From: Adam Dinwoodie <>
Subject: Security vulnerability in Git for Cygwin
Date: Sat, 24 Apr 2021 21:28:23 +0100

Hi folks,

Version 2.31.1-2 of Git has been uploaded and should be coming soon to
a mirror near you.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary

This vulnerability is present on all Cygwin Git versions prior to
v2.31.1-2. Until you have that release, the best mitigation is to not
clone or check out from any untrusted Git repositories.

There is a small amount of additional information in the GitHub
Security Advisory at

If you compile Git on Cygwin yourself, there is currently no upstream
patch that addresses the vulnerability. Until there is, I would
recommend applying the preliminary patch at

I'd like to thank RyotaK ( / for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the

Kind regards,

