Developer Briefing — March 17, 2020
Git 2.25.2 and backports addressed CVE-2020-5260 (credential leakage with partial clone over HTTPS) and CVE-2020-5267 (malicious URLs bypassing directory checks), prompting developers to upgrade clients and enforce safe URL handling.
Executive briefing: On , the Git project released version 2.25.2 and security backports to address CVE-2020-5260 and CVE-2020-5267. The issues allowed credential leakage when using partial clone over HTTPS and permitted crafted submodules to bypass directory traversal protections on case-insensitive file systems.
Why it matters: Exploitation can disclose developer credentials or write files outside intended working trees during submodule operations, enabling supply-chain compromise. Client upgrades and tightened URL validation are required to protect CI/CD runners and developer workstations.
- Upgrade clients: Roll out Git 2.25.2+ (or vendor backports) to developer machines and CI images; rebuild containers to pick up patched binaries.
- Restrict clones: Disable partial clone over HTTPS for sensitive repositories until patched and enforce insteadOf URL mappings to trusted endpoints.
- Validate submodules: Audit submodule URLs in manifests and block untrusted repositories; enforce safe.directory settings in CI to mitigate path confusion.
- Credential hygiene: Rotate credentials used by automated jobs that performed partial clones over HTTPS prior to patching.
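Added example, not part of the briefing and not code from the Git project: a POSIX shell script that carries out two of the steps above on a CI runner or workstation, checking the installed Git client against the patched release named in the briefing and auditing a .gitmodules file against an allowlist of trusted hosts. The allowlist, the sample .gitmodules contents and the git.example.internal mirror host are constructed for the example; the url.<base>.insteadOf setting mentioned in the closing comment is a real Git configuration key.

```shell
#!/bin/sh
# Added example, not part of the briefing: check the Git client version and audit
# submodule URLs against a host allowlist. Allowlist, sample .gitmodules and the
# git.example.internal mirror host are constructed/assumed for illustration.

PATCHED_VERSION="2.25.2"                           # first fixed release named in the briefing
ALLOWED_HOSTS="github.com git.example.internal"    # assumed allowlist; adjust per organisation

# version_ge A B: succeed when dotted version A is >= B (numeric, component-wise)
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# git_is_patched "git version X.Y.Z": succeed when the reported version is at least PATCHED_VERSION
git_is_patched() {
    v=$(printf '%s' "$1" | sed -n 's/^\(git version \)\{0,1\}\([0-9][0-9.]*\).*/\2/p')
    v=${v%.}                                       # "2.30.1.windows.1" leaves a trailing dot
    [ -n "$v" ] && version_ge "$v" "$PATCHED_VERSION"
}

# submodule_host URL: print the host part of an https://, ssh:// or scp-style URL;
# prints nothing for relative or local paths
submodule_host() {
    case "$1" in
        *://*) h=${1#*://}; h=${h%%/*}; h=${h##*@}; h=${h%%:*} ;;   # scheme://[user@]host[:port]/path
        *:*)   h=${1%%:*};  h=${h##*@} ;;                           # [user@]host:path
        *)     h="" ;;
    esac
    printf '%s' "$h"
}

# host_allowed HOST: succeed only when HOST is exactly one of ALLOWED_HOSTS
host_allowed() {
    for allowed in $ALLOWED_HOSTS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# audit_gitmodules FILE: print one "UNTRUSTED <name> <url>" line per submodule whose
# host is not allowlisted (relative URLs included, since they need manual review);
# returns 1 if any were found, 0 otherwise
audit_gitmodules() {
    bad=0; name="?"
    while IFS= read -r line || [ -n "$line" ]; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$trimmed" in
            "[submodule "*)
                name=${trimmed#"[submodule \""}; name=${name%"\"]"} ;;
            *=*)
                key=$(printf '%s' "${trimmed%%=*}" | tr -d ' \t')
                [ "$key" = url ] || continue
                url=$(printf '%s' "${trimmed#*=}" | sed 's/^[[:space:]]*//')
                if ! host_allowed "$(submodule_host "$url")"; then
                    printf 'UNTRUSTED %s %s\n' "$name" "$url"
                    bad=1
                fi ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample .gitmodules: two allowlisted hosts, one unknown mirror, one relative URL
SAMPLE_GITMODULES=$(mktemp)
cat > "$SAMPLE_GITMODULES" <<'EOF'
[submodule "vendor/libfoo"]
    path = vendor/libfoo
    url = https://github.com/example-org/libfoo.git
[submodule "vendor/curl"]
    path = vendor/curl
    url = git@git.example.internal:mirrors/curl.git
[submodule "tools/helper"]
    path = tools/helper
    url = https://unreviewed-mirror.example/helper.git
[submodule "docs/theme"]
    path = docs/theme
    url = ../theme
EOF

# Stand-alone run: report the client version and the audit result without exiting non-zero
installed=$(git --version 2>/dev/null || true)
if git_is_patched "$installed"; then
    echo "git client OK: $installed"
else
    echo "git client NOT patched or not found: '${installed:-git not on PATH}' (need >= $PATCHED_VERSION)"
fi
if audit_gitmodules "$SAMPLE_GITMODULES"; then
    echo "submodule audit: all hosts allowlisted"
else
    echo "submodule audit: untrusted submodule URLs listed above"
fi
# To pin clones to a trusted endpoint (the briefing's insteadOf mapping), the Git setting is:
#   git config --global url."https://git.example.internal/".insteadOf "https://github.com/"
```

Run it in a repository checkout, replacing the constructed sample with the real .gitmodules path, and fail the CI job when audit_gitmodules returns non-zero. Relative submodule URLs are deliberately reported rather than trusted, because they resolve against the superproject's remote and so inherit whatever that remote is; the same allowlist should be applied to the superproject URL itself.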