Bug 26483 - Update request: git-2.21.2-1.mga7 (fixes CVE-2020-5260)
Summary: Update request: git-2.21.2-1.mga7 (fixes CVE-2020-5260)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-04-15 10:52 CEST by Thomas Backlund
Modified: 2020-04-23 20:22 CEST

See Also:
Source RPM: git
CVE:
Status comment:


Description Thomas Backlund 2020-04-15 10:52:00 CEST
Cauldron is fixed with 2.26.1 uploaded

Fixes security issue CVE-2020-5260:

With a crafted URL that contains a newline in it, the credential
helper machinery can be fooled to give credential information for
a wrong host.  The attack has been made impossible by forbidding
a newline character in any value passed via the credential
protocol.



SRPM:
git-2.21.2-1.mga7.src.rpm


i586:
git-2.21.2-1.mga7.i586.rpm
git-arch-2.21.2-1.mga7.i586.rpm
git-core-2.21.2-1.mga7.i586.rpm
git-core-oldies-2.21.2-1.mga7.i586.rpm
git-cvs-2.21.2-1.mga7.i586.rpm
git-email-2.21.2-1.mga7.i586.rpm
gitk-2.21.2-1.mga7.i586.rpm
git-prompt-2.21.2-1.mga7.i586.rpm
git-subtree-2.21.2-1.mga7.i586.rpm
git-svn-2.21.2-1.mga7.i586.rpm
gitweb-2.21.2-1.mga7.i586.rpm
libgit-devel-2.21.2-1.mga7.i586.rpm
perl-Git-2.21.2-1.mga7.i586.rpm
perl-Git-SVN-2.21.2-1.mga7.i586.rpm


x86_64:
git-2.21.2-1.mga7.x86_64.rpm
git-arch-2.21.2-1.mga7.x86_64.rpm
git-core-2.21.2-1.mga7.x86_64.rpm
git-core-oldies-2.21.2-1.mga7.x86_64.rpm
git-cvs-2.21.2-1.mga7.x86_64.rpm
git-email-2.21.2-1.mga7.x86_64.rpm
gitk-2.21.2-1.mga7.x86_64.rpm
git-prompt-2.21.2-1.mga7.x86_64.rpm
git-subtree-2.21.2-1.mga7.x86_64.rpm
git-svn-2.21.2-1.mga7.x86_64.rpm
gitweb-2.21.2-1.mga7.x86_64.rpm
lib64git-devel-2.21.2-1.mga7.x86_64.rpm
perl-Git-2.21.2-1.mga7.x86_64.rpm
perl-Git-SVN-2.21.2-1.mga7.x86_64.rpm
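
Added example (not part of the original report and not git's own code): a small model of the line-based credential protocol showing why a newline inside a value changes what a helper reads, and the "forbid newlines in any value" check the description refers to. The function names, the sample hosts and the "later key overrides earlier" helper behaviour are assumptions made for illustration.

```python
# Illustrative model of the line-based credential protocol: one key=value
# pair per line, a blank line ends the record. Not git's implementation.

class CredentialError(ValueError):
    """Raised when a field cannot be framed safely."""

def serialize_unchecked(fields):
    # Behaviour the report describes as exploitable: values written as-is,
    # so a newline inside a value starts a new protocol line.
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"

def serialize_checked(fields):
    # The fix described in the report: forbid a newline in any value.
    lines = []
    for key, value in fields.items():
        if not key or "=" in key or "\n" in key:
            raise CredentialError(f"invalid key {key!r}")
        if "\n" in value:
            raise CredentialError(f"newline in value for {key!r}")
        lines.append(f"{key}={value}\n")
    return "".join(lines) + "\n"

def parse_as_helper(stream):
    # Assumed helper behaviour: read until the blank line, later keys
    # override earlier ones.
    seen = {}
    for line in stream.split("\n"):
        if line == "":
            break
        key, sep, value = line.partition("=")
        if sep:
            seen[key] = value
    return seen

# Constructed sample: the host value carries an embedded newline.
SAMPLE = {"protocol": "https", "host": "good.example\nhost=other.example"}

if __name__ == "__main__":
    print(parse_as_helper(serialize_unchecked(SAMPLE)))
    try:
        serialize_checked(SAMPLE)
    except CredentialError as err:
        print("rejected:", err)
```
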
Thomas Backlund 2020-04-15 11:40:35 CEST

Keywords: (none) => advisory

David Walser 2020-04-15 13:02:32 CEST

Summary: Update request: git-2.21.2-1.mga7 => Update request: git-2.21.2-1.mga7 (fixes CVE-2020-5260)

Comment 1 David Walser 2020-04-16 05:31:05 CEST
Upstream advisory:
https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q
Comment 2 Herman Viaene 2020-04-16 21:00:06 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22067 Comment 6 for some little test.
$ git init
Initialized empty Git repository in /home/tester7/.git/
[tester7@mach5 ~ (master)]$ git config --global user.name "tester7"
[tester7@mach5 ~ (master)]$ git config --global user.email "herman.viaene@hotmail.be"
[tester7@mach5 ~ (master)]$ git add ~/Documents/okra/zwe
zwemmen2.ods  zwemmen.ods   zwemmen.xls   zwemmen.xlsx  
[tester7@mach5 ~ (master)]$ git add ~/Documents/okra/zwemmen.ods 
Looks all OK.

Checked that in the past only one person has done real tests on a live system: PC LX.
Leaving the OK for the expert.

CC: (none) => herman.viaene

Comment 3 Thomas Backlund 2020-04-17 00:35:43 CEST
works here on 2 systems, and has been running on Mageia infra since it was built...

Whiteboard: (none) => MGA7-64-OK

Thomas Backlund 2020-04-17 00:35:54 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2020-04-17 01:02:33 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0175.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 David Walser 2020-04-23 20:22:09 CEST
Red Hat has issued an advisory for this on April 21:
https://access.redhat.com/errata/RHSA-2020:1511
