git-2.18.2-2.el8

Errata ID: AXSA:2020-270:05

Release date: Friday, August 21, 2020 - 11:46
Subject: git-2.18.2-2.el8
Affected Channels: Asianux Server 8 for x86_64
Severity: High
Description:

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

* git: Crafted URL containing new lines can cause credential leak (CVE-2020-5260)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-5260
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
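The following is an added example, not code from this advisory or from the Git project. It is a defender-side check for the condition described above: it flags submodule URLs whose percent-decoded components contain a newline or other control character, and it shows a credential-request serializer that refuses such values. The function names and the sample `.gitmodules` content are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: one ordinary submodule URL and one whose host part
# carries a percent-encoded newline (%0A).
SAMPLE_GITMODULES = """\
[submodule "docs"]
\tpath = docs
\turl = https://good.example.com/team/docs.git
[submodule "vendor"]
\tpath = vendor
\turl = https://evil.example.com%0Aextra/repo.git
"""

CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def url_is_suspicious(url):
    """True if any percent-decoded URL component contains a control character."""
    parts = urlsplit(url)
    fields = (parts.scheme, parts.netloc, parts.path, parts.query, parts.fragment)
    return any(CONTROL.search(unquote(f)) for f in fields)


def scan_gitmodules(text):
    """Return [(submodule_name, url)] for every suspicious 'url =' entry."""
    findings, name = [], None
    for line in text.splitlines():
        header = re.match(r'\s*\[submodule\s+"(.*)"\]', line)
        if header:
            name = header.group(1)
            continue
        entry = re.match(r"\s*url\s*=\s*(.+?)\s*$", line)
        if entry and url_is_suspicious(entry.group(1)):
            findings.append((name, entry.group(1)))
    return findings


def write_credential_request(fields):
    """Serialize key=value lines for a credential helper, refusing newlines."""
    out = []
    for key, value in fields.items():
        # A newline inside a value would start a new protocol line.
        if "\n" in key or "\n" in value:
            raise ValueError(f"credential value for {key} contains newline")
        out.append(f"{key}={value}\n")
    return "".join(out) + "\n"  # a blank line terminates the request
```

Running `scan_gitmodules` over the `.gitmodules` files of repositories that are cloned automatically gives a quick inventory of entries to review on hosts that have not yet been updated.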

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. git-2.18.2-2.el8.src.rpm
    MD5: ea9329c390eea3de1c4c3a607897a066
    SHA-256: 81ea4b769b21c5db9099a431be7f55557fcd6b5be328122e7096b97dd66264af
    Size: 4.96 MB

Asianux Server 8 for x86_64
  1. git-2.18.2-2.el8.x86_64.rpm
    MD5: 31d2bd349a7d264053e396d53fa0858c
    SHA-256: 654a954f15ca56285298b95876f25e0515d8eb2b56eed58e7fbd7419a1181320
    Size: 185.38 kB
  2. git-all-2.18.2-2.el8.noarch.rpm
    MD5: 803c29814a21eec0478245b648a44c9e
    SHA-256: 512cde12645606ae274f527e428bd71409bc819befe53b4864ff3ce35ab48d0c
    Size: 46.73 kB
  3. git-core-2.18.2-2.el8.x86_64.rpm
    MD5: 1006361cca661eead1749e69fb65a24c
    SHA-256: 66c0098c91d6fb5dd93ec474a4386c6e4e5e88ae9f85c552150bceeda1f65ea5
    Size: 5.01 MB
  4. git-core-doc-2.18.2-2.el8.noarch.rpm
    MD5: aed2bff6d4aa41ee45c562f9c3700e1a
    SHA-256: 3cff03efae375b14ee0523d7cea4e35e8ae7c7c2b4b5e1f1d204a2b229e1b774
    Size: 2.27 MB
  5. git-daemon-2.18.2-2.el8.x86_64.rpm
    MD5: 3610d262efd5f9e719617baf7f847b07
    SHA-256: 744ae59fd84b04026f4f2ee95c2d79e2d689e87d6f5e687f3bdc2b5659f5d253
    Size: 709.05 kB
  6. git-email-2.18.2-2.el8.noarch.rpm
    MD5: ca0f64342d271a738f0210d91ed9321f
    SHA-256: 5be2b1678e692605059a8deb3ebc2aab82f91291ffff9b7324bddd9c30fcb9a9
    Size: 86.38 kB
  7. git-gui-2.18.2-2.el8.noarch.rpm
    MD5: 32f7eb09da8aac5fbdf47ae15319aef3
    SHA-256: d94180f38737a4169574bf289b5e4392d9082cd4010c3a98bf1bf961d3816397
    Size: 294.86 kB
  8. git-instaweb-2.18.2-2.el8.x86_64.rpm
    MD5: a6e9ae5e40a653657092d3a7ce09e28b
    SHA-256: ff56ec6c5a76b3c49b932d3aede72e4d90731903f53288fee445cdc0819db90b
    Size: 60.68 kB
  9. git-subtree-2.18.2-2.el8.x86_64.rpm
    MD5: 4d8bf2a7e71d7816db9d8e05e2d0dae0
    SHA-256: 4dcddf686fe45ad9ed39a585bde78b3971785c9eddbf9522c38ede1f012c949b
    Size: 68.66 kB
  10. git-svn-2.18.2-2.el8.x86_64.rpm
    MD5: ccca3e80344c77594eeba06c22d535d2
    SHA-256: 378588b31ae05303bdbee58aded4c6c73201e0e82117127b3eee35fa07577553
    Size: 755.93 kB
  11. gitk-2.18.2-2.el8.noarch.rpm
    MD5: 0488541553a49e212ee1e16fdf9f3a5d
    SHA-256: b1866c37a3eacfa37e83cc7c590d65108471fab66f92b60971aaf4e0f1813050
    Size: 199.54 kB
  12. gitweb-2.18.2-2.el8.noarch.rpm
    MD5: 6169e0054b7b75765914f24f96105276
    SHA-256: bde9a2c24141a7a4dba50d835b69f2ba1b1ca83639ac87d61099ce09add46688
    Size: 164.00 kB
  13. perl-Git-2.18.2-2.el8.noarch.rpm
    MD5: 5ca10f5f699385c86284ef75e4363925
    SHA-256: b7c0815fed484e16471c2fcc7e905b3465d1b1f49476e65623f2c55d98952637
    Size: 76.10 kB
  14. perl-Git-SVN-2.18.2-2.el8.noarch.rpm
    MD5: 9776c25c9e43d504f7b74ebbb2bcd9b3
    SHA-256: 2b0939d8496d3fcd843ea468c1f5fbdd689fa76dee5d18d8056a1275af79a8fe
    Size: 93.14 kB