MGASA-2020-0181

See a problem?
Please try reporting it to the source first.

Source

https://advisories.mageia.org/MGASA-2020-0181.html

Import Source

https://advisories.mageia.org/MGASA-2020-0181.json

JSON Data

https://api.test.osv.dev/v1/vulns/MGASA-2020-0181

Related

CVE-2020-11008

Published

2020-04-24T17:03:35Z

Modified

2020-04-24T16:36:31Z

Summary

Updated git packages fix security vulnerability

Details

Updated git packages fix security vulnerability:

Malicious URLs can still cause Git to send a stored credential to the wrong server (CvE-2020-111008).

With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.

Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).

The attack has been made impossible by refusing to work with under-specified credential patterns.

References

Credits

- Mageia - COORDINATOR
- - https://wiki.mageia.org/en/Packages_Security_Team

Affected packages

Mageia:7 / git

Package

Name: git
Purl: pkg:rpm/mageia/git?distro=mageia-7

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.21.3-1.mga7

Ecosystem specific

{
    "section": "core"
}