| Git v2.17.5 Release Notes |
| ========================= |
| |
| This release is to address a security issue: CVE-2020-11008 |
| |
| Fixes since v2.17.4 |
| ------------------- |
| |
| * With a crafted URL that contains a newline or empty host, or lacks |
| a scheme, the credential helper machinery can be fooled into |
| providing credential information that is not appropriate for the |
| protocol in use and host being contacted. |
| |
| Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the |
| credentials are not for a host of the attacker's choosing; instead, |
| they are for some unspecified host (based on how the configured |
| credential helper handles an absent "host" parameter). |
| |
| The attack has been made impossible by refusing to work with |
| under-specified credential patterns. |
| |
| Credit for finding the vulnerability goes to Carlo Arenas. |