Hi folks,

I don't typically announce Cygwin releases of Git on this mailing list, but this one's for a security vulnerability, and in particular I'd like to catch the (hopefully very small number of) people who use Git on Cygwin compiling it themselves.

I've just uploaded version 2.31.1-2 of Git to the Cygwin distribution server, and it will be being distributed to the Cygwin mirrors over the next few hours. This update addresses CVE-2021-29468, which would cause Git to overwrite arbitrary files with attacker-controlled contents when checking out content from a malicious repository, and in particular would allow an attacker to overwrite Git hooks to execute arbitrary code.

Having discussed with the Git security list, I believe there are very few people compiling Git on Cygwin themselves, and therefore agreed to release the patched Cygwin build without yet having a patch in the main Git source code. However, if you do use a version of Git on Cygwin that isn't from the official Cygwin distribution servers, I'd strongly recommend either not checking out or cloning from any untrusted repositories until you've applied at least the functional part of the patch I'll be submitting shortly.

I'd like to thank RyotaK (https://github.com/Ry0taK / https://twitter.com/ryotkak) for finding and responsibly disclosing this vulnerability, and Johannes Schindelin for helping manage the response.

Kind regards,

Adam