Format: 1.8
Date: Sun, 19 Apr 2020 19:07:44 -0700
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source
Version: 1:2.11.0-3+deb9u7
Distribution: stretch-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Description:
 git - fast, scalable, distributed revision control system
 git-all - fast, scalable, distributed revision control system (all subpacka
 git-arch - fast, scalable, distributed revision control system (arch interop
 git-core - fast, scalable, distributed revision control system (obsolete)
 git-cvs - fast, scalable, distributed revision control system (cvs interope
 git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
 git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
 git-doc - fast, scalable, distributed revision control system (documentatio
 git-el - fast, scalable, distributed revision control system (emacs suppor
 git-email - fast, scalable, distributed revision control system (email add-on
 git-gui - fast, scalable, distributed revision control system (GUI)
 git-man - fast, scalable, distributed revision control system (manual pages
 git-mediawiki - fast, scalable, distributed revision control system (MediaWiki re
 git-svn - fast, scalable, distributed revision control system (svn interope
 gitk - fast, scalable, distributed revision control system (revision tre
 gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
 git (1:2.11.0-3+deb9u7) stretch-security; urgency=high
 .
   * Apply patches from 2.20.4 to address the security issue CVE-2020-11008.
 .
   With a crafted URL that contains a newline or empty host, or lacks a
   scheme, the credential helper machinery can be fooled into providing
   credential information that is not appropriate for the protocol in use
   and host being contacted.
 .
   Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the credentials are
   not for a host of the attacker's choosing. Instead, they are for an
   unspecified host, based on how the configured credential helper handles
   an absent "host" parameter.
 .
   The attack has been made impossible by refusing to work with
   underspecified credential patterns.
 .
   Thanks to Carlo Arenas for reporting that Git was still vulnerable,
   Felix Wilhelm for providing the proof of concept demonstrating this
   issue, and Jeff King for promptly providing a corrected fix.
 .
   Tested using the proof of concept at https://crbug.com/project-zero/2021.
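Added example (not Git's code and not part of this upload): a Python sketch of the defensive check the changelog describes, refusing to build a credential-helper request from a URL that lacks a scheme, has an empty host, or carries a newline. The function names are assumed, and the key=value layout follows Git's line-oriented helper protocol only as far as this illustration needs.

```python
"""Illustrative pre-check for credential lookups (not Git's own code).

Models the hardening described for CVE-2020-11008: before a URL becomes a
credential request for a helper, refuse anything underspecified (missing
scheme or host) or anything that could smuggle extra key=value lines into
the helper protocol (embedded CR/LF, raw or percent-encoded).
"""
from urllib.parse import unquote, urlsplit

# Keys a well-formed URL can legitimately populate in a helper request.
FIELDS = ("protocol", "host", "path", "username", "password")


def credential_from_url(url: str) -> dict:
    """Return the credential description for *url*, or raise ValueError.

    The raw string is checked for CR/LF *before* parsing: recent Python
    versions of urlsplit silently strip those characters, which would hide
    exactly the defect this check exists to catch.
    """
    if "\n" in url or "\r" in url:
        raise ValueError("URL contains a newline; refusing credential request")
    parts = urlsplit(url)
    if not parts.scheme:
        raise ValueError("URL has no scheme; protocol is underspecified")
    if not parts.hostname:
        raise ValueError("URL has an empty host; host is underspecified")
    cred = {"protocol": parts.scheme, "host": parts.hostname}
    if parts.port is not None:  # raises ValueError itself on a bad port
        cred["host"] = f"{parts.hostname}:{parts.port}"
    if parts.path and parts.path != "/":
        cred["path"] = parts.path.lstrip("/")
    if parts.username is not None:
        cred["username"] = unquote(parts.username)
    if parts.password is not None:
        cred["password"] = unquote(parts.password)
    return cred


def helper_request(cred: dict) -> str:
    """Serialise a checked credential as the key=value lines a helper reads."""
    for key in FIELDS:
        value = cred.get(key)
        # Decoded fields (username/password) may have grown a newline.
        if value is not None and ("\n" in value or "\r" in value):
            raise ValueError(f"{key} contains a newline; refusing to send it")
    return "".join(f"{k}={cred[k]}\n" for k in FIELDS if k in cred) + "\n"


def is_safe_for_helper(url: str) -> bool:
    """True only when *url* yields a fully specified, newline-free request."""
    try:
        helper_request(credential_from_url(url))
    except ValueError:
        return False
    return True
```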