[Buildroot] [PATCH-2020.02.x] package/git: security bump to version 2.24.3

Peter Korsgaard peter at korsgaard.com
Mon May 25 19:57:09 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 >  * (2.24.2) With a crafted URL that contains a newline in it, the credential
 >    helper machinery can be fooled to give credential information for a wrong
 >    host.  The attack has been made impossible by forbidding a newline
 >    character in any value passed via the credential protocol.

 >  * (2.24.3) With a crafted URL that contains a newline or empty host, or
 >    lacks a scheme, the credential helper machinery can be fooled into
 >    providing credential information that is not appropriate for the protocol
 >    in use and host being contacted.

 >    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
 >    credentials are not for a host of the attacker's choosing; instead,
 >    they are for some unspecified host (based on how the configured
 >    credential helper handles an absent "host" parameter).

 >    The attack has been made impossible by refusing to work with
 >    under-specified credential patterns.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard
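
The two fixes described in the commit message, sketched as an added example (not code from this patch or from git itself): a URL is turned into a credential-helper request only if it has a scheme, a non-empty host, and no newline in any value. The function names and sample URLs are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

class CredentialError(ValueError):
    """The URL cannot be turned into a safe credential request."""

def check_value(key, value):
    # The protocol is line-oriented ("key=value\n"): a newline inside a value
    # would begin a new attribute line, so such a value is refused outright.
    if "\n" in value or "\0" in value:
        raise CredentialError(f"{key} contains a newline or NUL")
    return value

def credential_request(url):
    """Serialize url as a credential-helper request or raise CredentialError."""
    parts = urlsplit(url)
    if not parts.scheme:
        raise CredentialError("URL lacks a scheme")
    # Decode first, validate second: an encoded newline must not slip through.
    host = unquote(parts.netloc.rpartition("@")[2])
    if not host:
        raise CredentialError("URL has an empty host")
    fields = [("protocol", parts.scheme), ("host", host)]
    if parts.username:
        fields.append(("username", unquote(parts.username)))
    path = unquote(parts.path.lstrip("/"))
    if path:
        fields.append(("path", path))
    return "".join(f"{k}={check_value(k, v)}\n" for k, v in fields) + "\n"

def audit(urls):
    """Map each URL to 'ok' or to the reason it was refused."""
    results = {}
    for url in urls:
        try:
            credential_request(url)
            results[url] = "ok"
        except CredentialError as exc:
            results[url] = str(exc)
    return results

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "https://user@example.com/repo.git",
    "https://example.com%0ahost=other.example/repo.git",
    "https:///repo.git",
    "example.com/repo.git",
]
```

Calling `audit(SAMPLES)` reports the first URL as `ok` and gives the refusal reason for each of the other three.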

