Tags: git-for-windows/git
Tags
Git for Windows v2.50.1
Changes since Git for Windows v2.50.0(2) (July 1st 2025):
This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
* Comes with Git v2.50.1.
Bug Fixes
* CVE-2025-27613, Gitk: When a user clones an untrusted repository
and runs Gitk without additional command arguments, any writable
file can be created and truncated. The option "Support per-file
encoding" must have been enabled. The operation "Show origin of
this line" is affected as well, regardless of the option being
enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
that a user who has cloned the repository can be tricked into
running any script supplied by the attacker by invoking gitk
filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as
astextplain. On Windows, path lookup can find such executables in
the worktree. These programs are invoked when the user selects "Git
Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository
and is tricked into editing a file located in a maliciously named
directory in the repository, then Git GUI can create and overwrite
any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any
trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the
CR to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out
to an incorrect location. If a symlink exists that points the
altered path to the submodule hooks directory, and the submodule
contains an executable post-checkout hook, the script may be
unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to
optionally fetch a bundle advertised by the remote server, which
allows the server-side to offload parts of the clone to a CDN. The
Git client does not perform sufficient validation of the advertised
bundles, which allows the remote side to perform protocol
injection. This protocol injection can cause the client to write
the fetched bundle to a location controlled by the adversary. The
fetched content is fully controlled by the server, which can in the
worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static
buffer (target) as a unique key for storing and comparing against
internal storage. This credential helper does not properly bounds
check the available space remaining in the buffer before appending
to it with wcsncat(), leading to potential buffer overflows.
Git for Windows v2.50.0(2)
Changes since Git for Windows v2.50.0 (June 16th 2025)
New Features
* Comes with Git LFS v3.7.0.
Bug Fixes
* Cloning large repositories via SSH frequently hung with Git for
Windows v2.50.0, which was fixed.
* In Git for Windows v2.50.0, operations using the POSIX emulation
layer (cloning via SSH, generating the Bash prompt) cannot be
interrupted by Ctrl+C, which has been fixed.
* Git for Windows v2.50.0 is unable to initialize Git repositories on
Windows Server 2016, which has been fixed.
Git for Windows v2.50.0
Changes since Git for Windows v2.49.0 (March 17th 2025)
New Features
* Comes with Git v2.50.0.
* Comes with MinTTY v3.7.8.
* Comes with OpenSSH v10.0.P1.
* Comes with cURL v8.14.1.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.3.
Bug Fixes
* On Windows Server 2022, Git v2.48.1 introduced a regression where
it failed to write files on ReFS drives, which was fixed.
* Git for Windows 2.48.1 introduced a regression when fetching long
branches under core.longPaths = true, which was fixed.
* Git for Windows' installer used a non-writable file for testing
custom editors, which was fixed.
Git for Windows v2.49.1
Changes since Git for Windows v2.49.0 (March 17th 2025):
This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
* Comes with Git v2.49.1.
Bug Fixes
* CVE-2025-27613, Gitk: When a user clones an untrusted repository
and runs Gitk without additional command arguments, any writable
file can be created and truncated. The option "Support per-file
encoding" must have been enabled. The operation "Show origin of
this line" is affected as well, regardless of the option being
enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
that a user who has cloned the repository can be tricked into
running any script supplied by the attacker by invoking gitk
filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as
astextplain. On Windows, path lookup can find such executables in
the worktree. These programs are invoked when the user selects "Git
Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository
and is tricked into editing a file located in a maliciously named
directory in the repository, then Git GUI can create and overwrite
any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any
trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the
CR to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out
to an incorrect location. If a symlink exists that points the
altered path to the submodule hooks directory, and the submodule
contains an executable post-checkout hook, the script may be
unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to
optionally fetch a bundle advertised by the remote server, which
allows the server-side to offload parts of the clone to a CDN. The
Git client does not perform sufficient validation of the advertised
bundles, which allows the remote side to perform protocol
injection. This protocol injection can cause the client to write
the fetched bundle to a location controlled by the adversary. The
fetched content is fully controlled by the server, which can in the
worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static
buffer (target) as a unique key for storing and comparing against
internal storage. This credential helper does not properly bounds
check the available space remaining in the buffer before appending
to it with wcsncat(), leading to potential buffer overflows.
MinGit for Windows v2.47.3
Changes since Git for Windows v2.47.1(2) (January 14th 2025):
This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
* Comes with Git v2.47.3.
Bug Fixes
* CVE-2025-27613, Gitk: When a user clones an untrusted repository
and runs Gitk without additional command arguments, any writable
file can be created and truncated. The option "Support per-file
encoding" must have been enabled. The operation "Show origin of
this line" is affected as well, regardless of the option being
enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
that a user who has cloned the repository can be tricked into
running any script supplied by the attacker by invoking gitk
filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as
astextplain. On Windows, path lookup can find such executables in
the worktree. These programs are invoked when the user selects "Git
Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository
and is tricked into editing a file located in a maliciously named
directory in the repository, then Git GUI can create and overwrite
any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any
trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the
CR to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the
altered path is read resulting in the submodule being checked out
to an incorrect location. If a symlink exists that points the
altered path to the submodule hooks directory, and the submodule
contains an executable post-checkout hook, the script may be
unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to
optionally fetch a bundle advertised by the remote server, which
allows the server-side to offload parts of the clone to a CDN. The
Git client does not perform sufficient validation of the advertised
bundles, which allows the remote side to perform protocol
injection. This protocol injection can cause the client to write
the fetched bundle to a location controlled by the adversary. The
fetched content is fully controlled by the server, which can in the
worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static
buffer (target) as a unique key for storing and comparing against
internal storage. This credential helper does not properly bounds
check the available space remaining in the buffer before appending
to it with wcsncat(), leading to potential buffer overflows.
Git for Windows v2.50.0-rc2
Changes since Git for Windows v2.49.0 (March 17th 2025)
New Features
* Comes with Git v2.50.0-rc2.
* Comes with MinTTY v3.7.8.
* Comes with OpenSSH v10.0.P1.
* Comes with cURL v8.14.1.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.3.
Bug Fixes
* On Windows Server 2022, Git v2.48.1 introduced a regression where
it failed to write files on ReFS drives, which was fixed.
* Git for Windows 2.48.1 introduced a regression when fetching long
branches under core.longPaths = true, which was fixed.
* Git for Windows' installer used a non-writable file for testing
custom editors, which was fixed.
Git for Windows v2.50.0-rc1
Changes since Git for Windows v2.49.0 (March 17th 2025)
New Features
* Comes with Git v2.50.0-rc1.
* Comes with MinTTY v3.7.8.
* Comes with OpenSSH v10.0.P1.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.2.
* Comes with cURL v8.14.1.
Bug Fixes
* On Windows Server 2022, Git v2.48.1 introduced a regression where
it failed to write files on ReFS drives, which was fixed.
* Git for Windows 2.48.1 introduced a regression when fetching long
branches under core.longPaths = true, which was fixed.
* Git for Windows' installer used a non-writable file for testing
custom editors, which was fixed.
Git for Windows v2.50.0-rc0
Changes since Git for Windows v2.49.0 (March 17th 2025)
New Features
* Comes with Git v2.50.0-rc0.
* Comes with MinTTY v3.7.8.
* Comes with OpenSSH v10.0.P1.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.2.
* Comes with cURL v8.14.0.
Bug Fixes
* On Windows Server 2022, Git v2.48.1 introduced a regression where
it failed to write files on ReFS drives, which was fixed.
* Git for Windows 2.48.1 introduced a regression when fetching long
branches under core.longPaths = true, which was fixed.
* Git for Windows' installer used a non-writable file for testing
custom editors, which was fixed.
Git for Windows v2.49.0
Changes since Git for Windows v2.48.1 (February 13th 2025)
Due to persistent maintenance challenges and the community's limited
engagement and usage, git svn support in Git for Windows will be phased
out over the next few months.
Git for Windows v2.48.1 was the last version to ship with the i686
("32-bit") variant of the installer, portable Git and archive. Only
32-bit MinGit will be built for future versions, until April 2029.
New Features
* Comes with Git v2.49.0.
* Comes with OpenSSH v9.9.P2.
* Comes with PCRE2 v10.45.
* The previously-experimental --full-name-hash option has been
accepted into upstream Git as --name-hash-version=2 and is no
longer experimental.
* The git backfill command has been accepted into upstream Git; Its
--batch-size=<n> option has been renamed to --min-batch-size=<n>,
though.
Bug Fixes
* A change in upstream Git v2.48.0 broke renaming symlinks, which was
fixed.
* On a recent Insider Windows version, users experienced the message:
"Cygwin WARNING: Couldn't compute FAST_CWD pointer", which has been
fixed.
* A bug has been fixed that, when calling git add -p from VS Code's
internal terminal, after using the edit command, caused the
internal terminal got stuck and no further command was accepted.
* The syntax highlighting of the nano editor was recently disabled in
Git for Windows by mistake, which was fixed.
Git for Windows v2.49.0-rc2
Changes since Git for Windows v2.48.1 (February 13th 2025)
Due to persistent maintenance challenges and the community's limited
engagement and usage, git svn support in Git for Windows will be phased
out over the next few months.
Git for Windows v2.48.1 was the last version to ship with the i686
("32-bit") variant of the installer, portable Git and archive. Only
32-bit MinGit will be built for future versions, until April 2029.
New Features
* Comes with Git v2.49.0-rc2.
* Comes with OpenSSH v9.9.P2.
* Comes with PCRE2 v10.45.
* The previously-experimental --full-name-hash option has been
accepted into upstream Git as --name-hash-version=2 and is no
longer experimental.
* The git backfill command has been accepted into upstream Git; Its
--batch-size=<n> option has been renamed to --min-batch-size=<n>,
though.
Bug Fixes
* A change in upstream Git v2.48.0 broke renaming symlinks, which was
fixed.
* On a recent Insider Windows version, users experienced the message:
"Cygwin WARNING: Couldn't compute FAST_CWD pointer", which has been
fixed.
* A bug has been fixed that, when calling git add -p from VS Code's
internal terminal, after using the edit command, caused the
internal terminal got stuck and no further command was accepted.
* The syntax highlighting of the nano editor was recently disabled in
Git for Windows by mistake, which was fixed.
PreviousNext