Accepted git 1:2.26.2-1~bpo10+1 (source) into buster-backports
Format: 1.8
Date: Mon, 20 Apr 2020 11:23:20 -0700
Source: git
Architecture: source
Version: 1:2.26.2-1~bpo10+1
Distribution: buster-backports
Urgency: high
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Jonathan Nieder <jrnieder@gmail.com>
Changes:
git (1:2.26.2-1~bpo10+1) buster-backports; urgency=high
.
* upload to buster-backports.
.
git (1:2.26.2-1) unstable; urgency=high
.
* new upstream point release (see RelNotes/2.26.2.txt).
* Addresses the security issue CVE-2020-11008.
.
With a crafted URL that contains a newline or empty host, or
lacks a scheme, the credential helper machinery can be fooled
into providing credential information that is not appropriate
for the protocol in use and host being contacted.
.
Unlike the vulnerability fixed in 2.26.1, the credentials are
not for a host of the attacker's choosing. Instead, they are
for an unspecified host, based on how the configured
credential helper handles an absent "host" parameter.
.
The attack has been made impossible by refusing to work with
underspecified credential patterns.
.
Thanks to Carlo Arenas for reporting that Git was still
vulnerable, Felix Wilhelm for providing the proof of concept
demonstrating this issue, and Jeff King for promptly providing
a corrected fix.
.
Tested using the proof of concept at
https://crbug.com/project-zero/2021.
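The refusal described in the changelog above, modeled as an added Python example (not Git's code and not part of the upload notice): a URL is turned into credential-helper fields only when it has a scheme, a non-empty host and no line breaks. The function names and sample URLs are constructed for illustration; the field names `protocol`, `host`, `username` and `path` follow the git-credential helper input format.

```python
# Added illustrative model; not Git's implementation.
from urllib.parse import urlsplit, unquote

class UnderspecifiedURL(ValueError):
    """The URL cannot yield a complete, unambiguous credential description."""

def credential_fields(url):
    """Map a URL to credential-helper fields, or raise UnderspecifiedURL."""
    # Check the raw string first: some urlsplit versions silently drop newlines.
    if any(ch in url for ch in "\r\n\0"):
        raise UnderspecifiedURL("control character in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderspecifiedURL("missing scheme")
    host = unquote(parts.netloc.rpartition("@")[2])  # keeps any :port
    if not host:
        raise UnderspecifiedURL("empty host")
    fields = {"protocol": parts.scheme, "host": host}
    if parts.username:
        fields["username"] = unquote(parts.username)
    path = unquote(parts.path).lstrip("/")
    if path:
        fields["path"] = path
    # Decoding can reintroduce a line break, which a helper would read as a new line.
    for key, value in fields.items():
        if any(ch in value for ch in "\r\n\0"):
            raise UnderspecifiedURL(f"control character in {key}")
    return fields

def helper_input(fields):
    """Serialize fields as key=value lines ended by a blank line."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"

def audit(urls):
    """Return {url: reason} for every URL that must be refused."""
    refused = {}
    for url in urls:
        try:
            credential_fields(url)
        except UnderspecifiedURL as exc:
            refused[url] = str(exc)
    return refused

# Constructed sample URLs, e.g. as collected from remotes or .gitmodules.
SAMPLES = [
    "https://alice@example.com/team/repo.git",  # complete
    "example.com/team/repo.git",                # lacks a scheme
    "https:///team/repo.git",                   # empty host
    "https://example.com/team%0Arepo.git",      # encoded newline
]
```

`audit(SAMPLES)` reports the last three URLs with the reason each is refused; only the first yields a credential description.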