Accepted git 1:2.1.4-2.1+deb8u10 (source amd64 all) into oldoldstable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 21 Apr 2020 09:15:00 -0400
Source: git
Binary: git git-man git-core git-doc git-arch git-cvs git-svn git-mediawiki git-email git-daemon-run git-daemon-sysvinit git-gui gitk git-el gitweb git-all
Architecture: source amd64 all
Version: 1:2.1.4-2.1+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Gerrit Pape <pape@smarden.org>
Changed-By: Roberto C. Sanchez <roberto@debian.org>
Description:
git - fast, scalable, distributed revision control system
git-all - fast, scalable, distributed revision control system (all subpacka
git-arch - fast, scalable, distributed revision control system (arch interop
git-core - fast, scalable, distributed revision control system (obsolete)
git-cvs - fast, scalable, distributed revision control system (cvs interope
git-daemon-run - fast, scalable, distributed revision control system (git-daemon s
git-daemon-sysvinit - fast, scalable, distributed revision control system (git-daemon s
git-doc - fast, scalable, distributed revision control system (documentatio
git-el - fast, scalable, distributed revision control system (emacs suppor
git-email - fast, scalable, distributed revision control system (email add-on
git-gui - fast, scalable, distributed revision control system (GUI)
git-man - fast, scalable, distributed revision control system (manual pages
git-mediawiki - fast, scalable, distributed revision control system (MediaWiki in
git-svn - fast, scalable, distributed revision control system (svn interope
gitk - fast, scalable, distributed revision control system (revision tre
gitweb - fast, scalable, distributed revision control system (web interfac
Changes:
git (1:2.1.4-2.1+deb8u10) jessie-security; urgency=high
.
* Non-maintainer upload by the LTS Team.
* Apply patches from 2.20.4 to address the security issue
CVE-2020-11008.
.
With a crafted URL that contains a newline or empty host, or
lacks a scheme, the credential helper machinery can be fooled
into providing credential information that is not appropriate
for the protocol in use and host being contacted.
.
Unlike the vulnerability fixed in 1:2.11.0-3+deb9u6, the
credentials are not for a host of the attacker's choosing.
Instead, they are for an unspecified host, based on how the
configured credential helper handles an absent "host"
parameter.
.
The attack has been made impossible by refusing to work with
underspecified credential patterns.
.
Thanks to Carlo Arenas for reporting that Git was still
vulnerable, Felix Wilhelm for providing the proof of concept
demonstrating this issue, and Jeff King for promptly providing
a corrected fix.
.
Tested using the proof of concept at
https://crbug.com/project-zero/2021.
Checksums-Sha1:
Checksums-Sha256:
Files:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
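
A simplified model of the check the changelog describes (refusing URLs with a newline, an empty host or no scheme before a credential helper is consulted), added here as an illustration; it is not Git's or Debian's code. The function names, error strings and sample URLs are constructed, and the `key=value` request layout follows the git-credential helper protocol.

```python
from urllib.parse import unquote


class UnderspecifiedCredential(ValueError):
    """The URL does not pin down both a protocol and a host."""


def credential_fields(url):
    """Split a URL into the fields a credential helper would be sent."""
    scheme, sep, rest = url.partition("://")
    if not sep or not scheme:
        raise UnderspecifiedCredential("missing scheme")
    authority, _, path = rest.partition("/")
    # Drop any user[:password]@ prefix, then percent-decode the host.
    host = unquote(authority.rpartition("@")[2])
    if not host:
        raise UnderspecifiedCredential("empty host")
    fields = {"protocol": scheme, "host": host}
    if path:
        fields["path"] = unquote(path)
    # The helper protocol is line-oriented, so a decoded newline in any
    # value would change how the helper reads the request.
    for key, value in fields.items():
        if "\n" in value:
            raise UnderspecifiedCredential("newline in " + key)
    return fields


def helper_request(url):
    """Render the request; raises instead of sending a partial one."""
    fields = credential_fields(url)
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


# Constructed sample URLs, one per condition named in the changelog.
SAMPLES = [
    "https://example.com/repo.git",     # fully specified
    "example.com/repo.git",             # lacks a scheme
    "https:///repo.git",                # empty host
    "https://example.com/repo%0a.git",  # percent-encoded newline
]


def audit(urls):
    """Map each URL to 'ok' or the reason it is refused."""
    results = {}
    for url in urls:
        try:
            credential_fields(url)
            results[url] = "ok"
        except UnderspecifiedCredential as exc:
            results[url] = str(exc)
    return results
```
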