From df5be6dc3fd18c294ec93a9af0321334e3f92c9c Mon Sep 17 00:00:00 2001 From: Jeff King Date: Sun, 19 Apr 2020 02:34:55 -0400 Subject: [PATCH] Git 2.17.5 Signed-off-by: Jeff King Signed-off-by: Jonathan Nieder --- Documentation/RelNotes/2.17.5.txt | 22 ++++++++++++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.17.5.txt diff --git a/Documentation/RelNotes/2.17.5.txt b/Documentation/RelNotes/2.17.5.txt new file mode 100644 index 0000000000..2abb821a73 --- /dev/null +++ b/Documentation/RelNotes/2.17.5.txt @@ -0,0 +1,22 @@ +Git v2.17.5 Release Notes +========================= + +This release is to address a security issue: CVE-2020-11008 + +Fixes since v2.17.4 +------------------- + + * With a crafted URL that contains a newline or empty host, or lacks + a scheme, the credential helper machinery can be fooled into + providing credential information that is not appropriate for the + protocol in use and host being contacted. + + Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the + credentials are not for a host of the attacker's choosing; instead, + they are for some unspecified host (based on how the configured + credential helper handles an absent "host" parameter). + + The attack has been made impossible by refusing to work with + under-specified credential patterns. + +Credit for finding the vulnerability goes to Carlo Arenas. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index cdb21b3311..85d9db5600 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.17.4 +DEF_VER=v2.17.5 LF=' ' diff --git a/RelNotes b/RelNotes index 196ab8077e..07012e884f 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.17.4.txt \ No newline at end of file +Documentation/RelNotes/2.17.5.txt \ No newline at end of file