Porting of 2.17.2 to Git for Windows

[StanleyGoldman]

👋 Hello.

I work on GitHub for Unity which currently deploys and utilizes "2.17.1.windows.1" for users. I wanted to get the recent submodule vulnerability into our project and I was relieved to hear that the fix was backported in 2.17.2, but I quickly realized that did not mean Git for Windows had a 2.17.2.

I wanted to know if you had plans to or if I could compel you also release a 2.17.2 of Git for Windows?

[StanleyGoldman]

Paying more attention the actual vulnerability, I'm now reading this..

P.S. Folks at Microsoft tried to follow the known exploit recipe on
Git for Windows (but not Cygwin or other Git implementations on
Windows) and found that the recipe (or its variants they can think
of) would not make their system vulnerable.  This is due to the fact
that the type of submodule path require by the known exploit recipe
cannot be created on Windows. Nonetheless, it is possible we have
missed some exploitation path and users are encouraged to upgrade.
Nonetheless, it is possible we have missed some exploitation path and
users are encouraged to upgrade.

https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/T/#u

[StanleyGoldman]

The more I learn about the vulnerability the more I learn that it may not even be reproducible on Windows. So this may all be a non-starter. Thanks.

[dscho]

And besides, v2.19.1 is already out. We are too short-handed to do maintenance releases on old Git for WIndows release trains. As soon as a new major version is released by core Git, we switch to that new version in Git for Windows.

[StanleyGoldman]

I understand. Thanks for the reply.