Arch Linux alert ASA-202004-21 (git)
| From: | Remi Gacogne <rgacogne@archlinux.org> | |
| To: | arch-security@archlinux.org | |
| Subject: | [ASA-202004-21] git: information disclosure | |
| Date: | Thu, 30 Apr 2020 10:05:12 +0200 | |
| Message-ID: | <12dc63bb-94a0-0048-1286-e83479b6010d@archlinux.org> |
Arch Linux Security Advisory ASA-202004-21 ========================================== Severity: High Date : 2020-04-22 CVE-ID : CVE-2020-11008 Package : git Type : information disclosure Remote : Yes Link : https://security.archlinux.org/AVG-1138 Summary ======= The package git before version 2.26.2-1 is vulnerable to information disclosure. Resolution ========== Upgrade to 2.26.2-1. # pacman -Syu "git>=2.26.2-1" The problem has been fixed upstream in version 2.26.2. Workaround ========== None. Description =========== A vulnerability has been found in git before 2.26.2. With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.26.1, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under- specified credential patterns. Impact ====== A remote attacker might be able to retrieve passwords or other credentials by tricking a user into cloning from a crafted URL, either directly or via Git submodules, or package systems built around Git. References ========== https://github.com/git/git/security/advisories/GHSA-hjc9-... https://github.com/git/git/compare/v2.17.4...v2.17.5 https://security.archlinux.org/CVE-2020-11008