git-for-windows/git v2.40.1.windows.1

Git for Windows 2.40.1

on GitHub

Changes since Git for Windows v2.40.0 (March 14th 2023)

This is a security release, addressing CVE-2023-29012, CVE-2023-29011, CVE-2023-29007, CVE-2023-25815 and CVE-2023-25652.

As announced previously, Git for Windows will drop support for Windows 7 and for Windows 8 in one of the next versions, following Cygwin's and MSYS2's lead (Git for Windows relies on MSYS2 for components such as Bash and Perl).

Also following the footsteps of the MSYS2 and Cygwin projects on which Git for Windows depends, the 32-bit variant of Git for Windows is nearing its end of support.

New Features

• Comes with Git v2.40.1.

Bug Fixes

• Addresses CVE-2023-29012, a vulnerability where starting Git CMD would execute doskey.exe in the current directory, if it exists.
• Addresses CVE-2023-29011, a vulnerability where the SOCKS5 proxy called connect.exe is susceptible to picking up an untrusted configuration on multi-user machines.
• Addresses CVE-2023-29007, a vulnerability where git submodule deinit can inadvertently introduce malicious changes into the Git config file.
• Addresses CVE-2023-25815, a vulnerability where Git can unexpectedly show crafted "localized" messages written by another user on a multi-user machine.
• Addresses CVE-2023-25652, a vulnerability where git apply --reject could follow symbolic links to write files outside the worktree.