pkgsrc.se | The NetBSD package collection

./devel/git, GIT version control suite meta-package

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]

Branch: pkgsrc-2020Q1, Version: 2.25.4, Package name: git-2.25.4, Maintainer: pkgsrc-users

This package is a meta package, collecting the components that are
widely expected to be installed for the GIT distributed version
control suite, i.e., the tool itself, the man pages, and contrib scripts.

See git-base for a minimal installation of the command-line tools.
See git-gitk for the tk-based browser gitk, no longer included in the
git meta-package.

Required to run:
[devel/git-docs] [devel/git-base] [devel/git-contrib]

Required to build:
[pkgtools/cwrappers]

Master sites:

http://www.kernel.org/pub/software/scm/git/

Version history: (Expand)

(2020-05-06) Updated to version: git-2.25.4
(2020-04-20) Package has been reborn
(2020-04-19) Package added to pkgsrc.se, version git-2.25.3 (created)

CVS history: (Expand)

2020-05-06 11:53:00 by Benny Siegert | Files touched by this commit (2)

Log message:
Pullup ticket #6181 - requested by leot
devel/git-base: security fix

(via patch)

---
   git: Update to 2.25.4

   Changes:
   2.25.4
   ------
   This release is to address the security issue: CVE-2020-11008

    * With a crafted URL that contains a newline or empty host, or lacks
      a scheme, the credential helper machinery can be fooled into
      providing credential information that is not appropriate for the
      protocol in use and host being contacted.

      Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
      credentials are not for a host of the attacker's choosing; instead,
      they are for some unspecified host (based on how the configured
      credential helper handles an absent "host" parameter).

      The attack has been made impossible by refusing to work with
      under-specified credential patterns.

   Credit for finding the vulnerability goes to Carlo Arenas.