[ANNOUNCE] Git for Windows 2.50.1

Dear Git users,

I hereby announce that Git for Windows 2.50.1 is available from:

    https://gitforwindows.org/

Changes since Git for Windows v2.50.0(2) (July 1st 2025):

This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

  * Comes with Git v2.50.1.

Bug Fixes

  * CVE-2025-27613, Gitk: When a user clones an untrusted repository
    and runs Gitk without additional command arguments, any writable
    file can be created and truncated. The option "Support per-file
    encoding" must have been enabled. The operation "Show origin of
    this line" is affected as well, regardless of the option being
    enabled or not.
  * CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
    that a user who has cloned the repository can be tricked into
    running any script supplied by the attacker by invoking gitk
    filename, where filename has a particular structure.
  * CVE-2025-46334, Git GUI (Windows only): A malicious repository can
    ship versions of sh.exe or typical textconv filter programs such as
    astextplain. On Windows, path lookup can find such executables in
    the worktree. These programs are invoked when the user selects "Git
    Bash" or "Browse Files" from the menu.
  * CVE-2025-46835, Git GUI: When a user clones an untrusted repository
    and is tricked into editing a file located in a maliciously named
    directory in the repository, then Git GUI can create and overwrite
    any writable file.
  * CVE-2025-48384, Git: When reading a config value, Git strips any
    trailing carriage return and line feed (CRLF). When writing a
    config entry, values with a trailing CR are not quoted, causing the
    CR to be lost when the config is later read. When initializing a
    submodule, if the submodule path contains a trailing CR, the
    altered path is read resulting in the submodule being checked out
    to an incorrect location. If a symlink exists that points the
    altered path to the submodule hooks directory, and the submodule
    contains an executable post-checkout hook, the script may be
    unintentionally executed after checkout.
  * CVE-2025-48385, Git: When cloning a repository Git knows to
    optionally fetch a bundle advertised by the remote server, which
    allows the server-side to offload parts of the clone to a CDN. The
    Git client does not perform sufficient validation of the advertised
    bundles, which allows the remote side to perform protocol
    injection. This protocol injection can cause the client to write
    the fetched bundle to a location controlled by the adversary. The
    fetched content is fully controlled by the server, which can in the
    worst case lead to arbitrary code execution.
  * CVE-2025-48386, Git: The wincred credential helper uses a static
    buffer (target) as a unique key for storing and comparing against
    internal storage. This credential helper does not properly bounds
    check the available space remaining in the buffer before appending
    to it with wcsncat(), leading to potential buffer overflows.

Note: As a courtesy, this release includes a last, unplanned, "after
warranty" 32-bit installer.

Ciao,
Johannes
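
Added example, not part of the announcement and not Git's code: a simplified Python model of the read/write asymmetry described above for CVE-2025-48384, showing that a value with a trailing CR changes across a write followed by a read unless the writer quotes it. The one-line `key = value` format, the key names and the sample values are assumptions made for illustration.

```python
# Simplified model of the read/write asymmetry described for CVE-2025-48384.
# Assumption: one "key = value" line, double quotes as the only quoting rule.
# This is not Git's config parser.

def write_entry(key: bytes, value: bytes, quote_trailing_cr: bool) -> bytes:
    """Serialize one entry; quote only when the writer thinks it must."""
    needs_quotes = value.startswith(b" ") or value.endswith(b" ")
    if quote_trailing_cr and value.endswith(b"\r"):
        needs_quotes = True  # corrected behaviour: a trailing CR forces quoting
    body = b'"' + value + b'"' if needs_quotes else value
    return key + b" = " + body + b"\n"


def read_entry(line: bytes) -> tuple[bytes, bytes]:
    """Parse one entry; the line ending (CR and LF) is stripped first."""
    key, _, raw = line.partition(b" = ")
    raw = raw.rstrip(b"\r\n")
    if len(raw) >= 2 and raw.startswith(b'"') and raw.endswith(b'"'):
        raw = raw[1:-1]  # quoted: inner bytes, including a CR, survive
    return key, raw


def lost_on_round_trip(entries, quote_trailing_cr: bool):
    """Return the keys whose value changes after write followed by read."""
    changed = []
    for key, value in entries:
        _, back = read_entry(write_entry(key, value, quote_trailing_cr))
        if back != value:
            changed.append(key)
    return changed


# Constructed sample values (hypothetical key names, not from a real repository).
SAMPLE = [
    (b"path.plain", b"vendor/lib"),
    (b"path.trailing-cr", b"vendor/lib\r"),
    (b"path.trailing-space", b"vendor/lib "),
]

if __name__ == "__main__":
    print("unquoted CR writer:", lost_on_round_trip(SAMPLE, quote_trailing_cr=False))
    print("quoting CR writer: ", lost_on_round_trip(SAMPLE, quote_trailing_cr=True))
```

The same comparison (value written versus value read back) works as a regression test for any config serializer that strips line endings on read.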



