Tags: git-for-windows/git
Git for Windows v2.51.0(2)

Changes since Git for Windows v2.51.0 (August 19th 2025)

New Features

* Comes with PCRE2 v10.46.
* Comes with cURL v8.16.0. This addresses a bug where fetches/pushes could fail with failed to read data from server: SEC_E_CONTEXT_EXPIRED (0x80090317) under certain circumstances. Also included: a back-port of a fix for a bug where connection failures were mistakenly reported as time-outs.
* Comes with Tig v2.6.0.
* Comes with MinTTY v3.8.1.
* Comes with OpenSSL v3.5.3.

Bug Fixes

* The auto-updater now shows the Git for Windows icon in the notification also on Windows/ARM64.
* git clone/git fetch now deals more gracefully with directory / file conflicts when the files backend is used for ref storage, by failing only the ones that are involved in the conflict while allowing others. This is a regression in Git v2.51.0 that was reported in Git for Windows and independently also to the Git mailing list. This was fixed by merging Git's topic branch kn/refs-files-case-insensitive.
* Support for pathspecs in diff --no-index was somewhat buggy, which has been fixed.
* git sparse-checkout subcommand learned a new clean action to prune otherwise unused working-tree files that are outside the areas of interest. An earlier version of this had been integrated into Microsoft Git already. This was fixed by merging Git's topic branch ds/sparse-checkout-clean.
* git rebase -i failed to clean-up the commit log message when the command commits the final one in a chain of "fixup" commands, which has been corrected. Backported from Git's topic branch pw/rebase-i-cleanup-fix.
* git subtree did not work correctly when splitting squashed subtrees, which has been improved. Backported from Git's topic branch cs/subtree-squash-split-fix.
* Some among git add -p and friends ignored color.diff and/or color.ui configuration variables, which is an old regression, which has been corrected. This was fixed by merging Git's topic branch jk/add-i-color.
* A corner-case bug in git log -L... has been corrected. This was fixed by merging Git's topic branch sg/line-log-boundary-fixes.
* A broken or malicious git fetch can say that it has the same object for many many times, and the upload-pack serving it can exhaust memory storing them redundantly, which has been corrected. This was fixed by merging Git's topic branch ps/upload-pack-oom-protection.
* Fixes multiple crashes around midx write-out codepaths. This was fixed by merging Git's topic branch ds/midx-write-fixes.
* git repack --path-walk lost objects in some corner cases, which has been corrected. This was fixed by merging Git's topic branch ds/path-walk-repack-fix.
* Under a race against another process that is repacking the repository, especially a partially cloned one, git fetch may mistakenly think some objects we do have are missing, which has been corrected. This was fixed by merging Git's topic branch jk/fetch-check-graph-objects-fix.
* Various options to git diff that make comparison ignore certain aspects of the differences (like "space changes are ignored", "differences in lines that match these regular expressions are ignored") did not work well with --name-only and friends. This was fixed by merging Git's topic branch ly/diff-name-only-with-diff-from-content.
* git diff --no-index run inside a subdirectory under control of a Git repository operated at the top of the working tree and stripped the prefix from the output, and oddballs like "-" (stdin) did not work correctly because of it. Correct the set-up by undoing what the set-up sequence did to the current working directory and prefix. This was fixed by merging Git's topic branch jc/diff-no-index-in-subdir.
* Various bugs about rename handling in "ort" merge strategy have been fixed. This was fixed by merging Git's topic branch en/ort-rename-fixes.
* git push had a code path that led to BUG() but it should have reported a regular failure, as it is a response to a usual but invalid end-user action to attempt pushing an object that does not exist. This was fixed by merging Git's topic branch dl/push-missing-object-error.
* git refs migrate to migrate the reflog entries from a refs backend to another had a handful of bugs squashed. This was fixed by merging Git's topic branch ps/reflog-migrate-fixes.
* During interactive rebase, using drop on a merge commit led to an error, which was incorrect. This was fixed by merging Git's topic branch js/rebase-i-allow-drop-on-a-merge.

Git for Windows v2.51.0

Changes since Git for Windows v2.50.1 (July 8th 2025)

New Features

* Comes with Git v2.51.0.
* The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.01.
* Comes with cURL v8.15.0.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
* Comes with MinTTY v3.7.9.

Git for Windows v2.51.0-rc2

Changes since Git for Windows v2.50.1 (July 8th 2025)

New Features

* Comes with Git v2.51.0-rc2.
* The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.01.
* Comes with cURL v8.15.0.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.
* Comes with MinTTY v3.7.9.

Git for Windows v2.51.0-rc1

Changes since Git for Windows v2.50.1 (July 8th 2025)

New Features

* Comes with Git v2.51.0-rc1.
* The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.00.
* Comes with cURL v8.15.0.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.

Git for Windows v2.51.0-rc0

Changes since Git for Windows v2.50.1 (July 8th 2025)

New Features

* Comes with Git v2.51.0-rc0.
* The Portable Git installers (which are self-extracting 7-Zip archives) are now based off of 7-Zip 25.00.
* Comes with cURL v8.15.0.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.4.

Git for Windows v2.50.1

Changes since Git for Windows v2.50.0(2) (July 1st 2025):

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

* Comes with Git v2.50.1.

Bug Fixes

* CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

Git for Windows v2.50.0(2)

Changes since Git for Windows v2.50.0 (June 16th 2025)

New Features

* Comes with Git LFS v3.7.0.

Bug Fixes

* Cloning large repositories via SSH frequently hung with Git for Windows v2.50.0, which was fixed.
* In Git for Windows v2.50.0, operations using the POSIX emulation layer (cloning via SSH, generating the Bash prompt) cannot be interrupted by Ctrl+C, which has been fixed.
* Git for Windows v2.50.0 is unable to initialize Git repositories on Windows Server 2016, which has been fixed.

Git for Windows v2.50.0

Changes since Git for Windows v2.49.0 (March 17th 2025)

New Features

* Comes with Git v2.50.0.
* Comes with MinTTY v3.7.8.
* Comes with OpenSSH v10.0.P1.
* Comes with cURL v8.14.1.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on Cygwin v3.6.3.

Bug Fixes

* On Windows Server 2022, Git v2.48.1 introduced a regression where it failed to write files on ReFS drives, which was fixed.
* Git for Windows 2.48.1 introduced a regression when fetching long branches under core.longPaths = true, which was fixed.
* Git for Windows' installer used a non-writable file for testing custom editors, which was fixed.

Git for Windows v2.49.1

Changes since Git for Windows v2.49.0 (March 17th 2025):

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

* Comes with Git v2.49.1.

Bug Fixes

* CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

MinGit for Windows v2.47.3

Changes since Git for Windows v2.47.1(2) (January 14th 2025):

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

* Comes with Git v2.47.3.

Bug Fixes

* CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.

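The missing bounds check described for CVE-2025-48386 in the three security releases above, as an added example (this is not code from Git or from the wincred helper): a predicate showing when a wcsncat() call that passes the whole buffer size as its count would write past the end, next to an append that computes the space remaining first. TARGET_CAP, the function names and the sample strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define TARGET_CAP 16  /* constructed size in wchar_t units, terminator included */

/* wcsncat(target, src, TARGET_CAP) limits how much of src is copied; it
 * does not know how full target already is. This predicate reports
 * whether that call would write past the buffer, without performing it.
 * It assumes target is already terminated inside the buffer. */
int unchecked_append_overflows(const wchar_t *target, const wchar_t *src)
{
    size_t used = wcslen(target);
    size_t copied = wcslen(src);
    if (copied > TARGET_CAP) copied = TARGET_CAP;
    return used + copied + 1 > TARGET_CAP;  /* +1: terminator wcsncat adds */
}

/* Checked append: work out the space remaining (one slot kept for the
 * terminator) and refuse, leaving target untouched, when src does not fit. */
int append_checked(wchar_t *target, size_t cap, const wchar_t *src)
{
    const wchar_t *end = wmemchr(target, L'\0', cap);
    if (!end) return -1;                    /* not terminated inside cap */
    size_t remaining = cap - (size_t)(end - target) - 1;
    if (wcslen(src) > remaining) return -1; /* reject instead of truncating */
    wcsncat(target, src, remaining);
    return 0;
}

/* Build a key from parts; returns 0 only if every part fit completely. */
int build_target(wchar_t *target, size_t cap, const wchar_t *const *parts, size_t n)
{
    if (cap == 0) return -1;
    target[0] = L'\0';
    for (size_t i = 0; i < n; i++)
        if (append_checked(target, cap, parts[i]) != 0) return -1;
    return 0;
}

int main(void)
{
    static wchar_t target[TARGET_CAP];
    const wchar_t *parts[] = { L"git:", L"https://", L"host.example" };
    int rc = build_target(target, TARGET_CAP, parts, 3);
    printf("checked build: %s\n", rc == 0 ? "fits" : "rejected");
    return 0;
}
```

Rejecting an oversized part, rather than truncating it, keeps two different inputs from collapsing into the same key when the buffer is used for comparison.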