Git Sees Another Round Of New Releases Due To Security Issue
Written by Michael Larabel in Programming on 20 April 2020 at 03:12 PM EDT.
Last week saw a slew of new Git releases due to a security issue in which the newline character could cause a credential leak. This week brings another round of emergency Git releases due to a similar security bug.

Git 2.26.2 is out today along with new point releases from Git 2.25 through Git 2.17. These releases address a security bug similar to last week's problem.

In today's announcement the latest security woe is summed up as:
With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.

Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).

The attack has been made impossible by refusing to work with under-specified credential patterns.

More commentary on this latest security update via the GitHub blog.
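
The refusal described in the announcement, sketched as an added example (not Git's own code, which is written in C): a URL that contains a newline, has an empty host, or lacks a scheme is rejected before any credential request is built. The function and class names are hypothetical, and the `protocol=`/`host=`/`path=` lines follow the key=value input format that Git credential helpers read.

```python
from urllib.parse import urlsplit


class UnderSpecifiedURL(ValueError):
    """The URL does not pin down both a protocol and a host."""


def credential_request(url):
    """Return the key=value block for a credential helper, or refuse."""
    # Inspect the raw string first: recent Python versions of urlsplit()
    # silently strip newlines, which would hide the problem.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        raise UnderSpecifiedURL("control character in URL")
    parts = urlsplit(url)
    if not parts.scheme:
        raise UnderSpecifiedURL("URL lacks a scheme")
    if not parts.hostname:
        raise UnderSpecifiedURL("URL has an empty host")
    # Port handling is left out to keep the example short.
    fields = [("protocol", parts.scheme), ("host", parts.hostname)]
    path = parts.path.lstrip("/")
    if path:
        fields.append(("path", path))
    # One attribute per line, terminated by a blank line.
    return "".join(f"{key}={value}\n" for key, value in fields) + "\n"


def refusal_reason(url):
    """Return None if the URL is fully specified, else why it was refused."""
    try:
        credential_request(url)
    except UnderSpecifiedURL as exc:
        return str(exc)
    return None


# Constructed sample URLs, one per case named in the announcement.
SAMPLES = [
    "https://example.com/repo.git",
    "https://example.com/re\npo.git",
    "https:///repo.git",
    "example.com/repo.git",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", refusal_reason(sample) or "accepted")
```

The same check can be run over the URLs in a repository's `.gitmodules` or a CI job's clone list to flag under-specified entries on hosts that have not yet been updated.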