From: Taylor Blau <ttaylorr at github.com>
Date: Tue, 7 Apr 2020 11:22:01 -0600

Team,

The Git project will release new versions on Tuesday, April 14th, 2020,
at or around 11:00am PDT (6:00pm UTC). Attached is a Git bundle which
you can fetch into a clone of 'https://github.com/git/git' via:

  $ git fetch /path/to/git_cve_2020_5260.bundle 'refs/tags/*:refs/tags/*'

containing the tags for versions v2.26.1, v2.25.3, v2.24.2, v2.23.2,
v2.22.3, v2.21.2, v2.20.3, v2.19.4, v2.18.3, and v2.17.4.

You can verify with `git tag -v <tag>` that the versions were signed by
the Git maintainer, using the same GPG key as v2.26.0.

Please use these tags to prepare `git` packages for your various
distributions, using the appropriate tagged versions.

In the case that you need to backport this fix to earlier versions,
please cherry-pick 9a6bbee800 (credential: avoid writing values with
newlines, 2020-03-11). The additional patches are nice-to-have, but are
not strictly necessary. The test case in 't0300-credentials.sh' can help
verify the cherry-pick's correctness.

The addressed issue is:

 * CVE-2020-5260:
   With a crafted URL that contains a newline in it, the credential
   helper machinery can be fooled to give credential information for a
   wrong host.  The attack has been made impossible by forbidding a
   newline character in any value passed via the credential protocol.

Credit for finding the vulnerability goes to Felix Wilhelm of Google
Project Zero.

Thanks,
Taylor