oss-sec mailing list archives
CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server
From: Taylor Blau <ttaylorr () github com>
Date: Mon, 20 Apr 2020 13:47:12 -0600
Team,

Today, the Git project released v2.26.2 (and corresponding point
releases as far back as the v2.17.x track) to address the following
issue:

* CVE-2020-11008:

  With a crafted URL that contains a newline or empty host, or lacks a
  scheme, the credential helper machinery can be fooled into providing
  credential information that is not appropriate for the protocol in
  use and host being contacted.

  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).

  The attack has been made impossible by refusing to work with
  under-specified credential patterns.

The distros list has been notified of this release in advance of its
disclosure. This notification serves the same purpose for the
oss-security list, too.

Full details are available at the following link:

https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

Per the list guidelines, I am attaching a plaintext representation of
the above so as to include all essential materials within the mail
itself.

Thanks,
Taylor
Attachment: cve-2020-11008.txt
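The refusal the advisory describes, as an added example written for this page and not code from the advisory or from Git itself: a checker that turns a remote URL into the key/value request a credential helper would receive and refuses the under-specified shapes named above (newline in the URL, empty host, missing scheme). The function names and the sample URLs are this example's own assumptions.

```python
from urllib.parse import urlsplit

class UnderSpecifiedCredential(ValueError):
    """Raised for URLs that must not be handed to a credential helper."""

def credential_request_from_url(url: str) -> dict:
    """Parse a remote URL into the fields a credential helper is asked about.

    Refuses the three shapes named in the advisory: a newline in the URL,
    an empty host, and a missing scheme. The newline test runs before
    parsing because urlsplit() silently drops newline characters, which
    would hide exactly the input this check exists to catch.
    """
    if "\n" in url or "\r" in url:
        raise UnderSpecifiedCredential("newline in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderSpecifiedCredential("URL lacks a scheme")
    if not parts.hostname:
        raise UnderSpecifiedCredential("URL has an empty host")
    request = {"protocol": parts.scheme, "host": parts.hostname}
    try:
        if parts.port is not None:  # host:8443 is a different credential than host
            request["host"] = f"{parts.hostname}:{parts.port}"
    except ValueError as exc:
        raise UnderSpecifiedCredential("unparseable port") from exc
    if parts.username:
        request["username"] = parts.username
    return request

def format_helper_request(request: dict) -> str:
    """Serialize as the key=value helper protocol, ended by a blank line.
    Also refuses a request missing 'protocol' or 'host', so the helper never
    has to guess what an absent host means."""
    for key in ("protocol", "host"):
        if not request.get(key):
            raise UnderSpecifiedCredential(f"refusing request without {key}")
    return "".join(f"{k}={v}\n" for k, v in request.items()) + "\n"

def is_safe_for_helper(url: str) -> bool:
    """True if the URL yields a fully specified request, False if refused."""
    try:
        format_helper_request(credential_request_from_url(url))
        return True
    except UnderSpecifiedCredential:
        return False

# Constructed samples (not from the advisory): a well-formed URL and the three refused shapes.
SAMPLES = {"https://example.com/repo.git": True, "https://example.com/\nrepo.git": False,
           "https:///repo.git": False, "//example.com/repo.git": False}
```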