update to 2.21.3 (CVE-2020-11008)

From the upstream release notes¹: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. ¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
update to 2.21.2 (CVE-2020-5260)
2020-04-20 15:07:46 -04:00 · 2020-04-14 17:53:38 -04:00 · 2019-12-10 13:40:55 -05:00
2 changed files with 13 additions and 3 deletions
--- a/git.spec
+++ b/git.spec
@ -87,7 +87,7 @@
 #global rcrev   .rc0

 Name:           git
-Version:        2.21.0
+Version:        2.21.3
 Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@ -955,6 +955,16 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Mon Apr 20 2020 Todd Zullinger <tmz@pobox.com> - 2.21.3-1
+- update to 2.21.3 (CVE-2020-11008)
+
+* Tue Apr 14 2020 Todd Zullinger <tmz@pobox.com> - 2.21.2-1
+- update to 2.21.2 (CVE-2020-5260)
+
+* Tue Dec 10 2019 Todd Zullinger <tmz@pobox.com> - 2.21.1-1
+- update to 2.21.1 (CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
+  CVE-2019-1352, CVE-2019-1353, CVE-2019-1354, and CVE-2019-1387)
+
 * Sun Feb 24 2019 Todd Zullinger <tmz@pobox.com> - 2.21.0-1
 - Update to 2.21.0
 - Move gitweb manpages to gitweb package
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.21.0.tar.xz) = 83f57c3950a07f6773a3aea66611d22daba0e5599e5d8f0751a16f6fdbeab0f3844d942a39a5642051212df99d1d4513253c36829b1454b4f0977cc6026fd973
-SHA512 (git-2.21.0.tar.sign) = fbde8164e0c6d5f1447849ab573d5fe6d3585c1c463b75a81ce3f65cba0559cb84a2c63f13663e5c7fe5119e607a304e52cb13183babc40da72421a5c1a5db1b
+SHA512 (git-2.21.3.tar.xz) = d87f8058519ab447d7833735635c8b176c74d3d2ae97ebeecaccdb7bd4056b9be37d2d770c6176cfafdd71e0d6b601515f1d4070e0c75b2fa664be9eb8525373
+SHA512 (git-2.21.3.tar.sign) = 6072eded2637edfa8bf7724ce05abef74832fb775e35101405e334a720ff5cb2b9be6bfd609fd14cea5903d10bbb336165eb06027db463da3795b22da63c0d24