git/sources
Todd Zullinger 376a76c4a7 update to 2.21.3 (CVE-2020-11008)
From the upstream release notes¹:

  With a crafted URL that contains a newline or empty host, or lacks
  a scheme, the credential helper machinery can be fooled into
  providing credential information that is not appropriate for the
  protocol in use and host being contacted.

  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).

  The attack has been made impossible by refusing to work with
  under-specified credential patterns.

¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt
2020-04-20 15:07:46 -04:00
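
The three conditions the release notes name (an embedded newline, a missing scheme, an empty host) can be screened for before a URL is handed to a credential helper. The following is an added example, not Git's implementation and not part of this commit; the function names and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote

def credential_url_problems(url):
    """List the reasons a URL is under-specified for a credential lookup.

    Illustrative check only (hypothetical helper, not Git's parser).
    """
    problems = []
    # Helpers receive key=value lines, so a raw or percent-encoded newline
    # inside a URL component could be read as an extra line.
    if "\n" in unquote(url):
        problems.append("newline")
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        # No protocol: the helper cannot tell which protocol is in use.
        problems.append("missing-scheme")
        return problems
    # Authority ends at the first '/', '?' or '#'; drop any userinfo.
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    host = authority.rsplit("@", 1)[-1]
    if not host:
        # No "host" value: the answer then depends on the helper.
        problems.append("empty-host")
    return problems

def audit(urls):
    """Return {url: problems} for every URL that should be refused."""
    return {u: p for u in urls if (p := credential_url_problems(u))}

# Constructed sample input.
SAMPLE_URLS = [
    "https://example.com/project.git",
    "https://example.com/%0aproject.git",
    "https:///project.git",
    "example.com/project.git",
    "https://user@/project.git",
]

if __name__ == "__main__":
    for url, problems in audit(SAMPLE_URLS).items():
        print(f"refuse {url!r}: {', '.join(problems)}")
```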

SHA512 (git-2.21.3.tar.xz) = d87f8058519ab447d7833735635c8b176c74d3d2ae97ebeecaccdb7bd4056b9be37d2d770c6176cfafdd71e0d6b601515f1d4070e0c75b2fa664be9eb8525373
SHA512 (git-2.21.3.tar.sign) = 6072eded2637edfa8bf7724ce05abef74832fb775e35101405e334a720ff5cb2b9be6bfd609fd14cea5903d10bbb336165eb06027db463da3795b22da63c0d24