* Security vulnerability in Git for Cygwin
@ 2021-04-24 20:28 Adam Dinwoodie
From: Adam Dinwoodie @ 2021-04-24 20:28 UTC
  To: cygwin-announce

Hi folks,

Version 2.31.1-2 of Git has been uploaded and should be coming soon to
a mirror near you.

This update addresses CVE-2021-29468, which would cause Git to
overwrite arbitrary files with attacker-controlled contents when
checking out content from a malicious repository, and in particular
would allow an attacker to overwrite Git hooks to execute arbitrary

This vulnerability is present on all Cygwin Git versions prior to
v2.31.1-2. Until you have that release, the best mitigation is to not
clone or check out from any untrusted Git repositories.

There is a small amount of additional information in the GitHub
Security Advisory at

If you compile Git on Cygwin yourself, there is currently no upstream
patch that addresses the vulnerability. Until there is, I would
recommend applying the preliminary patch at

I'd like to thank RyotaK for finding and responsibly disclosing
this vulnerability, and Johannes Schindelin for helping manage the

Kind regards,

