-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Apr 2020 11:23:20 -0700
Source: git
Architecture: source
Version: 1:2.26.2-1~bpo10+1
Distribution: buster-backports
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Changes:
 git (1:2.26.2-1~bpo10+1) buster-backports; urgency=high
 .
   * upload to buster-backports.
 .
 git (1:2.26.2-1) unstable; urgency=high
 .
   * new upstream point release (see RelNotes/2.26.2.txt).
   * Addresses the security issue CVE-2020-11008.
 .
     With a crafted URL that contains a newline or empty host, or lacks a
     scheme, the credential helper machinery can be fooled into providing
     credential information that is not appropriate for the protocol in use
     and host being contacted.
 .
     Unlike the vulnerability fixed in 2.26.1, the credentials are not for a
     host of the attacker's choosing. Instead, they are for an unspecified
     host, based on how the configured credential helper handles an absent
     "host" parameter.
 .
     The attack has been made impossible by refusing to work with
     underspecified credential patterns.
 .
     Thanks to Carlo Arenas for reporting that Git was still vulnerable,
     Felix Wilhelm for providing the proof of concept demonstrating this
     issue, and Jeff King for promptly providing a corrected fix.
 .
     Tested using the proof of concept at https://crbug.com/project-zero/2021.
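Added illustration (not code from git or from this Debian package): a Python sketch of the refusal the changelog describes. It derives the key=value request that git's credential protocol sends to a helper from a URL and refuses to build or emit one whose URL contains a newline, has an empty host, or lacks a scheme, so a helper never sees a request missing its protocol or host. The field names protocol/host/path/username follow git's credential protocol; the checks mirror the described behaviour and are an assumption, not git's source.

```python
from urllib.parse import urlsplit

FIELD_ORDER = ("protocol", "host", "path", "username")  # helper protocol key order


class UnderspecifiedCredential(ValueError):
    """A request that would reach a helper without a protocol and host."""


def credential_from_url(url: str) -> dict:
    """Derive helper request fields from a URL, refusing the shapes named in
    the changelog: a newline inside the URL, an empty host, or no scheme."""
    if "\n" in url or "\r" in url:
        raise UnderspecifiedCredential("URL contains a newline")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderspecifiedCredential("URL lacks a scheme")
    if not parts.hostname:
        raise UnderspecifiedCredential("URL has an empty host")
    fields = {"protocol": parts.scheme, "host": parts.hostname}
    if parts.port is not None:  # the port stays part of the host field
        fields["host"] = f"{parts.hostname}:{parts.port}"
    if parts.username:
        fields["username"] = parts.username
    if parts.path.strip("/"):
        fields["path"] = parts.path.lstrip("/")
    return fields


def serialize_request(fields: dict) -> str:
    """Render the key=value lines sent to a helper, refusing a request that
    lacks protocol or host or whose values embed a newline (constructed check)."""
    for required in ("protocol", "host"):
        if not fields.get(required):
            raise UnderspecifiedCredential(f"credential missing {required} field")
    lines = []
    for key in FIELD_ORDER:
        value = fields.get(key)
        if value is None:
            continue
        if "\n" in value or "\r" in value:
            raise UnderspecifiedCredential(f"credential value for {key} has newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def is_accepted(url: str) -> bool:
    """True only when a complete helper request can be built for the URL."""
    try:
        serialize_request(credential_from_url(url))
    except UnderspecifiedCredential:
        return False
    return True
```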