Univention Bugzilla – Bug 51170
git: Multiple issues (4.4)
Last modified: 2020-04-29 12:32:18 CEST
New Debian git 1:2.11.0-3+deb9u7 fixes: This update addresses the following issue: * A crafted URL containing newlines, an empty host, or lacking a scheme can cause a credential leak (CVE-2020-11008)
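The three URL shapes named in the summary above, as an added example (this is not Git's code and not the Debian patch): a lenient builder that turns a remote URL into a git-credential request and quietly drops the `protocol` or `host` key when the URL has no scheme or an empty host, a toy helper that matches on whichever keys are present, and the hardened check the changelog describes, which refuses to consult any helper for an underspecified request or for a URL carrying a newline. The function names, the store contents and the helper's matching rule are assumptions of this example.

```python
"""Model of the credential-request hardening for CVE-2020-11008.

Added example, not Git's own code: the request builder, the store and the
toy helper below are constructed for illustration.
"""
from urllib.parse import urlsplit


class UnderspecifiedCredential(ValueError):
    """Raised when a request would not tell a helper which host it is for."""


# Constructed sample of what a credential helper might hold (not real data).
STORE = [
    {"protocol": "https", "host": "git.example.com",
     "username": "alice", "password": "s3cret"},
    {"protocol": "https", "host": "other.example.net",
     "username": "bob", "password": "hunter2"},
]


def build_request(url):
    """Lenient request builder: emits only the keys the URL actually carries.

    This mirrors the pre-fix behaviour: an empty host or a missing scheme
    silently yields a request with no 'host' or no 'protocol' key.
    """
    parts = urlsplit(url)
    req = {}
    if parts.scheme:
        req["protocol"] = parts.scheme
    if parts.hostname:
        host = parts.hostname
        if parts.port is not None:
            host = f"{host}:{parts.port}"
        req["host"] = host
    if parts.username:
        req["username"] = parts.username
    return req


def serialize(req):
    """Wire form of the git-credential protocol: key=value lines, blank terminator."""
    return "".join(f"{k}={v}\n" for k, v in req.items()) + "\n"


def hardened_request(url):
    """Refuse injectable or underspecified requests before any helper is consulted."""
    # A raw newline in the URL would let an attacker append extra key=value
    # lines to the serialized request, so reject it before parsing.
    if "\n" in url or "\r" in url:
        raise UnderspecifiedCredential("newline in URL would inject protocol lines")
    req = build_request(url)
    # The changelog's fix: without both protocol and host the helper cannot
    # know which credential is being asked for, so do not ask at all.
    if not req.get("protocol") or not req.get("host"):
        raise UnderspecifiedCredential(
            f"refusing to fill credential without protocol and host: {req}")
    return req


def lookup(store, req):
    """Toy helper: match on whichever of protocol/host/username the request carries.

    A request lacking 'host' therefore matches the first entry for its
    protocol, which is the leak described for helpers that treat an absent
    host loosely. Real helpers differ; this is an assumed behaviour.
    """
    for entry in store:
        if all(entry.get(k) == req[k]
               for k in ("protocol", "host", "username") if k in req):
            return entry
    return None


if __name__ == "__main__":
    for url in ("https://alice@git.example.com/repo.git", "https://@/repo",
                "//git.example.com/repo"):
        print(url, "->", serialize(build_request(url)).replace("\n", "|"))
        try:
            hardened_request(url)
            print("  hardened: accepted")
        except UnderspecifiedCredential as exc:
            print("  hardened: rejected:", exc)
```

Running the block shows `https://@/repo` serialized as only `protocol=https`, which the toy helper answers with the first stored HTTPS credential; the hardened path rejects that URL, the scheme-less `//git.example.com/repo`, and any URL containing a newline before a helper is ever invoked.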
--- mirror/ftp/4.4/unmaintained/component/4.4-4-errata/source/git_2.11.0-3+deb9u6.dsc +++ apt/ucs_4.4-0-errata4.4-4/source/git_2.11.0-3+deb9u7.dsc @@ -1,3 +1,30 @@ +1:2.11.0-3+deb9u7 [Sun, 19 Apr 2020 19:07:44 -0700] Jonathan Nieder <jrnieder@gmail.com>: + + * Apply patches from 2.20.4 to address the security issue + CVE-2020-11008. + + With a crafted URL that contains a newline or empty host, or + lacks a scheme, the credential helper machinery can be fooled + into providing credential information that is not appropriate + for the protocol in use and host being contacted. + + Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the + credentials are not for a host of the attacker's choosing. + Instead, they are for an unspecified host, based on how the + configured credential helper handles an absent "host" + parameter. + + The attack has been made impossible by refusing to work with + underspecified credential patterns. + + Thanks to Carlo Arenas for reporting that Git was still + vulnerable, Felix Wilhelm for providing the proof of concept + demonstrating this issue, and Jeff King for promptly providing + a corrected fix. + + Tested using the proof of concept at + https://crbug.com/project-zero/2021. + 1:2.11.0-3+deb9u6 [Sun, 12 Apr 2020 17:49:00 -0700] Jonathan Nieder <jrnieder@gmail.com>: [ Salvatore Bonaccorso ] <http://10.200.17.11/4.4-4/#748036788754765133>
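Review bot: The deb9u7 changelog entry says "Apply patches from 2.20.4 to address the security issue CVE-2020-11008" but names no upstream commit IDs, so a reviewer of this errata cannot check which of the 2.20.4 credential changes were actually backported onto 2.11.0; list the cherry-picked commits in the entry. The entry also records testing only against the external proof of concept ("Tested using the proof of concept at https://crbug.com/project-zero/2021") rather than a regression test in the package's own test suite, so nothing in the build would catch the check on underspecified credential patterns silently regressing in a later rebase; add a test case for the empty-host and scheme-less URL forms.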
OK: yaml
OK: announce_errata
OK: no patch
OK: piuparts
Verified
<http://errata.software-univention.de/ucs/4.4/552.html>