diff options
| author | Junio C Hamano <gitster@pobox.com> | 2025-06-15 21:52:28 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2025-06-15 21:54:23 -0700 |
| commit | e1775c06465436437f2db0d3b6f59a61cfde0f2d (patch) | |
| tree | ee5fb0758ceb486902d80df4edb6d63ee5f3e53e /Documentation/RelNotes | |
| parent | 16bd9f20a403117f2e0d9bcda6c6e621d3763e77 (diff) | |
| parent | aadf8ae518afd80b73d49eff8aff475161aa5157 (diff) | |
Sync with 2.49.1
Diffstat (limited to 'Documentation/RelNotes')
| -rw-r--r-- | Documentation/RelNotes/2.43.7.adoc | 73 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.44.4.adoc | 7 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.45.4.adoc | 7 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.46.4.adoc | 7 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.47.3.adoc | 8 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.48.2.adoc | 8 | ||||
| -rw-r--r-- | Documentation/RelNotes/2.49.1.adoc | 12 |
7 files changed, 122 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.43.7.adoc b/Documentation/RelNotes/2.43.7.adoc new file mode 100644 index 0000000000..95702a036e --- /dev/null +++ b/Documentation/RelNotes/2.43.7.adoc @@ -0,0 +1,73 @@ +Git v2.43.7 Release Notes +========================= + +This release includes fixes for CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. + +Fixes since v2.43.6 +------------------- + + * CVE-2025-27613, Gitk: + + When a user clones an untrusted repository and runs Gitk without + additional command arguments, any writable file can be created and + truncated. The option "Support per-file encoding" must have been + enabled. The operation "Show origin of this line" is affected as + well, regardless of the option being enabled or not. + + * CVE-2025-27614, Gitk: + + A Git repository can be crafted in such a way that a user who has + cloned the repository can be tricked into running any script + supplied by the attacker by invoking `gitk filename`, where + `filename` has a particular structure. + + * CVE-2025-46334, Git GUI (Windows only): + + A malicious repository can ship versions of sh.exe or typical + textconv filter programs such as astextplain. On Windows, path + lookup can find such executables in the worktree. These programs + are invoked when the user selects "Git Bash" or "Browse Files" from + the menu. + + * CVE-2025-46835, Git GUI: + + When a user clones an untrusted repository and is tricked into + editing a file located in a maliciously named directory in the + repository, then Git GUI can create and overwrite any writable + file. + + * CVE-2025-48384, Git: + + When reading a config value, Git strips any trailing carriage + return and line feed (CRLF). When writing a config entry, values + with a trailing CR are not quoted, causing the CR to be lost when + the config is later read. When initializing a submodule, if the + submodule path contains a trailing CR, the altered path is read + resulting in the submodule being checked out to an incorrect + location. If a symlink exists that points the altered path to the + submodule hooks directory, and the submodule contains an executable + post-checkout hook, the script may be unintentionally executed + after checkout. + + * CVE-2025-48385, Git: + + When cloning a repository Git knows to optionally fetch a bundle + advertised by the remote server, which allows the server-side to + offload parts of the clone to a CDN. The Git client does not + perform sufficient validation of the advertised bundles, which + allows the remote side to perform protocol injection. + + This protocol injection can cause the client to write the fetched + bundle to a location controlled by the adversary. The fetched + content is fully controlled by the server, which can in the worst + case lead to arbitrary code execution. + + * CVE-2025-48386, Git: + + The wincred credential helper uses a static buffer (`target`) as a + unique key for storing and comparing against internal storage. This + credential helper does not properly bounds check the available + space remaining in the buffer before appending to it with + `wcsncat()`, leading to potential buffer overflows. diff --git a/Documentation/RelNotes/2.44.4.adoc b/Documentation/RelNotes/2.44.4.adoc new file mode 100644 index 0000000000..8db4d5b537 --- /dev/null +++ b/Documentation/RelNotes/2.44.4.adoc @@ -0,0 +1,7 @@ +Git v2.44.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7 to address +the following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, +CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. +See the release notes for v2.43.7 for details. diff --git a/Documentation/RelNotes/2.45.4.adoc b/Documentation/RelNotes/2.45.4.adoc new file mode 100644 index 0000000000..5b50d8daf0 --- /dev/null +++ b/Documentation/RelNotes/2.45.4.adoc @@ -0,0 +1,7 @@ +Git v2.45.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, and v2.44.4 +to address the following CVEs: CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. See the release notes for v2.43.7 for details. diff --git a/Documentation/RelNotes/2.46.4.adoc b/Documentation/RelNotes/2.46.4.adoc new file mode 100644 index 0000000000..622f4c752f --- /dev/null +++ b/Documentation/RelNotes/2.46.4.adoc @@ -0,0 +1,7 @@ +Git v2.46.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, and +v2.45.4 to address the following CVEs: CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. See the release notes for v2.43.7 for details. diff --git a/Documentation/RelNotes/2.47.3.adoc b/Documentation/RelNotes/2.47.3.adoc new file mode 100644 index 0000000000..bc2a2b833b --- /dev/null +++ b/Documentation/RelNotes/2.47.3.adoc @@ -0,0 +1,8 @@ +Git v2.47.3 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, +v2.45.4, and v2.46.4 to address the following CVEs: CVE-2025-27613, +CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, +CVE-2025-48385, and CVE-2025-48386. See the release notes for v2.43.7 +for details. diff --git a/Documentation/RelNotes/2.48.2.adoc b/Documentation/RelNotes/2.48.2.adoc new file mode 100644 index 0000000000..f3f2f90c2b --- /dev/null +++ b/Documentation/RelNotes/2.48.2.adoc @@ -0,0 +1,8 @@ +Git v2.48.2 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, +v2.45.4, v2.46.4, and v2.47.3 to address the following CVEs: +CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, +CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release +notes for v2.43.7 for details. diff --git a/Documentation/RelNotes/2.49.1.adoc b/Documentation/RelNotes/2.49.1.adoc new file mode 100644 index 0000000000..c619e8b495 --- /dev/null +++ b/Documentation/RelNotes/2.49.1.adoc @@ -0,0 +1,12 @@ +Git v2.49.1 Release Notes +========================= + +This release merges up the fixes that appear in v2.43.7, v2.44.4, +v2.45.4, v2.46.4, v2.47.3, and v2.48.2 to address the following CVEs: +CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, +CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release +notes for v2.43.7 for details. + +It also contains some updates to various CI bits to work around +and/or to adjust to the deprecation of use of Ubuntu 20.04 GitHub +Actions CI, updates to to Fedora base image. |