Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Alpine:3.10. See How to fix? for Alpine:3.10 relevant fixed versions and status.

Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. The fix for that bug still left the door open for an exploit where some credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to git clone.

Upgrade Alpine:3.10 expat to version 2.2.7-r1 or higher.

Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Alpine:3.10. See How to fix? for Alpine:3.10 relevant fixed versions and status.

In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read.
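The "blank" pattern behaviour described in the Git entry above can be checked on the helper side. The following is an added example, not code from Git or from any real credential helper: it models a helper's lookup over the key=value credential request format, once with missing fields treated as wildcards and once refusing requests that lack protocol or host. The function names, store layout, hosts and secrets are all constructed for illustration.

```python
# Added example: helper-side matching for git's credential protocol
# (key=value lines on stdin, terminated by a blank line).

def parse_request(text):
    """Parse a credential request into a dict of the attributes git sent."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # a blank line ends the request
        key, sep, value = line.partition("=")
        if sep:
            attrs[key] = value
    return attrs

def _matches(entry, request, keys=("protocol", "host", "username")):
    # An attribute absent from the request constrains nothing.
    return all(k not in request or entry.get(k) == request[k] for k in keys)

def lookup_permissive(store, request):
    """Behaviour the advisory describes: a blank pattern matches any entry."""
    return next((e for e in store if _matches(e, request)), None)

def lookup_strict(store, request):
    """Hardened: refuse to answer unless protocol and host are both non-empty."""
    if not request.get("protocol") or not request.get("host"):
        return None
    return next((e for e in store if _matches(e, request)), None)

# Constructed sample data (hypothetical hosts and secrets).
STORE = [
    {"protocol": "https", "host": "git.example.internal",
     "username": "alice", "password": "s3cret-1"},
    {"protocol": "https", "host": "code.example.org",
     "username": "alice", "password": "s3cret-2"},
]
BLANK_REQUEST = "\n"  # no protocol, no host
NORMAL_REQUEST = "protocol=https\nhost=code.example.org\n\n"

if __name__ == "__main__":
    blank = parse_request(BLANK_REQUEST)
    print("permissive, blank request:", lookup_permissive(STORE, blank))
    print("strict, blank request:    ", lookup_strict(STORE, blank))
    print("strict, normal request:   ",
          lookup_strict(STORE, parse_request(NORMAL_REQUEST)))
```

With the permissive lookup the blank request returns whichever entry happens to be stored first, which matches the advisory's point that some credential leaks but the requester cannot choose which one.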