git-commit-vandalism/Documentation/RelNotes/2.17.5.txt
Jeff King df5be6dc3f Git 2.17.5
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Jonathan Nieder <jrnieder@gmail.com>
2020-04-19 16:10:58 -07:00

23 lines
828 B
Plaintext

Git v2.17.5 Release Notes
=========================
This release is to address a security issue: CVE-2020-11008
Fixes since v2.17.4
-------------------
* With a crafted URL that contains a newline or empty host, or lacks
a scheme, the credential helper machinery can be fooled into
providing credential information that is not appropriate for the
protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
Credit for finding the vulnerability goes to Carlo Arenas.