Security fix for CVE-2020-5260 and CVE-2020-11008
CVE-2020-5260 - From the upstream release notes:
With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.
CVE-2020-11008 - From the upstream release notes:
With a crafted URL that contains a newline or empty host, or lacks a scheme, the credential helper machinery can be fooled into providing credential information that is not appropriate for the protocol in use and host being contacted.
Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the credentials are not for a host of the attacker's choosing; instead, they are for some unspecified host (based on how the configured credential helper handles an absent "host" parameter).
The attack has been made impossible by refusing to work with under-specified credential patterns.
Updates may require up to 24 hours to propagate to mirrors. If the following command doesn't work, please retry later:
sudo dnf upgrade --refresh --advisory=FEDORA-2020-4e093619bb
Please login to add feedback.
This update has been submitted for testing by tmz.
This update's test gating status has been changed to 'waiting'.
This update has obsoleted git-2.21.2-1.fc30, and has inherited its bugs and notes.
This update's test gating status has been changed to 'ignored'.
This update has been pushed to testing.
tmz edited this update.
Works
This update can be pushed to stable now if the maintainer wishes
This update has been submitted for stable by tmz.
This update has been pushed to stable.