Accepted git 1:2.20.1-2+deb10u3 (source) into proposed-updates->stable-new, proposed-updates
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 19 Apr 2020 17:19:12 -0700
Source: git
Architecture: source
Version: 1:2.20.1-2+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Changes:
git (1:2.20.1-2+deb10u3) buster-security; urgency=high
.
* new upstream point release (see RelNotes/2.20.4.txt).
* Addresses the security issue CVE-2020-11008.
.
With a crafted URL that contains a newline or empty host, or
lacks a scheme, the credential helper machinery can be fooled
into providing credential information that is not appropriate
for the protocol in use and host being contacted.
.
Unlike the vulnerability fixed in 1:2.20.1-2+deb10u2, the
credentials are not for a host of the attacker's choosing.
Instead, they are for an unspecified host, based on how the
configured credential helper handles an absent "host"
parameter.
.
The attack has been made impossible by refusing to work with
underspecified credential patterns.
.
Thanks to Carlo Arenas for reporting that Git was still
vulnerable, Felix Wilhelm for providing the proof of concept
demonstrating this issue, and Jeff King for promptly providing
a corrected fix.
.
Tested using the proof of concept at
https://crbug.com/project-zero/2021.
Checksums-Sha1:
c7d8f6c08f90eb8563244a88e48ec613786847dd 2923 git_2.20.1-2+deb10u3.dsc
05abda873095debf9a2bbabcd70d97c9eb1dc0d0 646216 git_2.20.1-2+deb10u3.debian.tar.xz
d1c62848c0b1e921b6d8ec6dd68c2529dec1deb0 12645 git_2.20.1-2+deb10u3_amd64.buildinfo
Checksums-Sha256:
6322d0dbe9b867a6cd1cd75f95a4a20335faa2030c38688f460ddaaaacbd4d06 2923 git_2.20.1-2+deb10u3.dsc
3c6e2f8495350bccd0981d579d4d1cac6b0e051e1f7ba8b1d22c842bd4cb3453 646216 git_2.20.1-2+deb10u3.debian.tar.xz
c9a1f2ad4e987f3f4ee2d0be9cc2d1beeabd185f86a2e692d36bfbb42e3b9887 12645 git_2.20.1-2+deb10u3_amd64.buildinfo
Files:
fcfb1e01b74dfa383f8171ae7d331de9 2923 vcs optional git_2.20.1-2+deb10u3.dsc
3b629f9b0d2da6fa6ce5816478a57e09 646216 vcs optional git_2.20.1-2+deb10u3.debian.tar.xz
f225b02444e391f83f7c895b34f52a41 12645 vcs optional git_2.20.1-2+deb10u3_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=jLqq
-----END PGP SIGNATURE-----