update to 2.25.4 (CVE-2020-11008)

From the upstream release notes¹:

  With a crafted URL that contains a newline or empty host, or lacks
  a scheme, the credential helper machinery can be fooled into
  providing credential information that is not appropriate for the
  protocol in use and host being contacted.

  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).

  The attack has been made impossible by refusing to work with
  under-specified credential patterns.

¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt

git.spec

@@ -82,7 +82,7 @@
 #global rcrev   .rc0
 
 Name:           git
-Version:        2.25.3
+Version:        2.25.4
 Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -1028,6 +1028,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Mon Apr 20 2020 Todd Zullinger <tmz@pobox.com> - 2.25.4-1
+- update to 2.25.3 (CVE-2020-11008)
+
 * Tue Apr 14 2020 Todd Zullinger <tmz@pobox.com> - 2.25.3-1
 - update to 2.25.3 (CVE-2020-5260)
 

sources

@@ -1,2 +1,2 @@
-SHA512 (git-2.25.3.tar.xz) = 1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471
-SHA512 (git-2.25.3.tar.sign) = 4fd58605192c3528ec2d8dac6fde830ec53e9196eb7c552c1add919ece9f8590a6412e272eca9bc3aa7d9b92d88fb089c33ac1bf758322aa812ff4d564938f12
+SHA512 (git-2.25.4.tar.xz) = ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450
+SHA512 (git-2.25.4.tar.sign) = 069a20b8711a4b46aebc49a5237982bc205581c81256edc9b142ca067354faaa7eb12f873e8ca0001cc647db12724ddc968167e66cdbf9fca6093ea596484410