Date: Thu, 4 Jun 2020 12:41:05 +0000 (UTC) From: Renato Botelho <garga@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r537893 - head/security/vuxml Message-ID: <202006041241.054Cf5o7069750@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: garga Date: Thu Jun 4 12:41:05 2020 New Revision: 537893 URL: https://svnweb.freebsd.org/changeset/ports/537893 Log: vuxml: Document git vulnerability CVE-2020-5260 PR: 245821 Submitted by: rob2g2 <spam123@bitbert.com> Sponsored by: Rubicon Communications, LLC (Netgate) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jun 4 12:40:00 2020 (r537892) +++ head/security/vuxml/vuln.xml Thu Jun 4 12:41:05 2020 (r537893) @@ -58,6 +58,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="ced2d47e-8469-11ea-a283-b42e99a1b9c3"> + <topic>malicious URLs may present credentials to wrong server</topic> + <affects> + <package> + <name>git</name> + <range><ge>2.26.0</ge><lt>2.26.1</lt></range> + <range><ge>2.25.0</ge><lt>2.25.3</lt></range> + <range><ge>2.24.0</ge><lt>2.24.2</lt></range> + <range><ge>2.23.0</ge><lt>2.23.2</lt></range> + <range><ge>2.22.0</ge><lt>2.22.3</lt></range> + <range><ge>2.21.0</ge><lt>2.21.2</lt></range> + <range><ge>2.20.0</ge><lt>2.20.3</lt></range> + <range><ge>2.19.0</ge><lt>2.19.4</lt></range> + <range><ge>2.18.0</ge><lt>2.18.3</lt></range> + <range><ge>0</ge><lt>2.17.4</lt></range> + </package> + <package> + <name>git-lite</name> + <range><ge>2.26.0</ge><lt>2.26.1</lt></range> + <range><ge>2.25.0</ge><lt>2.25.3</lt></range> + <range><ge>2.24.0</ge><lt>2.24.2</lt></range> + <range><ge>2.23.0</ge><lt>2.23.2</lt></range> + <range><ge>2.22.0</ge><lt>2.22.3</lt></range> + <range><ge>2.21.0</ge><lt>2.21.2</lt></range> + <range><ge>2.20.0</ge><lt>2.20.3</lt></range> + <range><ge>2.19.0</ge><lt>2.19.4</lt></range> + <range><ge>2.18.0</ge><lt>2.18.3</lt></range> + <range><ge>0</ge><lt>2.17.4</lt></range> + </package> + <package> + <name>git-gui</name> + <range><ge>2.26.0</ge><lt>2.26.1</lt></range> + <range><ge>2.25.0</ge><lt>2.25.3</lt></range> + <range><ge>2.24.0</ge><lt>2.24.2</lt></range> + <range><ge>2.23.0</ge><lt>2.23.2</lt></range> + <range><ge>2.22.0</ge><lt>2.22.3</lt></range> + <range><ge>2.21.0</ge><lt>2.21.2</lt></range> + <range><ge>2.20.0</ge><lt>2.20.3</lt></range> + <range><ge>2.19.0</ge><lt>2.19.4</lt></range> + <range><ge>2.18.0</ge><lt>2.18.3</lt></range> + <range><ge>0</ge><lt>2.17.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>git security advisory reports:</p> + <blockquote cite="https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q">; + <p>Git uses external "credential helper" programs to store and retrieve passwords or + other credentials from secure storage provided by the operating system. + Specially-crafted URLs that contain an encoded newline can inject unintended values + into the credential helper protocol stream, causing the credential helper to retrieve + the password for one server for an HTTP request being made to another + server, resulting in credentials for the former being sent to the + latter.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/git/git/security/advisories/GHSA-qm7j-c969-7j4q</url>; + <cvename>CVE-2020-5260</cvename> + </references> + <dates> + <discovery>2020-04-14</discovery> + <entry>2020-04-22</entry> + </dates> + </vuln> + <vuln vid="67765237-8470-11ea-a283-b42e99a1b9c3"> <topic>malicious URLs can cause git to send a stored credential to wrong server</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006041241.054Cf5o7069750>