Format: 1.8
Date: Tue, 21 Apr 2020 09:15:00 -0400
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.1.4-2.1+deb8u10) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS Team.
   * Apply patches from 2.20.4 to address the security issue CVE-2020-11008.
 .
   With a crafted URL that contains a newline or empty host, or lacks a
   scheme, the credential helper machinery can be fooled into providing
   credential information that is not appropriate for the protocol in use
   and host being contacted.
 .
   Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the credentials are
   not for a host of the attacker's choosing. Instead, they are for an
   unspecified host, based on how the configured credential helper handles
   an absent "host" parameter.
 .
   The attack has been made impossible by refusing to work with
   underspecified credential patterns.
 .
   Thanks to Carlo Arenas for reporting that Git was still vulnerable,
   Felix Wilhelm for providing the proof of concept demonstrating this
   issue, and Jeff King for promptly providing a corrected fix.
 .
   Tested using the proof of concept at https://crbug.com/project-zero/2021.
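
The rule the changelog describes (refuse underspecified credential patterns) can be applied as a pre-check on remote URLs before they reach a credential helper. The following Python sketch is an added example, not Git's or Debian's code; the names `credential_request`, `audit`, `UnderspecifiedURL` and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


class UnderspecifiedURL(ValueError):
    """The URL cannot yield a complete, single-line credential request."""


def credential_request(url):
    """Build the key=value block a credential helper reads on stdin.

    Refuses (raises) rather than emit a request with no protocol or host.
    """
    # Check the raw string first: the helper protocol is line-oriented, and
    # recent urllib releases silently strip \n, \r and \t while parsing.
    if any(ch in url for ch in "\n\r\0"):
        raise UnderspecifiedURL("newline or control character in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderspecifiedURL("no scheme")
    if not parts.hostname:
        raise UnderspecifiedURL("empty host")
    fields = [("protocol", parts.scheme),
              ("host", parts.netloc.rpartition("@")[2])]  # keeps any :port
    if parts.username:
        fields.append(("username", parts.username))
    return "".join(f"{k}={v}\n" for k, v in fields) + "\n"


def audit(urls):
    """Return (url, reason) for every URL that must not reach a helper."""
    rejected = []
    for url in urls:
        try:
            credential_request(url)
        except ValueError as exc:  # includes UnderspecifiedURL
            rejected.append((url, str(exc)))
    return rejected


# Constructed sample inputs, one per case named in the changelog.
SAMPLE_URLS = [
    "https://alice@example.com:8443/team/repo.git",  # well-formed
    "https://example.com/team\n/repo.git",           # contains a newline
    "https:///team/repo.git",                        # empty host
    "example.com/team/repo.git",                     # lacks a scheme
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLE_URLS):
        print(f"REFUSED {url!r}: {reason}")
```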