MGASA-2020-0181 - Updated git packages fix security vulnerability

Publication date: 24 Apr 2020
URL: https://advisories.mageia.org/MGASA-2020-0181.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-11008

Updated git packages fix security vulnerability:

Malicious URLs can still cause Git to send a stored credential to
the wrong server (CvE-2020-111008).

With a crafted URL that contains a newline or empty host, or lacks a
scheme, the credential helper machinery can be fooled into providing
credential information that is not appropriate for the protocol in
use and host being contacted.

Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).

The attack has been made impossible by refusing to work with
under-specified credential patterns.

References:
- https://bugs.mageia.org/show_bug.cgi?id=26516
- https://www.openwall.com/lists/oss-security/2020/04/20/1
- https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008

SRPMS:
- 7/core/git-2.21.3-1.mga7