[Buildroot] [PATCH-2020.02.x] package/git: security bump to version 2.24.3

Peter Korsgaard peter at korsgaard.com
Mon May 25 19:57:09 UTC 2020


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 >  * (2.24.2) With a crafted URL that contains a newline in it, the credential
 >    helper machinery can be fooled to give credential information for a wrong
 >    host.  The attack has been made impossible by forbidding a newline
 >    character in any value passed via the credential protocol.

 >  * (2.24.3) With a crafted URL that contains a newline or empty host, or
 >    lacks a scheme, the credential helper machinery can be fooled into
 >    providing credential information that is not appropriate for the protocol
 >    in use and host being contacted.

 >    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
 >    credentials are not for a host of the attacker's choosing; instead,
 >    they are for some unspecified host (based on how the configured
 >    credential helper handles an absent "host" parameter).

 >    The attack has been made impossible by refusing to work with
 >    under-specified credential patterns.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2020.02.x, thanks.

-- 
Bye, Peter Korsgaard



More information about the buildroot mailing list