From: Junio C Hamano <email@example.com> To: firstname.lastname@example.org Cc: Linux Kernel <email@example.com>, firstname.lastname@example.org Subject: [Announce] Git v2.26.1 and others Date: Tue, 14 Apr 2020 11:03:23 -0700 [thread overview] Message-ID: <email@example.com> (raw) Today, the Git project is releasing the following Git versions: v2.26.1, v2.25.3, v2.24.2, v2.23.2, v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4 These releases address the security issue CVE-2020-5260, which allowed a crafted URL to trick a Git client to send credential information for a wrong host to the attacker's site. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero, and credit for fixing it goes to Jeff King of GitHub. Users of the affected maintenance tracks are urged to upgrade. The tarballs are found at: https://www.kernel.org/pub/software/scm/git/ The following public repositories all have a copy of the 'v2.26.1' and other tags: url = https://kernel.googlesource.com/pub/scm/git/git url = git://repo.or.cz/alt-git.git url = https://github.com/gitster/git Attached below is the release notes for 2.17.4; all the newer maintenance tracks listed at the beginning of this message are updated with the same fix, so I won't repeat them here. Thanks. -------------------------------------------------- Git v2.17.4 Release Notes ========================= This release is to address the security issue: CVE-2020-5260 Fixes since v2.17.3 ------------------- * With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol. Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero.
reply other threads:[~2020-04-14 18:03 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style List information: http://vger.kernel.org/majordomo-info.html * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --subject='Re: [Announce] Git v2.26.1 and others' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
Code repositories for project(s) associated with this inbox: https://80x24.org/mirrors/git.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).