From 86dce7281ce0dec0a05dbc7aa89f46f29c9d35c8 Mon Sep 17 00:00:00 2001 From: Todd Zullinger Date: Mon, 20 Apr 2020 15:04:05 -0400 Subject: [PATCH] update to 2.25.4 (CVE-2020-11008) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From the upstream release notes¹: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. ¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt --- git.spec | 5 ++++- sources | 4 ++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/git.spec b/git.spec index 887e49f..7a65ce7 100644 --- a/git.spec +++ b/git.spec @@ -82,7 +82,7 @@ #global rcrev .rc0 Name: git -Version: 2.25.3 +Version: 2.25.4 Release: 1%{?rcrev}%{?dist} Summary: Fast Version Control System License: GPLv2 @@ -1028,6 +1028,9 @@ rmdir --ignore-fail-on-non-empty "$testdir" %{?with_docs:%{_pkgdocdir}/git-svn.html} %changelog +* Mon Apr 20 2020 Todd Zullinger - 2.25.4-1 +- update to 2.25.3 (CVE-2020-11008) + * Tue Apr 14 2020 Todd Zullinger - 2.25.3-1 - update to 2.25.3 (CVE-2020-5260) diff --git a/sources b/sources index aa2bdbe..4236e42 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (git-2.25.3.tar.xz) = 1ea2f0727baa29200f33469463c3b6db04a2e228e83ff552faa47fefe31063d92966d7502b2f13546c36cfc2756d42d71a26e41141c0fb972af9d6760f3aa471 -SHA512 (git-2.25.3.tar.sign) = 4fd58605192c3528ec2d8dac6fde830ec53e9196eb7c552c1add919ece9f8590a6412e272eca9bc3aa7d9b92d88fb089c33ac1bf758322aa812ff4d564938f12 +SHA512 (git-2.25.4.tar.xz) = ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450 +SHA512 (git-2.25.4.tar.sign) = 069a20b8711a4b46aebc49a5237982bc205581c81256edc9b142ca067354faaa7eb12f873e8ca0001cc647db12724ddc968167e66cdbf9fca6093ea596484410