f4609b896f
This also bumps the stable nixpkgs to 20.09 as of 2020-11-21, because there is some breakage in the git build related to the netrc credentials helper which someone has taken care of in nixpkgs. The stable channel is not used for anything other than git, so this should be fine. Change-Id: I3575a19dab09e1e9556cf8231d717de9890484fb
22 lines
828 B
Text
22 lines
828 B
Text
Git v2.17.5 Release Notes
|
|
=========================
|
|
|
|
This release is to address a security issue: CVE-2020-11008
|
|
|
|
Fixes since v2.17.4
|
|
-------------------
|
|
|
|
* With a crafted URL that contains a newline or empty host, or lacks
|
|
a scheme, the credential helper machinery can be fooled into
|
|
providing credential information that is not appropriate for the
|
|
protocol in use and host being contacted.
|
|
|
|
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
|
|
credentials are not for a host of the attacker's choosing; instead,
|
|
they are for some unspecified host (based on how the configured
|
|
credential helper handles an absent "host" parameter).
|
|
|
|
The attack has been made impossible by refusing to work with
|
|
under-specified credential patterns.
|
|
|
|
Credit for finding the vulnerability goes to Carlo Arenas.
|