Git Mailing List Archive mirror
 help / color / mirror / Atom feed
From: Johannes Schindelin <>
Subject: [ANNOUNCE] Git for Windows 2.45.1 (security bug-fix release)
Date: Tue, 14 May 2024 19:17:40 +0200 (CEST)	[thread overview]
Message-ID: <> (raw)

Dear Git users,

I hereby announce that Git for Windows 2.45.1 is available from:

Changes since Git for Windows v2.45.0 (April 29th 2024):

Git for Windows for Windows v2.45 is the last version to support for
Windows 7 and for Windows 8, see MSYS2's corresponding deprecation
announcement (Git for Windows relies on MSYS2 for components such as
Bash and Perl).

Please also note that the 32-bit variant of Git for Windows is
deprecated; Its last official release is planned for 2025.

Note: the defense-in-depth protection in this update causes a regression
when cloning repositories enabled with Git LFS. The clone will fail with
an error message. The remedy is to call `git lfs pull` in the fresh clone.

New Features

  * Comes with Git v2.45.1.

Bug Fixes

  * CVE-2024-32002: Recursive clones on case-insensitive filesystems
    that support symbolic links are susceptible to case confusion that
    can be exploited to execute just-cloned code during the clone
  * CVE-2024-32004: Repositories can be configured to execute arbitrary
    code during local clones. To address this, the ownership checks
    introduced in v2.30.3 are now extended to cover cloning local
  * CVE-2024-32020: Local clones may end up hardlinking files into the
    target repository's object database when source and target
    repository reside on the same disk. If the source repository is
    owned by a different user, then those hardlinked files may be
    rewritten at any point in time by the untrusted user.
  * CVE-2024-32021: When cloning a local source repository that
    contains symlinks via the filesystem, Git may create hardlinks to
    arbitrary user-readable files on the same filesystem as the target
    repository in the objects/ directory.
  * CVE-2024-32465: It is supposed to be safe to clone untrusted
    repositories, even those unpacked from zip archives or tarballs
    originating from untrusted sources, but Git can be tricked to run
    arbitrary code as part of the clone.
  * Defense-in-depth: submodule: require the submodule path to contain
    directories only.
  * Defense-in-depth: clone: when symbolic links collide with
    directories, keep the latter.
  * Defense-in-depth: clone: prevent hooks from running during a clone.
  * Defense-in-depth: core.hooksPath: add some protection while
  * Defense-in-depth: fsck: warn about symlink pointing inside a
  * Various fix-ups on HTTP tests.
  * HTTP Header redaction code has been adjusted for a newer version of
    cURL library that shows its traces differently from earlier
  * Fix was added to work around a regression in libcURL 8.7.0 (which
    has already been fixed in their tip of the tree).
  * Replace macos-12 used at GitHub CI with macos-13.
  * ci(linux-asan/linux-ubsan): let's save some time
  * Tests with LSan from time to time seem to emit harmless message
    that makes our tests unnecessarily flakey; we work it around by
    filtering the uninteresting output.
  * Update GitHub Actions jobs to avoid warnings against using
    deprecated version of Node.js.

Git-2.45.1-64-bit.exe | 1b2b58fb516495feb70353aa91da230be0a2b4aa01acc3bc047ee1fe4846bc4e
Git-2.45.1-32-bit.exe | f46c2f013b6767fc5da15783643d7243f037cbdf6e0b2779ad157ab0741318ca
PortableGit-2.45.1-64-bit.7z.exe | f4be1f923e9cc1ee0cb09e99f0e90cf254b530bb622d12064361563307e2f505
PortableGit-2.45.1-32-bit.7z.exe | 43d0f03af3d5a12a60cab82a02f386896ed2d61af93496fa8110f2dac83ebee1 | f7ba0e2acdc603cf8893b446f6871c869b7644b88a1116b00d6b30fb30f18c74 | 9c1089f13f5873190ac9473375126ba697df6773188f01ca2d6a0cf920c44287 | b9151e9ff31d4cbf0b45c5dad1d45e115c3942bdf3822cf0729efe54d42d909f | 44c61ff4706c8db83009670bd6a67036f6ea5e0dc3c901bc1d37d7649879ece4
Git-2.45.1-64-bit.tar.bz2 | 3314914e47c080e80ddcbc543e374890bdfe4d60e9cd7d0faa996d3d0a174a05
Git-2.45.1-32-bit.tar.bz2 | e5d04b0228fda44f50f9d52730b72c2ad5773faebe12b54b009e3952f5b19f2b


                 reply	other threads:[~2024-05-14 17:17 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).