Date: Thu, 4 Jun 2020 12:37:35 +0000 (UTC) From: Renato Botelho <garga@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r537891 - head/security/vuxml Message-ID: <202006041237.054CbZ9Z067027@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: garga Date: Thu Jun 4 12:37:35 2020 New Revision: 537891 URL: https://svnweb.freebsd.org/changeset/ports/537891 Log: vuxml: Document git vulnerability CVE-2020-11008 PR: 245822 Submitted by: rob2g2 <spam123@bitbert.com> Sponsored by: Rubicon Communications, LLC (Netgate) Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Jun 4 12:37:17 2020 (r537890) +++ head/security/vuxml/vuln.xml Thu Jun 4 12:37:35 2020 (r537891) @@ -58,6 +58,72 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="67765237-8470-11ea-a283-b42e99a1b9c3"> + <topic>malicious URLs can cause git to send a stored credential to wrong server</topic> + <affects> + <package> + <name>git</name> + <range><ge>2.26.0</ge><lt>2.26.2</lt></range> + <range><ge>2.25.0</ge><lt>2.25.4</lt></range> + <range><ge>2.24.0</ge><lt>2.24.3</lt></range> + <range><ge>2.23.0</ge><lt>2.23.3</lt></range> + <range><ge>2.22.0</ge><lt>2.22.4</lt></range> + <range><ge>2.21.0</ge><lt>2.21.3</lt></range> + <range><ge>2.20.0</ge><lt>2.20.4</lt></range> + <range><ge>2.19.0</ge><lt>2.19.5</lt></range> + <range><ge>2.18.0</ge><lt>2.18.4</lt></range> + <range><ge>0</ge><lt>2.17.5</lt></range> + </package> + <package> + <name>git-lite</name> + <range><ge>2.26.0</ge><lt>2.26.2</lt></range> + <range><ge>2.25.0</ge><lt>2.25.4</lt></range> + <range><ge>2.24.0</ge><lt>2.24.3</lt></range> + <range><ge>2.23.0</ge><lt>2.23.3</lt></range> + <range><ge>2.22.0</ge><lt>2.22.4</lt></range> + <range><ge>2.21.0</ge><lt>2.21.3</lt></range> + <range><ge>2.20.0</ge><lt>2.20.4</lt></range> + <range><ge>2.19.0</ge><lt>2.19.5</lt></range> + <range><ge>2.18.0</ge><lt>2.18.4</lt></range> + <range><ge>0</ge><lt>2.17.5</lt></range> + </package> + <package> + <name>git-gui</name> + <range><ge>2.26.0</ge><lt>2.26.2</lt></range> + <range><ge>2.25.0</ge><lt>2.25.4</lt></range> + <range><ge>2.24.0</ge><lt>2.24.3</lt></range> + <range><ge>2.23.0</ge><lt>2.23.3</lt></range> + <range><ge>2.22.0</ge><lt>2.22.4</lt></range> + <range><ge>2.21.0</ge><lt>2.21.3</lt></range> + <range><ge>2.20.0</ge><lt>2.20.4</lt></range> + <range><ge>2.19.0</ge><lt>2.19.5</lt></range> + <range><ge>2.18.0</ge><lt>2.18.4</lt></range> + <range><ge>0</ge><lt>2.17.5</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>git security advisory reports:</p> + <blockquote cite="https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7">; + <p>Git uses external "credential helper" programs to store and retrieve passwords or + other credentials from secure storage provided by the operating system. Specially-crafted + URLs that are considered illegal as of the recently published Git versions can cause Git + to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers + will interpret this as matching any URL, and will return some unspecified stored password, + leaking the password to an attacker's server.</p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/git/git/security/advisories/GHSA-hjc9-x69f-jqj7</url>; + <cvename>CVE-2020-11008</cvename> + </references> + <dates> + <discovery>2020-04-20</discovery> + <entry>2020-04-22</entry> + </dates> + </vuln> + <vuln vid="ef5b4f5f-a658-11ea-80d7-001cc0382b2f"> <topic>GnuTLS -- flaw in TLS session ticket key construction</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202006041237.054CbZ9Z067027>