Git Sees Another Round Of New Releases Due To Security Issue
Last week brought a slew of new Git releases to fix a security issue in which a newline character in a URL could lead to a credential leak. This week brings another round of emergency Git releases for a similar security bug.
Git 2.26.2 is out today along with new point releases from Git 2.25 through Git 2.17. These new Git releases are coming as a result of a similar security bug to last week's problem.
In today's announcement the latest security woe is summed up as:
With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with under-specified credential patterns.
More commentary on this latest security update via the GitHub blog.
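The refusal of under-specified URLs described in the announcement can be sketched as below. This is an added example, not Git's own code: `credential_request`, `is_accepted` and `UnderSpecifiedURL` are hypothetical names, the URLs are constructed samples, and the output uses the `key=value` line format that Git credential helpers read.

```python
from urllib.parse import urlsplit, unquote

FORBIDDEN = ("\n", "\r", "\0")  # would break the one-pair-per-line format


class UnderSpecifiedURL(ValueError):
    """The URL cannot yield a complete, unambiguous credential request."""


def credential_request(url: str) -> str:
    """Return helper input for `url`, or raise instead of guessing."""
    # Check the raw string first: urlsplit() may silently drop raw newlines.
    if any(ch in url for ch in FORBIDDEN):
        raise UnderSpecifiedURL("control character in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderSpecifiedURL("missing scheme")
    if not parts.hostname:
        raise UnderSpecifiedURL("empty host")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    fields = {"protocol": parts.scheme, "host": unquote(hostport)}
    if userinfo:
        fields["username"] = unquote(userinfo.split(":", 1)[0])
    # Percent-decoding can reintroduce a newline, so check the decoded values.
    for key, value in fields.items():
        if any(ch in value for ch in FORBIDDEN):
            raise UnderSpecifiedURL(f"control character in {key}")
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def is_accepted(url: str) -> bool:
    """True if a complete credential request can be built for `url`."""
    try:
        credential_request(url)
        return True
    except UnderSpecifiedURL:
        return False


if __name__ == "__main__":
    # Constructed sample URLs: one complete, three under-specified.
    for url in ("https://example.com/repo.git", "https:///repo.git",
                "example.com/repo.git", "https://example.com%0a/repo.git"):
        print(repr(url), "->", "accepted" if is_accepted(url) else "refused")
```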