-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Apr 2020 10:44:09 -0700
Source: git
Architecture: source
Version: 1:2.26.2-1
Distribution: unstable
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Changes:
 git (1:2.26.2-1) unstable; urgency=high
 .
   * new upstream point release (see RelNotes/2.26.2.txt).
   * Addresses the security issue CVE-2020-11008.
 .
     With a crafted URL that contains a newline or empty host, or lacks a
     scheme, the credential helper machinery can be fooled into providing
     credential information that is not appropriate for the protocol in use
     and host being contacted.
 .
     Unlike the vulnerability fixed in 2.26.1, the credentials are not for a
     host of the attacker's choosing. Instead, they are for an unspecified
     host, based on how the configured credential helper handles an absent
     "host" parameter.
 .
     The attack has been made impossible by refusing to work with
     underspecified credential patterns.
 .
     Thanks to Carlo Arenas for reporting that Git was still vulnerable,
     Felix Wilhelm for providing the proof of concept demonstrating this
     issue, and Jeff King for promptly providing a corrected fix.
 .
     Tested using the proof of concept at https://crbug.com/project-zero/2021.
Checksums-Sha1:
 977bf82f2a640efaa44f6b402f60f668ff189a5d 2860 git_2.26.2-1.dsc
 bdb5eb6c014d7c372be70782a5155d964abe2c08 6007864 git_2.26.2.orig.tar.xz
 9687e228a58fcc6cd199c5095e8585bc09cb8578 646844 git_2.26.2-1.debian.tar.xz
 3efec9f4d673c771fa995c56c7fcfddfa0ddf67d 12103 git_2.26.2-1_amd64.buildinfo
Checksums-Sha256:
 2ac1155aad5cf16ca6a1c11d33ac2efb8a2b9d2a7eac6c8597c0a842ca15d0e2 2860 git_2.26.2-1.dsc
 6d65132471df9e531807cb2746f8be317e22a343b9385bbe11c9ce7f0d2fc848 6007864 git_2.26.2.orig.tar.xz
 0a5d96cb3199411220b6ae2cf4ac39f100b606d7a89a4b7328a25ef1c76f1326 646844 git_2.26.2-1.debian.tar.xz
 00df86912813e3258e9945c1b52c6d9f356fbdd5523e95675146d380a7e4f640 12103 git_2.26.2-1_amd64.buildinfo
Files:
 3fd6e121108c1ed66f3ee8e18eb958db 2860 vcs optional git_2.26.2-1.dsc
 f9a832256032e711973dd7be4981ab4c 6007864 vcs optional git_2.26.2.orig.tar.xz
 f0e2c740be97e16c026fef45869f5deb 646844 vcs optional git_2.26.2-1.debian.tar.xz
 0b529eaa23da663c1e8d08e92cd817f6 12103 vcs optional git_2.26.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEUh5Y8X6W1xKqD/EC38Zx7rMz+iUFAl6d560THGpybmllZGVy
QGdtYWlsLmNvbQAKCRDfxnHuszP6JePAD/wP7Rzt+9xUFacuOHtxQlX2EOFZHYfU
VdgpUoOzvX++NzmWhFpkXLPxw4xFl1HdHFqNtauAVkpE8Tp0PJUDwc5GS6nM1bpz
bPCYIL+pshq0bFfQDVyxZPjxbQcYQppAUIGZ8rDe/PLLWnBAjXIH0Qsd7EypBwFj
cFahRsC8v7+OFXNF7PEpSAKPPjmrecb9FZeqBzK5w+LtQ8iADy8VCRG/BUrBNv7e
1wqI0jdQPySneOHIpDZkrcCItFnjmBlgCy5zn4ERdD3WRqQ6W0VQf1160XqY3p+6
dofm//JNw+4mE4dErcPJqqngfInDNq7VBP/3+B2GPH9AhX+Mbn9BpaXJalqfXFeo
tSpt8Ocw/U67xy5BpPU5zBSYXD8Q3Vzh0EeuEO70Og8dSeglvVg8zVhtx+rwPiek
LEc5cSYdSNgPs5zO2kI1ElPj9aD6hDdIl21pX4IMa6OriBk21E4ttqwE69/yJL4w
YXPYzapiMAAF5uDEFBX5a43Bbqq48Z9eU30t5LQH9WWTsTfS3qEUFv8UXeXtaRz7
aRsnfUf3hJPvsCAMbLjZFQDmMLvDsfpPokBbxRIGXmVDId7fM7BZNosMOE/7IqFd
6U2VMvUNjhF39VaGsyOc1D/a0xQAau3akE16u5yPLjkG2AJ8hqjCdQk8TYjwavgB
JWwIc/IbSAGqjw==
=kwBB
-----END PGP SIGNATURE-----
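The changelog above says the fix "refuses to work with underspecified credential patterns" but does not show what that means in practice. The following is an added illustration written for this page, not Git's own code (Git's parser lives in credential.c and is C). It models the three crafted-URL shapes the changelog names (newline in a component, empty host, missing scheme) against two facts about git-credential that the model assumes: a helper is fed newline-delimited `key=value` lines on stdin, so a newline smuggled into a URL component becomes an extra line the helper trusts; and a helper that never receives a `host` (or `protocol`) line has nothing to scope its lookup by. `strict=False` models the lenient pre-fix parse, `strict=True` the refusal. The hosts `example.com` and `attacker.example` and all sample URLs are constructed for the demo.

```python
# Added illustration of the "underspecified credential pattern" refusal that
# the git 2.26.2 changelog describes.  Not Git's code: a small Python model.


class UnderspecifiedCredential(ValueError):
    """Raised when a URL does not pin down both protocol and host."""


def credential_from_url(url: str, strict: bool = True) -> dict:
    """Split a URL into the context fields a credential helper would be given.

    Accepts proto://host/..., proto://user@host/..., proto://user:pass@host/...
    The parse is deliberately hand-rolled: urllib.parse.urlsplit() silently
    strips CR/LF from its input on Python >= 3.9.5, which would hide exactly
    the crafted input this check exists to catch.
    """
    cred = {}
    scheme, sep, rest = url.partition("://")
    if sep and scheme:
        cred["protocol"] = scheme
    else:
        rest = url  # no scheme: whole string is treated as authority + path
    authority, slash, path = rest.partition("/")
    userinfo, at, hostport = authority.rpartition("@")
    if at:
        user, colon, password = userinfo.partition(":")
        cred["username"] = user
        if colon:
            cred["password"] = password
    if hostport:
        cred["host"] = hostport  # port stays attached to the host
    if slash:
        cred["path"] = path

    if strict:
        # Refuse anything that could add or remove a line of helper input.
        for key, value in cred.items():
            if "\n" in value or "\r" in value:
                raise UnderspecifiedCredential(f"newline in {key}")
        if "protocol" not in cred:
            raise UnderspecifiedCredential("url has no scheme")
        if not cred.get("host"):
            raise UnderspecifiedCredential("url has no host")
    return cred


def helper_input(cred: dict) -> str:
    """Serialize the context as the key=value lines a helper reads on stdin."""
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def parse_helper_input(text: str) -> dict:
    """What a line-oriented helper sees: last key wins, blank line terminates."""
    seen = {}
    for line in text.split("\n"):
        if not line:
            break
        key, _, value = line.partition("=")
        seen[key] = value
    return seen


def rejected(url: str) -> bool:
    """True if the strict parse refuses the URL."""
    try:
        credential_from_url(url, strict=True)
    except UnderspecifiedCredential:
        return True
    return False


# Constructed sample URLs (not from the advisory's proof of concept).
CASES = {
    "normal": "https://example.com/repo.git",
    "empty host": "https:///repo.git",
    "no scheme": "example.com/repo.git",
    "newline in host": "https://example.com\nhost=attacker.example/repo.git",
}

if __name__ == "__main__":
    for label, url in CASES.items():
        lenient = credential_from_url(url, strict=False)
        print(f"{label:16} strict rejects: {rejected(url)!s:5} "
              f"helper would see: {parse_helper_input(helper_input(lenient))}")
```

Run stand-alone, the lenient column shows why each shape is dangerous: the empty-host and no-scheme URLs reach the helper with no `host=` or no `protocol=` line at all, leaving it to the helper what that matches; the newline case turns one URL component into two helper lines, the second of which overrides the first. The strict parse refuses all three before any helper is consulted, which is the behaviour the changelog describes.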