Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202004-13 ] Git: Information disclosure
Date: Thu, 23 Apr 2020 15:19:03
Message-Id: e445776d-5cd8-fca4-9a54-b5db42c3b805@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 202004-13
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Low
8 Title: Git: Information disclosure
9 Date: April 23, 2020
10 Bugs: #717156, #718710
11 ID: 202004-13
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in Git which might all allow
19 attackers to access sensitive information.
20
21 Background
22 ==========
23
24 Git is a free and open source distributed version control system
25 designed to handle everything from small to very large projects with
26 speed and efficiency.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 dev-vcs/git < 2.26.2 *>= 2.23.3
35 *>= 2.24.3
36 *>= 2.25.4
37 *>= 2.26.2
38
39 Description
40 ===========
41
42 Multiple vulnerabilities have been discovered in Git. Please review the
43 CVE identifiers referenced below for details.
44
45 Impact
46 ======
47
48 A remote attacker, by providing a specially crafted URL, could possibly
49 trick Git into returning credential information for a wrong host.
50
51 Workaround
52 ==========
53
54 Disabling credential helpers will prevent this vulnerability.
55
56 Resolution
57 ==========
58
59 All Git 2.23.x users should upgrade to the latest version:
60
61 # emerge --sync
62 # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.23.3"
63
64 All Git 2.24.x users should upgrade to the latest version:
65
66 # emerge --sync
67 # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.24.3"
68
69 All Git 2.25.x users should upgrade to the latest version:
70
71 # emerge --sync
72 # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.25.4"
73
74 All Git 2.26.x users should upgrade to the latest version:
75
76 # emerge --sync
77 # emerge --ask --oneshot --verbose ">=dev-vcs/git-2.26.2"
78
79 References
80 ==========
81
82 [ 1 ] CVE-2020-11008
83 https://nvd.nist.gov/vuln/detail/CVE-2020-11008
84 [ 2 ] CVE-2020-5260
85 https://nvd.nist.gov/vuln/detail/CVE-2020-5260
86
87 Availability
88 ============
89
90 This GLSA and any updates to it are available for viewing at
91 the Gentoo Security Website:
92
93 https://security.gentoo.org/glsa/202004-13
94
95 Concerns?
96 =========
97
98 Security is a primary focus of Gentoo Linux and ensuring the
99 confidentiality and security of our users' machines is of utmost
100 importance to us. Any security concerns should be addressed to
101 security@g.o or alternatively, you may file a bug at
102 https://bugs.gentoo.org.
103
104 License
105 =======
106
107 Copyright 2020 Gentoo Foundation, Inc; referenced text
108 belongs to its owner(s).
109
110 The contents of this document are licensed under the
111 Creative Commons - Attribution / Share Alike license.
112
113 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature