Documentation/RelNotes/2.17.5.txt - git - Git at Google

 Git v2.17.5 Release Notes
 =========================

 This release is to address a security issue: CVE-2020-11008

 Fixes since v2.17.4
 -------------------

  * With a crafted URL that contains a newline or empty host, or lacks
    a scheme, the credential helper machinery can be fooled into
    providing credential information that is not appropriate for the
    protocol in use and host being contacted.

    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    credentials are not for a host of the attacker's choosing; instead,
    they are for some unspecified host (based on how the configured
    credential helper handles an absent "host" parameter).

    The attack has been made impossible by refusing to work with
    under-specified credential patterns.

 Credit for finding the vulnerability goes to Carlo Arenas.
	Git v2.17.5 Release Notes
	=========================

	This release is to address a security issue: CVE-2020-11008

	Fixes since v2.17.4
	-------------------

	* With a crafted URL that contains a newline or empty host, or lacks
	a scheme, the credential helper machinery can be fooled into
	providing credential information that is not appropriate for the
	protocol in use and host being contacted.

	Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
	credentials are not for a host of the attacker's choosing; instead,
	they are for some unspecified host (based on how the configured
	credential helper handles an absent "host" parameter).

	The attack has been made impossible by refusing to work with
	under-specified credential patterns.

	Credit for finding the vulnerability goes to Carlo Arenas.