Release Git for Windows 2.50.1 · git-for-windows/git · GitHub

Git for Windows 2.50.1

@gitforwindowshelper gitforwindowshelper released this 08 Jul 17:54
v2.50.1.windows.1

Changes since Git for Windows v2.50.0(2) (July 1st 2025)

This is a security fix release, addressing CVE-2024-50349, CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.

New Features

Bug Fixes

  • CVE-2025-27613, Gitk: When a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enabled or not.
  • CVE-2025-27614, Gitk: A Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure.
  • CVE-2025-46334, Git GUI (Windows only): A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu.
  • CVE-2025-46835, Git GUI: When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file.
  • CVE-2025-48384, Git: When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout.
  • CVE-2025-48385, Git: When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution.
  • CVE-2025-48386, Git: The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows.
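
An added illustration of the kind of bounds check CVE-2025-48386 describes as missing (not the wincred helper's code and not the actual fix): the remaining space in the buffer is computed before anything is appended with wcsncat(). The names `append_checked`, `build_key` and `TARGET_CAP`, and the key layout, are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define TARGET_CAP 32 /* constructed capacity in wchar_t, terminator included */

/*
 * Append src to the NUL-terminated string in dst, whose capacity is cap wide
 * characters. Returns 0 on success and -1 if src does not fit (dst unchanged).
 * Passing the buffer size as wcsncat()'s count would not help: the count
 * caps what is copied from src and ignores what dst already holds.
 */
int append_checked(wchar_t *dst, size_t cap, const wchar_t *src)
{
    size_t used = 0, need = wcslen(src);

    while (used < cap && dst[used] != L'\0')
        used++;
    if (used == cap)           /* no terminator inside the buffer */
        return -1;
    if (need > cap - used - 1) /* space left after current text and the NUL */
        return -1;
    wcsncat(dst, src, need);   /* need is now known to fit */
    return 0;
}

/* Build "git:<protocol>://<host>" in out. The key layout is hypothetical. */
int build_key(wchar_t *out, size_t cap, const wchar_t *protocol,
              const wchar_t *host)
{
    if (cap == 0)
        return -1;
    out[0] = L'\0';
    if (append_checked(out, cap, L"git:") || append_checked(out, cap, protocol) ||
        append_checked(out, cap, L"://") || append_checked(out, cap, host))
        return -1; /* caller must reject the key, never use a truncated one */
    return 0;
}

int main(void)
{
    static wchar_t target[TARGET_CAP];
    int rc = build_key(target, TARGET_CAP, L"https", L"example.com");

    printf("rc=%d key=%ls\n", rc, rc == 0 ? target : L"(rejected)");
    return 0;
}
```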

Note: As a courtesy, this release includes a last, unplanned, "after warranty" 32-bit installer.
