Git update to fix yet another vulnerability

Corrective releases of the distributed source control system Git have been published: 2.26.2, 2.25.4, 2.24.3, 2.23.3, 2.22.4, 2.21.3, 2.20.4, 2.19.5, 2.18.4 and 2.17.5. They fix a vulnerability (CVE-2020-11008) reminiscent of the problem fixed last week. The new vulnerability also affects "credential.helper" handlers and is exploited by passing a specially crafted URL containing a newline character, an empty host, or an unspecified request scheme. When processing such a URL, credential.helper sends information about credentials that do not match the requested protocol or the host being accessed.

Unlike the previous problem, when exploiting the new vulnerability an attacker cannot directly control which host's credentials will be transmitted. Which credentials are leaked depends on how the missing "host" parameter is handled in credential.helper. The crux of the problem is that many credential.helper handlers interpret empty fields in the URL as an instruction to apply any credentials to the current request. In this way, credential.helper can send credentials stored for another server to the attacker's server specified in the URL.

The problem manifests itself when performing operations such as "git clone" and "git fetch", but is most dangerous when processing submodules: when "git submodule update" is run, the URLs set in the repository's .gitmodules file are processed automatically. As a workaround, it is recommended not to use credential.helper when accessing public repositories, and not to use "git clone" in "--recurse-submodules" mode with unchecked repositories.

The fix in the new Git releases disables calling credential.helper for URLs containing unrepresentable values (for example, three slashes instead of two, as in "http:///host", or no protocol scheme, as in "http::ftp.example.com/"). The issue affects the store (built-in Git credential storage), cache (built-in credential cache), and osxkeychain (macOS storage) handlers. The Git Credential Manager (Windows storage) handler is not affected.
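An added example, not part of the original article and not Git's own code: a pre-check that reads a .gitmodules file before "git submodule update" and reports URLs with a newline, an empty host, or no "scheme://" prefix. The parser is a minimal one written for this example, the function names and sample data are constructed, and scp-style URLs (user@host:path) are also reported as having no scheme, which is a strict policy assumed here.

```python
import re
from urllib.parse import unquote

SECTION = re.compile(r'^\s*\[submodule\s+"(.+)"\]\s*$')
URL_KEY = re.compile(r'^\s*url\s*=\s*(.*?)\s*$')
SCHEME_AUTHORITY = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://([^/]*)')

def check_url(url):
    """Return the reasons a URL falls into the classes named in the article."""
    reasons = []
    if re.search(r"[\r\n]", unquote(url)):  # raw or percent-encoded newline
        reasons.append("newline")
    if url.startswith(("./", "../")):
        return reasons  # relative submodule path: no scheme or host expected
    m = SCHEME_AUTHORITY.match(url)
    if m is None:
        reasons.append("no scheme")
    else:
        host = m.group(1).rsplit("@", 1)[-1]  # drop optional user[:password]@
        if host == "" or host.startswith(":"):
            reasons.append("empty host")
    return reasons

def audit_gitmodules(text):
    """Minimal .gitmodules reader: returns (submodule, url, reasons) per suspect URL."""
    findings, name = [], None
    for line in text.splitlines():
        s, u = SECTION.match(line), URL_KEY.match(line)
        if s:
            name = s.group(1)
        elif u:
            url = u.group(1).strip('"').replace("\\n", "\n")  # unquote, expand \n escape
            reasons = check_url(url)
            if reasons:
                findings.append((name, url, reasons))
    return findings

# Constructed sample; the two malformed forms are the ones quoted in the article.
SAMPLE = '''[submodule "ok"]
\turl = https://git.example.com/ok.git
[submodule "a"]
\turl = http:///host
[submodule "b"]
\turl = http::ftp.example.com/
'''

if __name__ == "__main__":
    for name, url, reasons in audit_gitmodules(SAMPLE):
        print(f"{name}: {url!r} -> {', '.join(reasons)}")
```

A non-empty result is a reason to stop and review the repository before running submodule operations with a credential helper configured.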

You can follow the release of package updates in distributions on the pages for Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch, OTHER, FreeBSD.

Source: opennet.ru
