Changes since Git for Windows v2.44.0 (February 23rd 2024)
New Features
- Comes with Git v2.44.1.
Bug Fixes
- CVE-2024-32002: Recursive clones on case-insensitive filesystems that support
symbolic links are susceptible to case confusion that can be exploited to
execute just-cloned code during the clone operation. - CVE-2024-32004: Repositories can be configured to execute arbitrary code
during local clones. To address this, the ownership checks introduced in
v2.30.3 are now extended to cover cloning local repositories. - CVE-2024-32020: Local clones may end up hardlinking files into the target
repository's object database when source and target repository reside on the
same disk. If the source repository is owned by a different user, then those
hardlinked files may be rewritten at any point in time by the untrusted user. - CVE-2024-32021: When cloning a local source repository that contains symlinks
via the filesystem, Git may create hardlinks to arbitrary user-readable files
on the same filesystem as the target repository in the objects/ directory. - CVE-2024-32465: It is supposed to be safe to clone untrusted repositories,
even those unpacked from zip archives or tarballs originating from untrusted
sources, but Git can be tricked to run arbitrary code as part of the clone. - Defense-in-depth: submodule: require the submodule path to contain
directories only. - Defense-in-depth: clone: when symbolic links collide with directories, keep
the latter. - Defense-in-depth: clone: prevent hooks from running during a clone.
- Defense-in-depth: core.hooksPath: add some protection while cloning.
- Defense-in-depth: fsck: warn about symlink pointing inside a gitdir.
- Various fix-ups on HTTP tests.
- HTTP Header redaction code has been adjusted for a newer version of cURL
library that shows its traces differently from earlier versions. - Fix was added to work around a regression in libcURL 8.7.0 (which has already
been fixed in their tip of the tree). - Replace macos-12 used at GitHub CI with macos-13.
- ci(linux-asan/linux-ubsan): let's save some time
- Tests with LSan from time to time seem to emit harmless message that makes
our tests unnecessarily flakey; we work it around by filtering the
uninteresting output. - Update GitHub Actions jobs to avoid warnings against using deprecated version
of Node.js.
| Filename | SHA-256 |
|---|---|
| Git-2.44.1-64-bit.exe | da022749f6952f3fad684efd0687cd7150156e9b1d5aaa114f8769535e360a0f |
| Git-2.44.1-32-bit.exe | ceb5c95889c997a0b31a864ccb74ad3264276b4f0b6fdb48d6ecb4efcc2950bc |
| PortableGit-2.44.1-64-bit.7z.exe | 1300ebcd98e91df53f4a0af9bfd955450f7a362aa1e8f6126eb2aa437bf7e497 |
| PortableGit-2.44.1-32-bit.7z.exe | 31e3697ec151067f3bdf5665b25230ae5cc77f9e56fd3e3f7889729c3ef3b405 |
| MinGit-2.44.1-64-bit.zip | 9f8ce390ff9b9e540c6be26cd9578904fe3bbd7f7581f2376f452ba858bb36db |
| MinGit-2.44.1-32-bit.zip | ed1019bc0d3da92dc2fe694603f80ff8c4d582d378126589db04651e5c49a763 |
| MinGit-2.44.1-busybox-64-bit.zip | 2a56b030114faeffb3096ea371ffb5c518a13d2938165704a64c6f957df51554 |
| MinGit-2.44.1-busybox-32-bit.zip | b0726058ef8c763c9439083bccb387d9fe495bbbf8e0b9269676d97abed1718c |
| Git-2.44.1-64-bit.tar.bz2 | 4da7c9b80ef6e43415544ef4f10fc892c27ba3fd81a22a5735a7c903d0c3e893 |
| Git-2.44.1-32-bit.tar.bz2 | b4e2afa28b76c9e79c8c3b63c2eb9cb3b2a0a9484c9b0629526c32f1249efbcf |