Advisories » MGASA-2020-0181

Updated git packages fix security vulnerability

Publication date: 24 Apr 2020
Modification date: 24 Apr 2020
Type: security
Affected Mageia releases : 7
CVE: CVE-2020-11008

Description

Updated git packages fix security vulnerability:

Malicious URLs can still cause Git to send a stored credential to
the wrong server (CvE-2020-111008).

With a crafted URL that contains a newline or empty host, or lacks a
scheme, the credential helper machinery can be fooled into providing
credential information that is not appropriate for the protocol in
use and host being contacted.

Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).

The attack has been made impossible by refusing to work with
under-specified credential patterns.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=26516
• https://www.openwall.com/lists/oss-security/2020/04/20/1
• https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008

SRPMS

7/core

• git-2.21.3-1.mga7