Team,
The Git project released new security bug-fix versions today, January
14th, 2025: v2.48.1, v2.47.1, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4,
v2.41.3, and v2.40.4.
The addressed issues are:
- CVE-2024-50349:
Printing unsanitized URLs when asking for credentials makes the user
susceptible to crafted URLs (e.g. in recursive clones). These URLs
can mislead the user into typing in passwords for trusted sites that
would then be sent to untrusted sites instead.
A potential scenario of how this can be exploited is a recursive
clone where one of the submodules prompts for a password, pretending
to ask for a different host than the password will be sent to.
- CVE-2024-52006:
Git may pass on Carriage Returns via the credential protocol to
credential helpers which use line-reading functions that interpret
Carriage Returns as line endings, even though this is not what was
intended (but Git’s documentation did not clarify that "newline"
meant "Line Feed character").
This affected the popular .NET-based Git Credential Manager, which
has been updated accordingly in coordination with the Git project.
Ciao,
Johannes
