MGASA-2020-0181 - Updated git packages fix security vulnerability Publication date: 24 Apr 2020 URL: https://advisories.mageia.org/MGASA-2020-0181.html Type: security Affected Mageia releases: 7 CVE: CVE-2020-11008 Updated git packages fix security vulnerability: Malicious URLs can still cause Git to send a stored credential to the wrong server (CvE-2020-111008). With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted. Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter). The attack has been made impossible by refusing to work with under-specified credential patterns. References: - https://bugs.mageia.org/show_bug.cgi?id=26516 - https://www.openwall.com/lists/oss-security/2020/04/20/1 - https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008 SRPMS: - 7/core/git-2.21.3-1.mga7
Mageia 2020-0181: git security update
Updated git packages fix security vulnerability: Malicious URLs can still cause Git to send a stored credential to the wrong server (CvE-2020-111008)
Summary
Updated git packages fix security vulnerability:
Malicious URLs can still cause Git to send a stored credential to
the wrong server (CvE-2020-111008).
With a crafted URL that contains a newline or empty host, or lacks a
scheme, the credential helper machinery can be fooled into providing
credential information that is not appropriate for the protocol in
use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
credentials are not for a host of the attacker's choosing; instead,
they are for some unspecified host (based on how the configured
credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with
under-specified credential patterns.
References
- https://bugs.mageia.org/show_bug.cgi?id=26516
- https://www.openwall.com/lists/oss-security/2020/04/20/1
- https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11008
Resolution
MGASA-2020-0181 - Updated git packages fix security vulnerability
SRPMS
- 7/core/git-2.21.3-1.mga7
Severity
Publication date: 24 Apr 2020
URL: https://advisories.mageia.org/MGASA-2020-0181.html
Type: security
CVE: CVE-2020-11008
News
HOWTOs
About Us
Powered By
