From 7a1903ad46b5cc7524c0734a5034dccaec07209b Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 14:42:12 -0400 Subject: Git 2.43.7 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.43.7.txt | 73 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 Documentation/RelNotes/2.43.7.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.43.7.txt b/Documentation/RelNotes/2.43.7.txt new file mode 100644 index 0000000000..95702a036e --- /dev/null +++ b/Documentation/RelNotes/2.43.7.txt 
@@ -0,0 +1,73 @@ +Git v2.43.7 Release Notes +========================= + +This release includes fixes for CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. + +Fixes since v2.43.6 +------------------- + + * CVE-2025-27613, Gitk: + + When a user clones an untrusted repository and runs Gitk without + additional command arguments, any writable file can be created and + truncated. The option "Support per-file encoding" must have been + enabled. The operation "Show origin of this line" is affected as + well, regardless of the option being enabled or not. + + * CVE-2025-27614, Gitk: + + A Git repository can be crafted in such a way that a user who has + cloned the repository can be tricked into running any script + supplied by the attacker by invoking `gitk filename`, where + `filename` has a particular structure. + + * CVE-2025-46334, Git GUI (Windows only): + + A malicious repository can ship versions of sh.exe or typical + textconv filter programs such as astextplain. On Windows, path + lookup can find such executables in the worktree. These programs + are invoked when the user selects "Git Bash" or "Browse Files" from + the menu. + + * CVE-2025-46835, Git GUI: + + When a user clones an untrusted repository and is tricked into + editing a file located in a maliciously named directory in the + repository, then Git GUI can create and overwrite any writable + file. + + * CVE-2025-48384, Git: + + When reading a config value, Git strips any trailing carriage + return and line feed (CRLF). When writing a config entry, values + with a trailing CR are not quoted, causing the CR to be lost when + the config is later read. When initializing a submodule, if the + submodule path contains a trailing CR, the altered path is read + resulting in the submodule being checked out to an incorrect + location. 
If a symlink exists that points the altered path to the + submodule hooks directory, and the submodule contains an executable + post-checkout hook, the script may be unintentionally executed + after checkout. + + * CVE-2025-48385, Git: + + When cloning a repository Git knows to optionally fetch a bundle + advertised by the remote server, which allows the server-side to + offload parts of the clone to a CDN. The Git client does not + perform sufficient validation of the advertised bundles, which + allows the remote side to perform protocol injection. + + This protocol injection can cause the client to write the fetched + bundle to a location controlled by the adversary. The fetched + content is fully controlled by the server, which can in the worst + case lead to arbitrary code execution. + + * CVE-2025-48386, Git: + + The wincred credential helper uses a static buffer (`target`) as a + unique key for storing and comparing against internal storage. This + credential helper does not properly bounds check the available + space remaining in the buffer before appending to it with + `wcsncat()`, leading to potential buffer overflows. -- cgit v1.3 From 080b728d4b2bbdd2c0b9eb9ed6a41195f8303088 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 14:51:12 -0400 Subject: Git 2.44.4 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.44.4.txt | 7 +++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.44.4.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.44.4.txt b/Documentation/RelNotes/2.44.4.txt new file mode 100644 index 0000000000..8db4d5b537 --- /dev/null +++ b/Documentation/RelNotes/2.44.4.txt 
@@ -0,0 +1,7 @@ +Git v2.44.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7 to address +the following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, +CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. +See the release notes for v2.43.7 for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 33476e262d..8a9fdd06d7 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.44.3 +DEF_VER=v2.44.4 LF=' ' diff --git a/RelNotes b/RelNotes index 509eba5f1a..4437ce1347 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.44.3.txt \ No newline at end of file +Documentation/RelNotes/2.44.4.txt \ No newline at end of file -- cgit v1.3 From f94b90ad6e49cc7f15c4171c5a434aa459e82d2d Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 14:54:04 -0400 Subject: Git 2.45.4 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.45.4.txt | 7 +++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.45.4.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.45.4.txt b/Documentation/RelNotes/2.45.4.txt new file mode 100644 index 0000000000..5b50d8daf0 --- /dev/null +++ b/Documentation/RelNotes/2.45.4.txt @@ -0,0 +1,7 @@ +Git v2.45.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, and v2.44.4 +to address the following CVEs: CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. See the release notes for v2.43.7 for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index f7c5d8f070..277d3715fb 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.45.3 +DEF_VER=v2.45.4 LF=' ' 
diff --git a/RelNotes b/RelNotes index 36d6ed4435..d915c8e057 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.45.3.txt \ No newline at end of file +Documentation/RelNotes/2.45.4.txt \ No newline at end of file -- cgit v1.3 From 47d3b506d48b7971080f09770f5b06b42569c967 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 14:58:48 -0400 Subject: Git 2.46.4 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.46.4.txt | 7 +++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 9 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.46.4.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.46.4.txt b/Documentation/RelNotes/2.46.4.txt new file mode 100644 index 0000000000..622f4c752f --- /dev/null +++ b/Documentation/RelNotes/2.46.4.txt @@ -0,0 +1,7 @@ +Git v2.46.4 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, and +v2.45.4 to address the following CVEs: CVE-2025-27613, CVE-2025-27614, +CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and +CVE-2025-48386. See the release notes for v2.43.7 for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 7cde816ede..0c7a842fc5 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.46.3 +DEF_VER=v2.46.4 LF=' ' diff --git a/RelNotes b/RelNotes index 686ec8709b..1cdc9ff7d0 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.46.3.txt \ No newline at end of file +Documentation/RelNotes/2.46.4.txt \ No newline at end of file -- cgit v1.3 From a52a24e03c8c711f1d5e252fba78f9276908129b Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 15:16:03 -0400 Subject: Git 2.47.3 
Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.47.3.txt | 8 ++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.47.3.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.47.3.txt b/Documentation/RelNotes/2.47.3.txt new file mode 100644 index 0000000000..bc2a2b833b --- /dev/null +++ b/Documentation/RelNotes/2.47.3.txt @@ -0,0 +1,8 @@ +Git v2.47.3 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, +v2.45.4, and v2.46.4 to address the following CVEs: CVE-2025-27613, +CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, +CVE-2025-48385, and CVE-2025-48386. See the release notes for v2.43.7 +for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 5fcb9ded7f..5382ff4f89 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,7 +1,7 @@ #!/bin/sh GVF=GIT-VERSION-FILE -DEF_VER=v2.47.1 +DEF_VER=v2.47.3 LF=' ' diff --git a/RelNotes b/RelNotes index 768c16d81b..cc01df8574 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.47.1.txt \ No newline at end of file +Documentation/RelNotes/2.47.3.txt \ No newline at end of file -- cgit v1.3 From fbae1f06cbb04a6592c32f465e9bc28149039358 Mon Sep 17 00:00:00 2001 From: Taylor Blau Date: Wed, 28 May 2025 15:18:19 -0400 Subject: Git 2.48.2 Signed-off-by: Taylor Blau --- Documentation/RelNotes/2.48.2.txt | 8 ++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 10 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.48.2.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.48.2.txt b/Documentation/RelNotes/2.48.2.txt new file mode 100644 index 0000000000..f3f2f90c2b --- /dev/null +++ b/Documentation/RelNotes/2.48.2.txt 
@@ -0,0 +1,8 @@ +Git v2.48.2 Release Notes +========================= + +This release merges up the fixes that appears in v2.43.7, v2.44.4, +v2.45.4, v2.46.4, and v2.47.3 to address the following CVEs: +CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, +CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release +notes for v2.43.7 for details. diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 570cc11622..df11f29d8d 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,6 +1,6 @@ #!/bin/sh -DEF_VER=v2.48.1 +DEF_VER=v2.48.2 LF=' ' diff --git a/RelNotes b/RelNotes index f28189867b..87db0ec215 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.48.1.txt \ No newline at end of file +Documentation/RelNotes/2.48.2.txt \ No newline at end of file -- cgit v1.3 From aadf8ae518afd80b73d49eff8aff475161aa5157 Mon Sep 17 00:00:00 2001 From: Junio C Hamano Date: Fri, 13 Jun 2025 07:51:58 -0700 Subject: Git 2.49.1 Signed-off-by: Junio C Hamano --- Documentation/RelNotes/2.49.1.txt | 12 ++++++++++++ GIT-VERSION-GEN | 2 +- RelNotes | 2 +- 3 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 Documentation/RelNotes/2.49.1.txt (limited to 'Documentation/RelNotes') diff --git a/Documentation/RelNotes/2.49.1.txt b/Documentation/RelNotes/2.49.1.txt new file mode 100644 index 0000000000..c619e8b495 --- /dev/null +++ b/Documentation/RelNotes/2.49.1.txt @@ -0,0 +1,12 @@ +Git v2.49.1 Release Notes +========================= + +This release merges up the fixes that appear in v2.43.7, v2.44.4, +v2.45.4, v2.46.4, v2.47.3, and v2.48.2 to address the following CVEs: +CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, +CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release +notes for v2.43.7 for details. + +It also contains some updates to various CI bits to work around +and/or to adjust to the deprecation of use of Ubuntu 20.04 GitHub +Actions CI, updates to to Fedora base image. 
diff --git a/GIT-VERSION-GEN b/GIT-VERSION-GEN index 3abfe7d3d7..4b2c88140e 100755 --- a/GIT-VERSION-GEN +++ b/GIT-VERSION-GEN @@ -1,6 +1,6 @@ #!/bin/sh -DEF_VER=v2.49.0 +DEF_VER=v2.49.1 LF=' ' diff --git a/RelNotes b/RelNotes index ac72bdf04d..e8a7222a34 120000 --- a/RelNotes +++ b/RelNotes @@ -1 +1 @@ -Documentation/RelNotes/2.49.0.adoc \ No newline at end of file +Documentation/RelNotes/2.49.1.txt \ No newline at end of file -- cgit v1.3
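Review bot: The Git 2.43.7 commit at the top of this series shows "1 file changed" and only creates Documentation/RelNotes/2.43.7.txt, whereas every later release commit here also bumps DEF_VER in GIT-VERSION-GEN and repoints the RelNotes symlink. Unless that is an artifact of the path-limited view, DEF_VER and RelNotes on this branch would still name the previous release; please confirm both are updated for v2.43.7, or note in the commit message why they are not part of this commit.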
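Review bot: Subject-verb agreement is off in the opening sentence of the new 2.44.4, 2.45.4, 2.46.4, 2.47.3 and 2.48.2 release notes: "This release merges up the fixes that appears in" should read "fixes that appear in", which is how the 2.49.1 notes already word it. In 2.45.4.txt the comma in "v2.43.7, and v2.44.4" is also unnecessary for a two-item list.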
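Review bot: The version number skips a step in the Git 2.47.3 patch: the GIT-VERSION-GEN hunk goes from "DEF_VER=v2.47.1" straight to "DEF_VER=v2.47.3", and the RelNotes hunk moves from 2.47.1.txt to 2.47.3.txt, while every other commit in the series increments by one. Nothing in 2.47.3.txt or the commit message accounts for 2.47.2, so a sentence saying where that release came from, or why the number is skipped on this branch, would save readers from wondering whether a set of release notes is missing.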
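Review bot: The file extension changes in the RelNotes hunk of the Git 2.49.1 patch: the symlink moves from Documentation/RelNotes/2.49.0.adoc to Documentation/RelNotes/2.49.1.txt, and the new notes are created as 2.49.1.txt. If release notes on this branch are now kept as .adoc, the new file should be 2.49.1.adoc so that anything globbing for the branch's notes finds it. Separately, the last paragraph of 2.49.1.txt has a doubled word in "updates to to Fedora base image" and appears to be missing a conjunction before "updates".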