merge(3p/git): Merge git upstream at v2.26.2
This commit is contained in:
Vincent Ambo
commit
5229c9b232
1006 changed files with 149006 additions and 60819 deletions
22
third_party/git/Documentation/RelNotes/2.17.5.txt
vendored
Normal file
22
third_party/git/Documentation/RelNotes/2.17.5.txt
vendored
Normal file
|
|
@ -0,0 +1,22 @@
|
|||
Git v2.17.5 Release Notes
|
||||
=========================
|
||||
|
||||
This release is to address a security issue: CVE-2020-11008
|
||||
|
||||
Fixes since v2.17.4
|
||||
-------------------
|
||||
|
||||
* With a crafted URL that contains a newline or empty host, or lacks
|
||||
a scheme, the credential helper machinery can be fooled into
|
||||
providing credential information that is not appropriate for the
|
||||
protocol in use and host being contacted.
|
||||
|
||||
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
|
||||
credentials are not for a host of the attacker's choosing; instead,
|
||||
they are for some unspecified host (based on how the configured
|
||||
credential helper handles an absent "host" parameter).
|
||||
|
||||
The attack has been made impossible by refusing to work with
|
||||
under-specified credential patterns.
|
||||
|
||||
Credit for finding the vulnerability goes to Carlo Arenas.
|
||||
Loading…
Add table
Add a link
Reference in a new issue