==================================================================== CERT-Renater Note d'Information No. 2020/VULN221 _____________________________________________________________________ DATE : 23/04/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Git versions prior to 2.26.2, 2.17.4. ===================================================================== https://www.openwall.com/lists/oss-security/2020/04/20/1 https://lore.kernel.org/git/xmqqy2qy7xn8.fsf@gitster.c.googlers.com/ _____________________________________________________________________ Team, Today, the Git project released v2.26.2 (and corresponding point releases as far back as the v2.17.x track) to address the following issue: * CVE-2020-11008: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. The distros list has been notified of this release in advance of its disclosure. This notification serves the same purpose for the oss-security list, too. Full details are available at the following link: https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 Per the list guidelines, I am attaching a plaintext representation of the above so as to include all essential materials within the mail itself. Thanks, Taylor _____________________________________________________________________ Date: Tue, 14 Apr 2020 11:03:23 -0700 Message-ID: (raw) Today, the Git project is releasing the following Git versions: v2.26.1, v2.25.3, v2.24.2, v2.23.2, v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4 These releases address the security issue CVE-2020-5260, which allowed a crafted URL to trick a Git client to send credential information for a wrong host to the attacker's site. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero, and credit for fixing it goes to Jeff King of GitHub. Users of the affected maintenance tracks are urged to upgrade. The tarballs are found at: https://www.kernel.org/pub/software/scm/git/ The following public repositories all have a copy of the 'v2.26.1' and other tags: url = https://kernel.googlesource.com/pub/scm/git/git url = git://repo.or.cz/alt-git.git url = https://github.com/gitster/git Attached below is the release notes for 2.17.4; all the newer maintenance tracks listed at the beginning of this message are updated with the same fix, so I won't repeat them here. Thanks. -------------------------------------------------- Git v2.17.4 Release Notes ========================= This release is to address the security issue: CVE-2020-5260 Fixes since v2.17.3 ------------------- * With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero. ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================