Accepted git 1:2.26.2-1 (source) into unstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 20 Apr 2020 10:44:09 -0700
Source: git
Architecture: source
Version: 1:2.26.2-1
Distribution: unstable
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Changes:
 git (1:2.26.2-1) unstable; urgency=high
 .
   * new upstream point release (see RelNotes/2.26.2.txt).
     * Addresses the security issue CVE-2020-11008.
 .
       With a crafted URL that contains a newline or empty host, or
       lacks a scheme, the credential helper machinery can be fooled
       into providing credential information that is not appropriate
       for the protocol in use and host being contacted.
 .
       Unlike the vulnerability fixed in 2.26.1, the credentials are
       not for a host of the attacker's choosing.  Instead, they are
       for an unspecified host, based on how the configured
       credential helper handles an absent "host" parameter.
 .
       The attack has been made impossible by refusing to work with
       underspecified credential patterns.
 .
       Thanks to Carlo Arenas for reporting that Git was still
       vulnerable, Felix Wilhelm for providing the proof of concept
       demonstrating this issue, and Jeff King for promptly providing
       a corrected fix.
 .
       Tested using the proof of concept at
       https://crbug.com/project-zero/2021.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
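
The refusal described in the changelog above, sketched as an added example; it is not Git's or Debian's code. It assumes a credential-helper request made of `key=value` lines carrying `protocol` and `host`; the function names and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit


class UnderspecifiedURL(ValueError):
    """Raised when a URL cannot yield a complete credential request."""


def naive_request(url: str) -> str:
    """Lenient builder: silently drops any field it could not parse."""
    parts = urlsplit(url)
    fields = {"protocol": parts.scheme, "host": parts.hostname or ""}
    return "".join(f"{k}={v}\n" for k, v in fields.items() if v)


def strict_request(url: str) -> str:
    """Refuse URLs with a newline, a missing scheme or an empty host."""
    if "\n" in url:  # check first: some parsers strip newlines silently
        raise UnderspecifiedURL("newline in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderspecifiedURL("missing scheme")
    if not parts.hostname:
        raise UnderspecifiedURL("empty host")
    return f"protocol={parts.scheme}\nhost={parts.hostname}\n"


# Constructed sample URLs (example.com is a placeholder host).
SAMPLES = [
    "https://example.com/repo.git",    # fully specified
    "https:///repo.git",               # empty host
    "example.com/repo.git",            # no scheme
    "https://example.com/re\npo.git",  # embedded newline
]


def audit(urls):
    """Map each URL to its request text or to the refusal reason."""
    results = {}
    for url in urls:
        try:
            results[url] = strict_request(url)
        except UnderspecifiedURL as exc:
            results[url] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    for url, outcome in audit(SAMPLES).items():
        print(repr(url), "->", repr(outcome))
```

The lenient builder emits a request with no `host` line for the empty-host URL, leaving the helper to decide what an absent host means; the strict builder refuses instead.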