lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4a3c949a-416f-734d-f63b-cb1b7f9b362f@gmx.de>
Date: Tue, 14 Jan 2025 19:44:14 +0100 (CET)
From: Johannes Schindelin <Johannes.Schindelin@....de>
To: Junio C Hamano <gitster@...ox.com>
cc: git@...r.kernel.org, Linux Kernel <linux-kernel@...r.kernel.org>, 
    git-packagers@...glegroups.com
Subject: Re: [ANNOUNCE] Git v2.48.1 and friends

Hi Junio,

my apologies, I only realized _now_ that I had forgotten to update
`GIT-VERSION-GEN` in v2.47.2, it still has `DEF_VER=v2.47.1` (but all
other mentioned tagged versions have a correct `GIT-VERSION-GEN`). I am
very sorry about that.

Ciao,
Johannes

On Tue, 14 Jan 2025, Junio C Hamano wrote:

> A maintenance release Git v2.48.1, together with releases for older
> maintenance tracks (v2.40.4, v2.41.3, v2.42.4, v2.43.6, v2.44.3,
> v2.45.3, v2.46.3, and v2.47.2) are now available at the usual
> places.  These are to address a couple of security issues.
>
> The tarballs are found at:
>
>     https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of the 'v2.48.1'
> tag, as well as the tags for older maintenance tracks listed above.
>
>   url = https://git.kernel.org/pub/scm/git/git
>   url = https://kernel.googlesource.com/pub/scm/git/git
>   url = git://repo.or.cz/alt-git.git
>   url = https://github.com/gitster/git
>
>
> These releases make Git refuse to accept URLs that contain control
> sequences to address CVE-2024-50349 and CVE-2024-52006.
>
>  - CVE-2024-50349:
>
>    Printing unsanitized URLs when asking for credentials made the
>    user susceptible to crafted URLs (e.g. in recursive clones) that
>    mislead the user into typing in passwords for trusted sites that
>    would then be sent to untrusted sites instead.
>
>  - CVE-2024-52006
>
>    Git may pass on Carriage Returns via the credential protocol to
>    credential helpers which use line-reading functions that
>    interpret said Carriage Returns as line endings, even though Git
>    did not intend that.
>
>
> Huge credit goes to Dscho who led and coordinated the fixes for this
> set of releases.
>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ