On Tue, Oct 06 2020, Junio C Hamano wrote: > An early preview release Git v2.29.0-rc0 is now available for > testing at the usual places. It is comprised of 588 non-merge > commits since v2.28.0, contributed by 76 people, 22 of which are > new faces. > [...] > Ævar Arnfjörð Bjarmason (17): > [...] > remote-mediawiki: convert to quoted run_git() invocation > remote-mediawiki: annotate unquoted uses of run_git() > remote-mediawiki: use "sh" to eliminate unquoted commands We didn't do a point release for this security fix, but I think we should still credit it in the same way we've done for security point releases, e.g. in the notes for v2.7.6 and v2.10.5. It's still an RCE, and even if we considered it minor due to the obscurity of the exposed component every little thing we can do to encourage responsible security research & reporting helps.
