-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 14 Apr 2020 10:29:38 -0700
Source: git
Architecture: source
Version: 1:2.26.1-1
Distribution: unstable
Urgency: high
Maintainer: Jonathan Nieder <jrnie...@gmail.com>
Changed-By: Jonathan Nieder <jrnie...@gmail.com>
Changes:
git (1:2.26.1-1) unstable; urgency=high
.
* new upstream point release (see RelNotes/2.26.1.txt).
* Addresses the security issue CVE-2020-5260.
.
With a crafted URL that contains a newline, the credential
helper machinery can be fooled to supply credential information
for the wrong host. The attack has been made impossible by
forbidding a newline character in any value passed via the
credential protocol.
.
Thanks to Felix Wilhelm of Google Project Zero for finding
this vulnerability and Jeff King for fixing it.
Checksums-Sha1:
666eeea45bf8a95d91daf017e6959bd6e1e0041f 2860 git_2.26.1-1.dsc
9ec4ef53d157cb376aaedc0ca529d3857c3f8bf6 6006104 git_2.26.1.orig.tar.xz
a2cc8fda6f1c3b1ffb5045298fd31fc226102324 646124 git_2.26.1-1.debian.tar.xz
863c9e45c9853a2ffb65cac2eb75d25d200a0892 12103 git_2.26.1-1_amd64.buildinfo
Checksums-Sha256:
15f08a650808a188e996302aabc9668d906498919b02508110f6343e581a0d7e 2860
git_2.26.1-1.dsc
888228408f254634330234df3cece734d190ef6381063821f31ec020538f0368 6006104
git_2.26.1.orig.tar.xz
986608f95e65f719a429ada5954f6fa6ca90d8243f6dbdefeade2d8411033d3d 646124
git_2.26.1-1.debian.tar.xz
cf827b04a7e3ff6fd25257e2c467b03b9e646b9b4aec7ec903380e98f0ad7664 12103
git_2.26.1-1_amd64.buildinfo
Files:
726b2b329c8e27b82810e8e72f010786 2860 vcs optional git_2.26.1-1.dsc
50e68aaebbb554f4946d170a2765bfe7 6006104 vcs optional git_2.26.1.orig.tar.xz
d96147752d87af1ca90532be40b8f5c1 646124 vcs optional git_2.26.1-1.debian.tar.xz
beb0f91ceff24f62b0c0cb6d6bbe24d4 12103 vcs optional
git_2.26.1-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJHBAEBCAAxFiEEUh5Y8X6W1xKqD/EC38Zx7rMz+iUFAl6WAIkTHGpybmllZGVy
QGdtYWlsLmNvbQAKCRDfxnHuszP6JajEEACofH4zYgWWGjQCmstnqrPkBINn1Cy2
lXHMIC6UE17X2M/DuFR0pK7/OsvQeaxtiqr0T+MOzChlJ7IQuWOgQDjbiQE9Xbyx
9wdi/pHuEvDG2mjl8zPh3f+3oHMFFpPm0uhbUcfA57SOKImu+ZEJhaZlzF/kE4UM
s/Fl9ZxQilHyLgPlyIwj0rZacuCkyX6lst6F7HgATY1Kiagdi4MGUIjv7+SYMokn
DmbmlJ6MLAEeE3fjJ9JEegDH3l5XIeHX7cKSq6jZWsgwudU9GAMLCZFigxYH2iV0
QZD8ICO/1nJsyxeJBRcKb4voNKAgLQ1Rlx8SvWTLv8xgHLIv8tkRPRImi5A1nX3o
tRoaLy+6bIujkhBZTBYz04OVkVI0kpZe1Gv+qeg7cZFGLuiCbKFbU9bhYdkA6ruM
ZqvreqHgs5nu+L1JPCunzZU1s8QwFvjHFePsyuqmCj+e8NzX/CM+2QaLYWrhxBXk
lxQ1qioVSkknhDExcyoN/If3I1rYaZWLYPoAl5KMpKYPjB4BUQx/B6KMYd16fNzl
QXKuKYMBahA4ssDvcHEFWZU/ez63qnBnVqa1jrDzxiVyzRBQdnDyyBXHSQpSYoDG
jowCv1LOqi2b0bP9/dgn2ZMXWQWmlRBRE8cDPshHvq+OdVJWiOl1yTLmqlAJFAAC
aOSeN4pbaBh4rA==
=KkyZ
-----END PGP SIGNATURE-----
