./devel/git-base, GIT Tree History Storage Tool (base package)


Branch: pkgsrc-2020Q1, Version: 2.25.4, Package name: git-base-2.25.4, Maintainer: pkgsrc-users

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

Git is easy to learn and has a tiny footprint with lightning fast
performance. It outclasses SCM tools like Subversion, CVS, Perforce,
and ClearCase with features like cheap local branching, convenient
staging areas, and multiple workflows.

This package contains only the git program (and subcommands). It does
not contain man pages or the tk-based repository browser.


Required to run:
[devel/p5-Error] [devel/pcre2] [lang/perl5] [www/curl] [mail/p5-Email-Valid] [mail/p5-MailTools] [mail/p5-Net-SMTP-SSL] [security/p5-Authen-SASL] [security/openssl]

Required to build:
[pkgtools/cwrappers]

Master sites:

SHA1: 7fb514cf5682b21fc0829428ceae0ff1544b7dfa
RMD160: a04c830a714df73e777d0c84ae5bb32fe18e8a82
Filesize: 5743.141 KB

CVS history:


   2020-05-06 11:53:00 by Benny Siegert | Files touched by this commit (2)
Log message:
Pullup ticket #6181 - requested by leot
devel/git-base: security fix

(via patch)

---
   git: Update to 2.25.4

   Changes:
   2.25.4
   ------
   This release is to address the security issue: CVE-2020-11008

    * With a crafted URL that contains a newline or empty host, or lacks
      a scheme, the credential helper machinery can be fooled into
      providing credential information that is not appropriate for the
      protocol in use and host being contacted.

      Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
      credentials are not for a host of the attacker's choosing; instead,
      they are for some unspecified host (based on how the configured
      credential helper handles an absent "host" parameter).

      The attack has been made impossible by refusing to work with
      under-specified credential patterns.

   Credit for finding the vulnerability goes to Carlo Arenas.