diff --git a/.git.metadata b/.git.metadata
index ccb05e4..6c3341a 100644
--- a/.git.metadata
+++ b/.git.metadata
@@ -1,2 +1,2 @@
-db4ceed18908aafcdc563156d8c1cfd0bb3ae738 SOURCES/git-2.18.2.tar.xz
+49ba48976fcfc622947fb3689381ad46aa996a3e SOURCES/git-2.18.4.tar.xz
 097b8da13939ac9f51f97a5659184c1d96fb0973 SOURCES/gpgkey-junio.asc
diff --git a/.gitignore b/.gitignore
index 3a3eec6..7dfe222 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/git-2.18.2.tar.xz
+SOURCES/git-2.18.4.tar.xz
 SOURCES/gpgkey-junio.asc
diff --git a/SOURCES/git-2.18.2.tar.sign b/SOURCES/git-2.18.2.tar.sign
deleted file mode 100644
index 8abd6c9..0000000
Binary files a/SOURCES/git-2.18.2.tar.sign and /dev/null differ
diff --git a/SOURCES/git-2.18.4.tar.sign b/SOURCES/git-2.18.4.tar.sign
new file mode 100644
index 0000000..603d08e
Binary files /dev/null and b/SOURCES/git-2.18.4.tar.sign differ
diff --git a/SOURCES/git-cve-2020-5260.patch b/SOURCES/git-cve-2020-5260.patch
deleted file mode 100644
index 20d60b7..0000000
--- a/SOURCES/git-cve-2020-5260.patch
+++ /dev/null
@@ -1,201 +0,0 @@
-diff -ur b/credential.c a/credential.c
---- b/credential.c	2020-04-09 09:53:10.568938942 +0200
-+++ a/credential.c	2020-04-09 12:34:56.735418779 +0200
-@@ -195,6 +195,8 @@
- {
- 	if (!value)
- 		return;
-+	if (strchr(value, '\n'))
-+		die("credential value for %s contains newline", key);
- 	fprintf(fp, "%s=%s\n", key, value);
- }
- 
-@@ -321,8 +323,21 @@
- 	FREE_AND_NULL(c->password);
- 	c->approved = 0;
- }
--
--void credential_from_url(struct credential *c, const char *url)
-+static int check_url_component(const char *url, int quiet,
-+				const char *name, const char *value)
-+{
-+	if (!value)
-+		return 0;
-+	if (!strchr(value, '\n'))
-+		return 0;
-+
-+	if (!quiet)
-+		warning(_("url contains a newline in its %s component: %s"),
-+			name, url);
-+    return -1;
-+}
-+int credential_from_url_gently(struct credential *c, const char *url,
-+				int quiet)
- {
- 	const char *at, *colon, *cp, *slash, *host, *proto_end;
- 
-@@ -336,7 +351,7 @@
- 	 */
- 	proto_end = strstr(url, "://");
- 	if (!proto_end)
--		return;
-+		return 0;
- 	cp = proto_end + 3;
- 	at = strchr(cp, '@');
- 	colon = strchr(cp, ':');
-@@ -371,4 +386,21 @@
- 		while (p > c->path && *p == '/')
- 			*p-- = '\0';
- 	}
-+
-+    if (check_url_component(url, quiet, "username", c->username) < 0 ||
-+            check_url_component(url, quiet, "password", c->password) < 0 ||
-+            check_url_component(url, quiet, "protocol", c->protocol) < 0 ||
-+            check_url_component(url, quiet, "host", c->host) < 0 ||
-+            check_url_component(url, quiet, "path", c->path) < 0)
-+        return -1;
-+
-+    return 0;
-+}
-+
-+void credential_from_url(struct credential *c, const char *url)
-+{
-+    if (credential_from_url_gently(c, url, 0) < 0) {
-+        warning(_("skipping credential lookup for url: %s"), url);
-+        credential_clear(c);
-+    }
- }
-diff -ur b/credential.h a/credential.h
---- b/credential.h	2020-04-09 09:53:10.568938942 +0200
-+++ a/credential.h	2020-04-09 10:06:07.467159059 +0200
-@@ -28,7 +28,23 @@
- 
- int credential_read(struct credential *, FILE *);
- void credential_write(const struct credential *, FILE *);
-+
-+/*
-+ * Parse a url into a credential struct, replacing any existing contents.
-+ *
-+ * Ifthe url can't be parsed (e.g., a missing "proto://" component), the
-+ * resulting credential will be empty but we'll still return success from the
-+ * "gently" form.
-+ *
-+ * If we encounter a component which cannot be represented as a credential
-+ * value (e.g., because it contains a newline), the "gently" form will return
-+ * an error but leave the broken state in the credential object for further
-+ * examination.  The non-gentle form will issue a warning to stderr and return
-+ * an empty credential.
-+*/
- void credential_from_url(struct credential *, const char *url);
-+int credential_from_url_gently(struct credential *, const char *url, int quiet);
-+
- int credential_match(const struct credential *have,
- 		     const struct credential *want);
- 
-diff -ur b/fsck.c a/fsck.c
---- b/fsck.c	2020-04-09 09:53:10.569938954 +0200
-+++ a/fsck.c	2020-04-09 12:29:42.713615414 +0200
-@@ -14,6 +14,7 @@
- #include "packfile.h"
- #include "submodule-config.h"
- #include "config.h"
-+#include "credential.h"
- 
- static struct oidset gitmodules_found = OIDSET_INIT;
- static struct oidset gitmodules_done = OIDSET_INIT;
-@@ -945,6 +946,19 @@
- 	return fsck_tag_buffer(tag, data, size, options);
- }
- 
-+static int check_submodule_url(const char *url)
-+{
-+	struct credential c = CREDENTIAL_INIT;
-+	int ret;
-+
-+	if (looks_like_command_line_option(url))
-+		return -1;
-+
-+	ret = credential_from_url_gently(&c, url, 1);
-+	credential_clear(&c);
-+	return ret;
-+}
-+
- struct fsck_gitmodules_data {
- 	struct object *obj;
- 	struct fsck_options *options;
-@@ -969,8 +983,8 @@
- 				    "disallowed submodule name: %s",
- 				    name);
- 	if (!strcmp(key, "url") && value &&
--	    looks_like_command_line_option(value))
--		data->ret |= report(data->options, data->obj,
-+		check_submodule_url(value) < 0)
-+        data->ret |= report(data->options, data->obj,
- 				    FSCK_MSG_GITMODULES_URL,
- 				    "disallowed submodule url: %s",
- 				    value);
-diff -ur b/t/lib-credential.sh a/t/lib-credential.sh
---- b/t/lib-credential.sh	2020-04-09 09:53:10.501938148 +0200
-+++ a/t/lib-credential.sh	2020-04-09 12:28:10.369496961 +0200
-@@ -19,7 +19,7 @@
- 		false
- 	fi &&
- 	test_cmp expect-stdout stdout &&
--	test_cmp expect-stderr stderr
-+	test_i18ncmp expect-stderr stderr
- }
- 
- read_chunk() {
-diff -ur b/t/t0300-credentials.sh a/t/t0300-credentials.sh
---- b/t/t0300-credentials.sh	2020-04-09 09:53:10.506938208 +0200
-+++ a/t/t0300-credentials.sh	2020-04-09 12:26:42.660434645 +0200
-@@ -309,4 +309,18 @@
- 	EOF
- '
- 
-+test_expect_success 'url parser ignores embedded newlines' '
-+	check fill <<-EOF
-+	url=https://one.example.com?%0ahost=two.example.com/
-+	--
-+	username=askpass-username
-+	password=askpass-password
-+	--
-+	warning: url contains a newline in its host component: https://one.example.com?%0ahost=two.example.com/
-+	warning: skipping credential lookup for url: https://one.example.com?%0ahost=two.example.com/
-+	askpass: Username:
-+	askpass: Password:
-+	EOF
-+'
-+
- test_done
-diff -ur b/t/t7416-submodule-dash-url.sh a/t/t7416-submodule-dash-url.sh
---- b/t/t7416-submodule-dash-url.sh	2020-04-09 09:53:10.528938468 +0200
-+++ a/t/t7416-submodule-dash-url.sh	2020-04-09 12:27:15.594833539 +0200
-@@ -1,6 +1,6 @@
- #!/bin/sh
- 
--test_description='check handling of .gitmodule url with dash'
-+test_description='check handling of disallowed .gitmodule urls'
- . ./test-lib.sh
- 
- test_expect_success 'create submodule with protected dash in url' '
-@@ -60,4 +60,19 @@
- 	test_i18ngrep ! "unknown option" err
- '
- 
-+test_expect_success 'fsck rejects embedded newline in url' '
-+	git checkout --orphan newline &&
-+	cat >.gitmodules <<-\EOF &&
-+	[submodule "foo"]
-+	url = "https://one.example.com?%0ahost=two.example.com/foo.git"
-+	EOF
-+	git add .gitmodules &&
-+	git commit -m "gitmodules with newline" &&
-+	test_when_finished "rm -rf dst" &&
-+	git init --bare dst &&
-+	git -C dst config transfer.fsckObjects true &&
-+	test_must_fail git push dst HEAD 2>err &&
-+	grep gitmodulesUrl err
-+'
-+
- test_done
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 032cc89..361db6c 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -102,7 +102,7 @@
 #global rcrev   .rc0
 
 Name:           %{?scl_prefix}git
-Version:        2.18.2
+Version:        2.18.4
 Release:        2%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
@@ -150,9 +150,6 @@ Patch5:         0001-config-document-value-2-for-protocol.version.patch
 Patch7:         0001-run-command-mark-path-lookup-errors-with-ENOENT.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1619113
 Patch8:         git-2.18.1-core-crypto-hmac.patch
-# CVE-2020-5260
-# https://bugzilla.redhat.com/show_bug.cgi?id=1822020
-Patch9:         git-cve-2020-5260.patch
 
 %if %{with docs}
 BuildRequires:  asciidoc >= 8.4.1
@@ -964,6 +961,10 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/git-instaweb.html}
 
 %changelog
+* Wed Apr 22 2020 Ondrej Pohorelsky <opohorel@redhat.com> - 2.18.4-2
+- Update to release 2.18.4
+- Resolves: CVE-2020-11008
+
 * Thu Apr 9 2020 Ondrej Pohorelsky <opohorel@redhat.com> - 2.18.2-2
 - Crafted URL containing new lines can cause credential leak  
 - Resolves: CVE-2020-5260
@@ -972,7 +973,7 @@ make test || ./print-failed-test-output
 - Update to release 2.18.2
 - Remote code execution in recursive clones with nested submodules
   Resolves: CVE-2019-1387
-- Fixes CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,
+- Fixes CVE-2019-1348, CVE-2019-1349, CVE-2019-1350, CVE-2019-1351,	
   CVE-2019-1352, CVE-2019-1353, CVE-2019-1354
 
 * Tue Jun 11 2019 Marcel Plch <mplch@redhat.com> - 2.18.1-4