oss-sec mailing list archives

CVE-2020-11008: Git: Malicious URLs can still cause Git to send a stored credential to the wrong server


From: Taylor Blau <ttaylorr () github com>
Date: Mon, 20 Apr 2020 13:47:12 -0600

Team,

Today, the Git project released v2.26.2 (and corresponding point
releases as far back as the v2.17.x track) to address the following
issue:

  * CVE-2020-11008:
    With a crafted URL that contains a newline or empty host, or lacks a
    scheme, the credential helper machinery can be fooled into providing
    credential information that is not appropriate for the protocol in
    use and host being contacted.

    Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
    credentials are not for a host of the attacker's choosing; instead,
    they are for some unspecified host (based on how the configured
    credential helper handles an absent "host" parameter).

    The attack has been made impossible by refusing to work with
    under-specified credential patterns.

The distros list has been notified of this release in advance of its
disclosure. This notification serves the same purpose for the
oss-security list, too.

Full details are available at the following link:

  https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7

Per the list guidelines, I am attaching a plaintext representation of
the above so as to include all essential materials within the mail
itself.


Thanks,
Taylor
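As an added illustration, not part of Taylor's mail and not Git's own code, the check the fix describes modelled in Python: Git hands credential helpers "key=value" lines, one attribute per line, so a URL lacking a scheme or host, or carrying a newline, must be refused before any lookup. The function and exception names here are my own.

```python
from urllib.parse import urlsplit

# Added example: a defender-side model of the hardening in Git v2.26.2, which
# refuses under-specified credential patterns. Names are illustrative.


class UnderSpecifiedCredential(ValueError):
    """Credential pattern lacks protocol/host or carries a control character."""


def credential_from_url(url: str) -> dict:
    """Split a remote URL into the attributes a helper would be asked about."""
    # Check for newlines *before* urlsplit: recent Python versions silently
    # strip \n, \r and \t from URLs, which would hide the problem.
    if any(ch in url for ch in "\r\n\0"):
        raise UnderSpecifiedCredential("control character in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderSpecifiedCredential("URL has no scheme")
    if not parts.hostname:  # covers "https:///path" (empty host)
        raise UnderSpecifiedCredential("URL has no host")
    # Keep host:port exactly as written, minus any userinfo.
    cred = {"protocol": parts.scheme, "host": parts.netloc.rsplit("@", 1)[-1]}
    if parts.username:
        cred["username"] = parts.username
    if parts.path and parts.path != "/":
        cred["path"] = parts.path.lstrip("/")
    return cred


def serialize_request(cred: dict) -> str:
    """Render attributes in the key=value line format sent to a helper."""
    for key in ("protocol", "host"):
        if not cred.get(key):
            raise UnderSpecifiedCredential(f"missing {key}")
    for key, value in cred.items():
        if any(ch in value for ch in "\r\n\0"):
            raise UnderSpecifiedCredential(f"control character in {key}")
    return "".join(f"{k}={v}\n" for k, v in cred.items()) + "\n"


def url_is_well_specified(url: str) -> bool:
    """True when the URL yields a pattern a helper may safely be asked about."""
    try:
        serialize_request(credential_from_url(url))
    except UnderSpecifiedCredential:
        return False
    return True
```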
