A maintenance release Git v2.48.1, together with releases for older
maintenance tracks (v2.40.4, v2.41.3, v2.42.4, v2.43.6, v2.44.3,
v2.45.3, v2.46.3, and v2.47.2) are now available at the usual
places. These are to address a couple of security issues.
The tarballs are found at:
https://www.kernel.org/pub/software/scm/git/
The following public repositories all have a copy of the 'v2.48.1'
tag, as well as the tags for older maintenance tracks listed above.
url = https://git.kernel.org/pub/scm/git/git
url = https://kernel.googlesource.com/pub/scm/git/git
url = git://repo.or.cz/alt-git.git
url = https://github.com/gitster/git
These releases make Git refuse to accept URLs that contain control
sequences to address CVE-2024-50349 and CVE-2024-52006.
- CVE-2024-50349:
Printing unsanitized URLs when asking for credentials made the
user susceptible to crafted URLs (e.g. in recursive clones) that
mislead the user into typing in passwords for trusted sites that
would then be sent to untrusted sites instead.
- CVE-2024-52006
Git may pass on Carriage Returns via the credential protocol to
credential helpers which use line-reading functions that
interpret said Carriage Returns as line endings, even though Git
did not intend that.
Huge credit goes to Dscho who led and coordinated the fixes for this
set of releases.
