Skip to content

Git for Windows v2.44.1

Compare
Choose a tag to compare
@dscho dscho released this 14 May 17:25
· 7644 commits to main since this release
v2.44.1.windows.1

Changes since Git for Windows v2.44.0 (February 23rd 2024)

New Features

Bug Fixes

  • CVE-2024-32002: Recursive clones on case-insensitive filesystems that support
    symbolic links are susceptible to case confusion that can be exploited to
    execute just-cloned code during the clone operation.
  • CVE-2024-32004: Repositories can be configured to execute arbitrary code
    during local clones. To address this, the ownership checks introduced in
    v2.30.3 are now extended to cover cloning local repositories.
  • CVE-2024-32020: Local clones may end up hardlinking files into the target
    repository's object database when source and target repository reside on the
    same disk. If the source repository is owned by a different user, then those
    hardlinked files may be rewritten at any point in time by the untrusted user.
  • CVE-2024-32021: When cloning a local source repository that contains symlinks
    via the filesystem, Git may create hardlinks to arbitrary user-readable files
    on the same filesystem as the target repository in the objects/ directory.
  • CVE-2024-32465: It is supposed to be safe to clone untrusted repositories,
    even those unpacked from zip archives or tarballs originating from untrusted
    sources, but Git can be tricked to run arbitrary code as part of the clone.
  • Defense-in-depth: submodule: require the submodule path to contain
    directories only.
  • Defense-in-depth: clone: when symbolic links collide with directories, keep
    the latter.
  • Defense-in-depth: clone: prevent hooks from running during a clone.
  • Defense-in-depth: core.hooksPath: add some protection while cloning.
  • Defense-in-depth: fsck: warn about symlink pointing inside a gitdir.
  • Various fix-ups on HTTP tests.
  • HTTP Header redaction code has been adjusted for a newer version of cURL
    library that shows its traces differently from earlier versions.
  • Fix was added to work around a regression in libcURL 8.7.0 (which has already
    been fixed in their tip of the tree).
  • Replace macos-12 used at GitHub CI with macos-13.
  • ci(linux-asan/linux-ubsan): let's save some time
  • Tests with LSan from time to time seem to emit harmless message that makes
    our tests unnecessarily flakey; we work it around by filtering the
    uninteresting output.
  • Update GitHub Actions jobs to avoid warnings against using deprecated version
    of Node.js.
Filename SHA-256
Git-2.44.1-64-bit.exe da022749f6952f3fad684efd0687cd7150156e9b1d5aaa114f8769535e360a0f
Git-2.44.1-32-bit.exe ceb5c95889c997a0b31a864ccb74ad3264276b4f0b6fdb48d6ecb4efcc2950bc
PortableGit-2.44.1-64-bit.7z.exe 1300ebcd98e91df53f4a0af9bfd955450f7a362aa1e8f6126eb2aa437bf7e497
PortableGit-2.44.1-32-bit.7z.exe 31e3697ec151067f3bdf5665b25230ae5cc77f9e56fd3e3f7889729c3ef3b405
MinGit-2.44.1-64-bit.zip 9f8ce390ff9b9e540c6be26cd9578904fe3bbd7f7581f2376f452ba858bb36db
MinGit-2.44.1-32-bit.zip ed1019bc0d3da92dc2fe694603f80ff8c4d582d378126589db04651e5c49a763
MinGit-2.44.1-busybox-64-bit.zip 2a56b030114faeffb3096ea371ffb5c518a13d2938165704a64c6f957df51554
MinGit-2.44.1-busybox-32-bit.zip b0726058ef8c763c9439083bccb387d9fe495bbbf8e0b9269676d97abed1718c
Git-2.44.1-64-bit.tar.bz2 4da7c9b80ef6e43415544ef4f10fc892c27ba3fd81a22a5735a7c903d0c3e893
Git-2.44.1-32-bit.tar.bz2 b4e2afa28b76c9e79c8c3b63c2eb9cb3b2a0a9484c9b0629526c32f1249efbcf