
Fedora 31: FEDORA-2020-f6b3b6fb18 Critical: Git Credential Leak

April 25, 2020
Essential Fedora Patch FEDORA-2020-ab9e7d2d34 resolves an authentication breach in the git framework, improving overall system integrity.

Summary

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals.

The git rpm installs a common set of tools which are usually used with a small number of dependencies. To install all git packages, including tools for integrating with other SCMs, install the git-all meta-package.

Security fix for CVE-2020-5260

From the upstream release notes:

> With a crafted URL that contains a newline or empty host, or lacks
> a scheme, the credential helper machinery can be fooled into
> providing credential information that is not appropriate for the
> protocol in use and host being contacted.
>
> Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
> credentials are not for a host of the attacker's choosing; instead,
> they are for some unspecified host (based on how the configured
> credential helper handles an absent "host" parameter).
>
> The attack has been made impossible by refusing to work with
> under-specified credential patterns.
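A pre-screen for the three URL conditions named in the release notes (newline, empty host, missing scheme), as an added example that is not part of the advisory or of git's own code. The function names and sample URLs are constructed; scp-style SSH remotes have no scheme and will also be reported, so treat a hit as a prompt for review.

```python
from urllib.parse import unquote


def underspecified_reasons(url):
    """Return which of the advisory's three conditions a URL matches."""
    reasons = []
    # Check the percent-decoded form too, so an encoded %0a is caught.
    if "\n" in url or "\n" in unquote(url):
        reasons.append("newline")
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        reasons.append("no scheme")
        return reasons  # without a scheme the host cannot be located
    # The authority component ends at the first '/', '?' or '#'.
    end = len(rest)
    for ch in "/?#":
        pos = rest.find(ch)
        if pos != -1:
            end = min(end, pos)
    authority = rest[:end]
    # Drop any "user:pass@" prefix, then any ":port" suffix
    # (bracketed IPv6 literals are left whole).
    hostport = authority.rpartition("@")[2]
    host = hostport if hostport.startswith("[") else hostport.split(":", 1)[0]
    if not unquote(host).strip():
        reasons.append("empty host")
    return reasons


def screen(urls):
    """Map each flagged URL to its reasons; clean URLs are omitted."""
    return {u: r for u in urls if (r := underspecified_reasons(u))}


# Constructed sample input, e.g. URLs collected from .gitmodules files.
SAMPLE_URLS = [
    "https://example.com/repo.git",     # fully specified
    "https://example.com/repo%0a.git",  # encoded newline
    "https:///repo.git",                # empty host
    "example.com/repo.git",             # no scheme
]

if __name__ == "__main__":
    for url, reasons in screen(SAMPLE_URLS).items():
        print(f"{url!r}: {', '.join(reasons)}")
```
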

Change Log

* Mon Apr 20 2020 Todd Zullinger - 2.25.4-1
- update to 2.25.3 (CVE-2020-11008)

References

[ 1 ] Bug #1826001 - CVE-2020-11008 git: Crafted URL containing new lines, empty host or lacks a scheme can cause credential leak
https://bugzilla.redhat.com/show_bug.cgi?id=1826001

Update Instructions

Run su -c 'dnf upgrade --advisory FEDORA-2020-f6b3b6fb18' at the command line. For more information, refer to the dnf documentation available at https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org



Severity: critical

Product: Fedora 31
Version: 2.25.4
Release: 1.fc31
Summary: Fast Version Control System
