Hi Junio, my apologies, I only realized _now_ that I had forgotten to update `GIT-VERSION-GEN` in v2.47.2, it still has `DEF_VER=v2.47.1` (but all other mentioned tagged versions have a correct `GIT-VERSION-GEN`). I am very sorry about that. Ciao, Johannes On Tue, 14 Jan 2025, Junio C Hamano wrote: > A maintenance release Git v2.48.1, together with releases for older > maintenance tracks (v2.40.4, v2.41.3, v2.42.4, v2.43.6, v2.44.3, > v2.45.3, v2.46.3, and v2.47.2) are now available at the usual > places. These are to address a couple of security issues. > > The tarballs are found at: > > https://www.kernel.org/pub/software/scm/git/ > > The following public repositories all have a copy of the 'v2.48.1' > tag, as well as the tags for older maintenance tracks listed above. > > url = https://git.kernel.org/pub/scm/git/git > url = https://kernel.googlesource.com/pub/scm/git/git > url = git://repo.or.cz/alt-git.git > url = https://github.com/gitster/git > > > These releases make Git refuse to accept URLs that contain control > sequences to address CVE-2024-50349 and CVE-2024-52006. > > - CVE-2024-50349: > > Printing unsanitized URLs when asking for credentials made the > user susceptible to crafted URLs (e.g. in recursive clones) that > mislead the user into typing in passwords for trusted sites that > would then be sent to untrusted sites instead. > > - CVE-2024-52006 > > Git may pass on Carriage Returns via the credential protocol to > credential helpers which use line-reading functions that > interpret said Carriage Returns as line endings, even though Git > did not intend that. > > > Huge credit goes to Dscho who led and coordinated the fixes for this > set of releases. > >
