Git v2.37.1, together with v2.30.5, v2.31.4, v2.32.3, v2.33.4, v2.34.4,
v2.35.4, and v2.36.2 for older maintenance tracks, are now available at
the usual places.

These are to address CVE-2022-29187, where the fixes in v2.36.1 and
below to address CVE-2022-24765 released earlier may not have been
complete.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.37.1'
tag and other tags for older maintenance tracks.

  url = https://git.kernel.org/pub/scm/git/git
  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://github.com/gitster/git

----------------------------------------------------------------

Git 2.37.1 Release Notes
========================

This release merges up the fixes that appear in v2.30.5, v2.31.4,
v2.32.3, v2.33.4, v2.34.4, v2.35.4, and v2.36.2 to address the
security issue CVE-2022-29187; see the release notes for these
versions for details.

Fixes since Git 2.37
--------------------

 * Rewrite of "git add -i" in C that appeared in Git 2.25 didn't
   correctly record a removed file to the index, which is an old
   regression but has become widely known because the C version has
   become the default in the latest release.

 * Fix for CVE-2022-29187.

----------------------------------------------------------------

Git v2.30.5 Release Notes
=========================

This release contains minor fix-ups for the changes that went into
Git 2.30.3 and 2.30.4, addressing CVE-2022-29187.

 * The safety check that verifies a safe ownership of the Git
   worktree is now extended to also cover the ownership of the Git
   directory (and the `.git` file, if there is any).

Carlo Marcelo Arenas Belón (1):
      setup: tighten ownership checks post CVE-2022-24765
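
An added illustration of the check described in the v2.30.5 notes above,
not code from Git or from this announcement: it reports which of the
worktree, the Git directory and the `.git` file (when `.git` is a
"gitdir:" pointer file) are not owned by a given user. The function
names, the uid parameter and the sample layout are assumptions made for
the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_git_dir(worktree):
    """Return (git_dir, gitfile); gitfile is set when .git is a 'gitdir:' pointer file."""
    dot_git = worktree / ".git"
    if dot_git.is_file():
        text = dot_git.read_text().strip()
        if not text.startswith("gitdir:"):
            raise ValueError(f"{dot_git}: not a gitdir pointer file")
        target = Path(text[len("gitdir:"):].strip())
        if not target.is_absolute():
            target = worktree / target  # relative pointers are relative to the worktree
        return target, dot_git
    return dot_git, None


def foreign_owned(worktree, uid=None):
    """List the paths among worktree, Git directory and .git file not owned by uid.

    uid defaults to the effective user; passing another value (an assumption of
    this example) lets an audit run on behalf of a different account.
    """
    uid = os.geteuid() if uid is None else uid
    worktree = Path(worktree)
    git_dir, gitfile = resolve_git_dir(worktree)
    checked = [worktree, git_dir] + ([gitfile] if gitfile else [])
    # Checking only the worktree would miss a Git directory or .git file
    # that belongs to somebody else.
    return [str(p) for p in checked if os.lstat(p).st_uid != uid]


def build_sample(root):
    """Constructed layout: one plain repository and one worktree using a .git file."""
    plain = root / "plain"
    (plain / ".git").mkdir(parents=True)
    linked = root / "linked"
    linked.mkdir()
    (root / "real.git").mkdir()
    (linked / ".git").write_text("gitdir: ../real.git\n")
    return plain, linked


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for repo in build_sample(Path(tmp)):
            print(repo.name, foreign_owned(repo) or "all owned by current user")
```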