| From 191fa298b66f2145f210573b4322bf61adbc303f Mon Sep 17 00:00:00 2001 |
| From: Junio C Hamano <gitster@pobox.com> |
| Date: Tue, 17 Mar 2020 13:23:48 -0700 |
| Subject: Git 2.17.4 |
| |
| Signed-off-by: Junio C Hamano <gitster@pobox.com> |
| (cherry picked from commit c42c0f12972194564f039dcf580d89ca14ae72d6) |
| Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> |
| --- |
| Documentation/RelNotes/2.17.4.txt | 16 ++++++++++++++++ |
| 1 file changed, 16 insertions(+) |
| create mode 100644 Documentation/RelNotes/2.17.4.txt |
| |
| diff --git a/Documentation/RelNotes/2.17.4.txt b/Documentation/RelNotes/2.17.4.txt |
| new file mode 100644 |
| index 0000000000..7d794ca01a |
| --- /dev/null |
| +++ b/Documentation/RelNotes/2.17.4.txt |
| @@ -0,0 +1,16 @@ |
| +Git v2.17.4 Release Notes |
| +========================= |
| + |
| +This release is to address the security issue: CVE-2020-5260 |
| + |
| +Fixes since v2.17.3 |
| +------------------- |
| + |
| + * With a crafted URL that contains a newline in it, the credential |
| + helper machinery can be fooled to give credential information for |
| + a wrong host. The attack has been made impossible by forbidding |
| + a newline character in any value passed via the credential |
| + protocol. |
| + |
| +Credit for finding the vulnerability goes to Felix Wilhelm of Google |
| +Project Zero. |
| -- |
| 2.26.0.292.g33ef6b2f38 |
| |
