Hi brian and Robert,

On Mon, 25 Sep 2023, brian m. carlson wrote:

> On 2023-09-25 at 15:37:46, Robert Smith wrote:
>
> > Regarding this CVE:
> >
> > https://curl.se/docs/CVE-2023-38039.html

In the future, please consider sending security-relevant enquiries to git-security@xxxxxxxxxxxxxxxx instead of the regular Git mailing list. In this case, not much harm was done, but let's not risk anything.

I say not much harm was done because that CVE would appear to be very low risk. The cURL project itself says this:

    When curl retrieves an HTTP response, it stores the incoming headers so that they can be accessed later via the libcurl headers API.

    However, curl did not have a limit on the size or quantity of headers it would accept in a response, allowing a malicious server to stream an endless series of headers to a client and eventually cause curl to run out of heap memory.

So the most damage that can be done by exploiting this vulnerability is to host a Git server from which a user targeted by the attack simply cannot clone because the process will fail with an out-of-memory condition.

The Git for Windows project carefully vets any security updates of any of the components distributed with Git for Windows, and if it is determined that they constitute a vulnerability that can be exploited via regular Git usage, we aim to release a new version as swiftly as possible.

In this instance, it was determined that the severity is low (deviating from cURL's assessment because Git's usage of libcurl has a narrower focus than general cURL usage), and no new Git for Windows version was deemed necessary.

> > Is there any plan to update Git for Windows to include the updated
> > 8.3.0 Curl binaries?

Ever since https://github.com/git-for-windows/git/issues/4605 was addressed, the v8.3.0 cURL binaries have been ready to go for the next Git for Windows version.

> The Git project doesn't ship any binaries at all, and we don't ship
> curl. Git for Windows does ship a substantial amount of other software,
> including curl. You can find their issue tracker at
> https://github.com/git-for-windows/git/issues, but I believe this has
> already been fixed in https://github.com/git-for-windows/git/issues/4605
> and will be included in the next version.

Precisely.

> I'm not certain about their release policy,

Git for Windows' release policy is documented at https://github.com/git-for-windows/git/security/policy.

> but I seem to recall that they don't issue updates for dependent
> packages until a new release would normally be done. To be certain,
> you'd have to inquire with them.

Git for Windows does follow "upstream" Git releases. That is, every official Git version on the latest major version release train is followed shortly thereafter with a corresponding Git for Windows version.

As documented at https://github.com/git-for-windows/git/security/policy#version-number-scheme sometimes Git for Windows releases versions that do _not_ correspond to upstream Git versions. Reasons for that include security bug fixes in dependencies that affect Git usage, and bug fixes that are specific to Git for Windows which are considered important enough to deliver to Git for Windows users as quickly as possible.

In this instance, I do not see any reason to risk upgrade fatigue and expect to publish the first Git for Windows version that includes cURL v8.3.0 in the wake of Git v2.43.0 (slated for November 20th, 2023, see https://gh.io/gitCal).

Robert, if you still feel very strongly that you need to have a Git for Windows that includes an updated `curl.exe`, I invite you to install the latest snapshot at https://wingit.blob.core.windows.net/files/index.html. These snapshots are designed to be as robust and dependable as full Git for Windows releases, the only difference being that snapshots are released with every update to Git for Windows' `main` branch, i.e. at a much faster cadence than official Git for Windows versions.
Ciao, Johannes
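The failure mode quoted from the cURL advisory above (a server streams headers without ever ending the header block, and a client that retains every header for a later "headers API" grows without bound) is easy to reproduce in miniature. The following is an added example, not curl's or Git for Windows' code: a tiny header accumulator fed by a constructed hostile stream, once with no limits and once with a count and byte cap. The limits `MAX_HEADER_COUNT` and `MAX_HEADER_BYTES`, the exception type, and the `X-Pad-*` header names are illustrative assumptions, not values taken from curl's fix.

```python
"""Unbounded vs. capped response-header storage (added example, not curl's code)."""
from typing import Iterable, Iterator, List, Optional, Tuple

Header = Tuple[bytes, bytes]

# Illustrative caps (assumptions for this example, not curl's actual limits).
MAX_HEADER_COUNT = 1000
MAX_HEADER_BYTES = 1 << 20  # 1 MiB of raw header lines


class HeaderLimitExceeded(Exception):
    """Raised when the capped reader refuses to store any more headers."""

    def __init__(self, reason: str, stored: int, total_bytes: int) -> None:
        super().__init__(f"{reason} after {stored} headers / {total_bytes} bytes")
        self.reason = reason
        self.stored = stored
        self.total_bytes = total_bytes


def hostile_header_stream(n: int, pad: int = 64) -> Iterator[bytes]:
    """Constructed sample input: a server that emits n header lines and never
    sends the empty line that would terminate the header block."""
    yield b"HTTP/1.1 200 OK\r\n"
    for i in range(n):
        yield b"X-Pad-%d: %s\r\n" % (i, b"A" * pad)
    # Deliberately no terminating b"\r\n": a real attacker just keeps sending.


def read_headers(lines: Iterable[bytes],
                 max_count: Optional[int] = None,
                 max_bytes: Optional[int] = None) -> Tuple[List[Header], int]:
    """Accumulate response headers the way a headers API must: every line is
    retained until the blank line. With both limits None this is the unbounded
    behaviour described in the advisory; with limits set it fails closed."""
    stored: List[Header] = []
    total = 0
    for line in lines:
        if line == b"\r\n":            # end of header block
            break
        if line.startswith(b"HTTP/"):  # status line, not a header
            continue
        if max_count is not None and len(stored) >= max_count:
            raise HeaderLimitExceeded("too many headers", len(stored), total)
        if max_bytes is not None and total + len(line) > max_bytes:
            raise HeaderLimitExceeded("header block too large", len(stored), total)
        name, _, value = line.rstrip(b"\r\n").partition(b":")
        stored.append((name.strip().lower(), value.strip()))
        total += len(line)
    return stored, total


def unbounded_retained(n: int) -> Tuple[int, int]:
    """(headers kept, bytes kept) by the unbounded reader for n hostile lines.
    Memory grows linearly with n, which is the out-of-memory condition."""
    stored, total = read_headers(hostile_header_stream(n))
    return len(stored), total


def bounded_outcome(n: int) -> Tuple[str, int]:
    """Same stream through the capped reader: it stops at the cap, so the
    server controls failure, not the client's heap."""
    try:
        stored, _ = read_headers(hostile_header_stream(n),
                                 max_count=MAX_HEADER_COUNT,
                                 max_bytes=MAX_HEADER_BYTES)
        return "accepted", len(stored)
    except HeaderLimitExceeded as exc:
        return exc.reason, exc.stored


if __name__ == "__main__":
    print("unbounded:", unbounded_retained(50_000))
    print("bounded:  ", bounded_outcome(50_000))
```

The unbounded reader keeps all 50,000 lines (nearly 4 MB here, and it would keep growing for as long as the server sends); the capped one stops after `MAX_HEADER_COUNT` headers regardless of how much more the server streams. Which cap trips first depends on line size, so a real client wants both a count and a byte limit.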