update to 2.26.2 (CVE-2020-11008)

From the upstream release notes¹:

  With a crafted URL that contains a newline or empty host, or lacks
  a scheme, the credential helper machinery can be fooled into
  providing credential information that is not appropriate for the
  protocol in use and host being contacted.

  Unlike the vulnerability CVE-2020-5260 fixed in v2.17.4, the
  credentials are not for a host of the attacker's choosing; instead,
  they are for some unspecified host (based on how the configured
  credential helper handles an absent "host" parameter).

  The attack has been made impossible by refusing to work with
  under-specified credential patterns.

¹ https://www.kernel.org/pub/software/scm/git/docs/RelNotes/2.17.5.txt

git.spec

@@ -84,7 +84,7 @@
 #global rcrev   .rc0
 
 Name:           git
-Version:        2.26.1
+Version:        2.26.2
 Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -1060,6 +1060,9 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Mon Apr 20 2020 Todd Zullinger <tmz@pobox.com> - 2.26.2-1
+- update to 2.26.2 (CVE-2020-11008)
+
 * Tue Apr 14 2020 Todd Zullinger <tmz@pobox.com> - 2.26.1-1
 - update to 2.26.1 (CVE-2020-5260)
 

sources

@@ -1,2 +1,2 @@
-SHA512 (git-2.26.1.tar.xz) = 1defa0d94e26e474abd47ec8a0c43c05152e10a5aca5f1aee7480ef0db9f5abd03275fefb7c4e0ee816199c87c0b2a13c164c5f7aa5ff36cafdacf27b3573785
-SHA512 (git-2.26.1.tar.sign) = 9bf881b4d5f99ea4aaa9e77e0c753d8cd466cfc15c18f8a2392da6402c349f27c7e6d7c3844d46ec9e329a534029919bbfedb150a24d21bd27f24667726ee6d5
+SHA512 (git-2.26.2.tar.xz) = 5d92d07b171c5cd6e89a29c1211c73c1c900cd51c74d690aebfb4a3d0e93b541b09b42b6d6a1a82f5c3d953096771f9a8605c63be139f559f58698c1a0eabcfc
+SHA512 (git-2.26.2.tar.sign) = c53a607eda0bf83bf3593e8d68b833ef3ee99976434a97def5dcc25f31e79ff3e79f832b61508509d43d3111df106dde80ff6c9f7ada34ae53e7b4da17b06ed7