update to 2.25.4 (CVE-2020-11008)

From the upstream release notes¹: With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. ¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
update to 2.25.3 (CVE-2020-5260)
2020-04-20 15:04:05 -04:00 · 2020-04-14 17:51:26 -04:00 · 2020-03-18 03:14:25 -04:00
2 changed files with 13 additions and 4 deletions
--- a/git.spec
+++ b/git.spec
@ -82,8 +82,8 @@
 #global rcrev   .rc0

 Name:           git
-Version:        2.25.1
-Release:        2%{?rcrev}%{?dist}
+Version:        2.25.4
+Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@ -1028,6 +1028,15 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}

 %changelog
+* Mon Apr 20 2020 Todd Zullinger <tmz@pobox.com> - 2.25.4-1
+- update to 2.25.3 (CVE-2020-11008)
+
+* Tue Apr 14 2020 Todd Zullinger <tmz@pobox.com> - 2.25.3-1
+- update to 2.25.3 (CVE-2020-5260)
+
+* Wed Mar 18 2020 Todd Zullinger <tmz@pobox.com> - 2.25.2-1
+- update to 2.25.2
+
 * Wed Feb 19 2020 Todd Zullinger <tmz@pobox.com> - 2.25.1-2
 - split libsecret credential helper into a subpackage (#1804741)
 - consolidate macros for Fedora/EPEL
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (git-2.25.1.tar.xz) = 15241143acfd8542d85d2709ac3c80dbd6e8d5234438f70c4f33cc71a2bdec3e32938df7f6351e2746d570b021d3bd0b70474ea4beec0c51d1fc45f9c287b344
-SHA512 (git-2.25.1.tar.sign) = 29a4fd59227d74b233416fa17ce184c0f57d824fdfc4554e37aa9dd06176fdfa0e7cbade77c661d5d9aa1e62d206f7f4816a690984845baa3ca691069de65a6b
+SHA512 (git-2.25.4.tar.xz) = ca2ecc561d06dbb393fe47d445f0d69423d114766d9bcc125ef1d6d37e350ad903c456540cea420c1a51635b750cde3901e4196f29ce95b315fda11270173450
+SHA512 (git-2.25.4.tar.sign) = 069a20b8711a4b46aebc49a5237982bc205581c81256edc9b142ca067354faaa7eb12f873e8ca0001cc647db12724ddc968167e66cdbf9fca6093ea596484410