From: Taylor Blau
Date: Tue, 7 Apr 2020 11:22:01 -0600

Team,

The Git project will release new versions on Tuesday, April 14th, 2020, at or around 11:00am PDT (6:00pm UTC).

Attached is a Git bundle which you can fetch into a clone of 'https://github.com/git/git' via:

    $ git fetch /path/to/git_cve_2020_5260.bundle 'refs/tags/*:refs/tags/*'

containing the tags for versions v2.26.1, v2.25.3, v2.24.2, v2.23.2, v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4.

You can verify with `git tag -v <tag>` that the versions were signed by the Git maintainer, using the same GPG key as v2.26.0.

Please use these tags to prepare `git` packages for your various distributions, using the appropriate tagged versions. In the case that you need to backport this fix to earlier versions, please cherry-pick 9a6bbee800 (credential: avoid writing values with newlines, 2020-03-11). The additional patches are nice-to-have, but are not strictly necessary. The test case in 't0300-credentials.sh' can help verify the cherry-pick's correctness.

The addressed issue is:

 * CVE-2020-5260: With a crafted URL that contains a newline in it, the credential helper machinery can be fooled to give credential information for a wrong host. The attack has been made impossible by forbidding a newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google Project Zero.

Thanks,
Taylor
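As an added example (not part of the email and not Git's own code), the following Python models the credential helper protocol's line-oriented key=value framing and applies the same check the fix describes: any value containing a newline is refused before it is written. The hostnames are constructed placeholders.

```python
"""Model of the git credential protocol framing with the CVE-2020-5260 check.

The protocol is a sequence of "key=value" lines terminated by a blank line.
Because the framing is line-based, a value that itself contains "\\n" would
be read back as an extra key=value line, so the writer must refuse it.
Constructed example; not Git's implementation.
"""


class CredentialValueError(ValueError):
    """Raised when a key or value would break the line-oriented framing."""


def serialize(attrs: dict) -> str:
    """Write attrs in credential protocol form, refusing embedded newlines."""
    lines = []
    for key, value in attrs.items():
        if value is None:
            continue
        # The fix (commit 9a6bbee800 as described in the email): forbid a
        # newline in any value, so no value can masquerade as a second line
        # such as an attacker-chosen "host=" entry.
        if "\n" in key or "\n" in value:
            raise CredentialValueError(f"credential value for {key!r} contains newline")
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n\n"


def parse(blob: str) -> dict:
    """Read credential protocol lines until the terminating blank line.

    Later occurrences of a key overwrite earlier ones, which is exactly why a
    smuggled second "host=" line is dangerous.
    """
    attrs = {}
    for line in blob.split("\n"):
        if line == "":
            break
        key, _, value = line.partition("=")  # values may themselves contain "="
        attrs[key] = value
    return attrs


def roundtrip(attrs: dict) -> dict:
    """Serialize then parse; raises CredentialValueError on a newline."""
    return parse(serialize(attrs))


if __name__ == "__main__":
    print(roundtrip({"protocol": "https", "host": "example.com", "username": "alice"}))
```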