public inbox for
 help / color / mirror / Atom feed
From: Adam Dinwoodie <>
Subject: [ANNOUNCEMENT] Security update: Git v2.38.1
Date: Wed, 19 Oct 2022 12:58:38 +0100	[thread overview]
Message-ID: <> (raw)

Version 2.38.1-1 of Git has been uploaded to the Cygwin distribution
servers, and should be coming soon to a mirror near you.

Git is a free and open source distributed version control system
designed to handle everything from small to very large projects with
speed and efficiency.

This is an update to the latest upstream release, and includes the
following packages:

- git
- git-cvs
- git-debuginfo
- git-email
- git-gui
- gitk
- git-p4
- git-svn

Selected extracts from the changelog:

> This release addresses the security issues CVE-2022-39253 and
> CVE-2022-39260.
>  * CVE-2022-39253:
>    When relying on the `--local` clone optimization, Git dereferences
>    symbolic links in the source repository before creating hardlinks
>    (or copies) of the dereferenced link in the destination repository.
>    This can lead to surprising behavior where arbitrary files are
>    present in a repository's `$GIT_DIR` when cloning from a malicious
>    repository.
>    Git will no longer dereference symbolic links via the `--local`
>    clone mechanism, and will instead refuse to clone repositories that
>    have symbolic links present in the `$GIT_DIR/objects` directory.
>    Additionally, the value of `protocol.file.allow` is changed to be
>    "user" by default.
>  * CVE-2022-39260:
>    An overly-long command string given to `git shell` can result in
>    overflow in `split_cmdline()`, leading to arbitrary heap writes and
>    remote code execution when `git shell` is exposed and the directory
>    `$HOME/git-shell-commands` exists.
>    `git shell` is taught to refuse interactive commands that are
>    longer than 4MiB in size. `split_cmdline()` is hardened to reject
>    inputs larger than 2GiB.

For a full list of the upstream changes in this release, please refer to
the upstream changelogs:



                 reply	other threads:[~2022-10-19 11:59 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).