Tags: git-for-windows/git
MinGit for Windows v2.47.3(2)
Changes since Git for Windows v2.47.1(2) (January 14th 2025):
This is a security fix release, addressing CVE-2024-50349,
CVE-2024-52006, CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
New Features
* Comes with Git v2.47.3.
Bug Fixes
* CVE-2025-27613, Gitk: When a user clones an untrusted repository
and runs Gitk without additional command arguments, any writable
file can be created and truncated. The option "Support per-file
encoding" must have been enabled. The operation "Show origin of
this line" is affected as well, regardless of the option being
enabled or not.
* CVE-2025-27614, Gitk: A Git repository can be crafted in such a way
that a user who has cloned the repository can be tricked into
running any script supplied by the attacker by invoking gitk
filename, where filename has a particular structure.
* CVE-2025-46334, Git GUI (Windows only): A malicious repository can
ship versions of sh.exe or typical textconv filter programs such as
astextplain. On Windows, path lookup can find such executables in
the worktree. These programs are invoked when the user selects "Git
Bash" or "Browse Files" from the menu.
* CVE-2025-46835, Git GUI: When a user clones an untrusted repository
and is tricked into editing a file located in a maliciously named
directory in the repository, then Git GUI can create and overwrite
any writable file.
* CVE-2025-48384, Git: When reading a config value, Git strips any
trailing carriage return and line feed (CRLF). When writing a
config entry, values with a trailing CR are not quoted, causing the
CR to be lost when the config is later read. When initializing a
submodule, if the submodule path contains a trailing CR, the
altered path is read, resulting in the submodule being checked out
to an incorrect location. If a symlink exists that points the
altered path to the submodule hooks directory, and the submodule
contains an executable post-checkout hook, the script may be
unintentionally executed after checkout.
* CVE-2025-48385, Git: When cloning a repository, Git knows to
optionally fetch a bundle advertised by the remote server, which
allows the server side to offload parts of the clone to a CDN. The
Git client does not perform sufficient validation of the advertised
bundles, which allows the remote side to perform protocol
injection. This protocol injection can cause the client to write
the fetched bundle to a location controlled by the adversary. The
fetched content is fully controlled by the server, which can in the
worst case lead to arbitrary code execution.
* CVE-2025-48386, Git: The wincred credential helper uses a static
buffer (target) as a unique key for storing and comparing against
internal storage. This credential helper does not properly bounds
check the available space remaining in the buffer before appending
to it with wcsncat(), leading to potential buffer overflows.
Merge branch 'disallow-ntlm-auth-by-default'

This topic branch addresses the following vulnerability:

- **CVE-2025-66413**: When a user clones a repository from an attacker-controlled server, Git may attempt NTLM authentication and disclose the user's NTLMv2 hash to the remote server. Since NTLM hashing is weak, the captured hash can potentially be brute-forced to recover the user's credentials. This is addressed by disabling NTLM authentication by default. (GHSA-hv9c-4jm9-jh3x)

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
MinGit for Windows v2.52.0(2)
Changes since Git for Windows v2.51.2 (October 28th 2025):
As announced in several recent release notes, git svn is no longer
supported by the Git for Windows project.
New Features
* Comes with Git v2.52.0.
* Comes with PCRE2 v10.47.
* Comes with cURL v8.17.0.
* The Git for Windows installer is now built with version 6.6.0 of
InnoSetup, giving it a more modern look.
Bug Fixes
* The command git help git-bash was broken by a change in upstream
Git v2.49.0, which has been fixed.
MinGit for Windows v2.51.2(2)
Changes since Git for Windows v2.51.1 (October 17th 2025):
New Features
* Comes with Git v2.51.2.
Bug Fixes
* The default credential helper in the portable variant of Git for
Windows (credential-helper-selector) is now high DPI aware.
Git for Windows v2.53.0(2)
Changes since Git for Windows v2.53.0 (February 2nd 2026):
This is a security fix release, addressing CVE-2025-66413.
* CVE-2025-66413, Git for Windows: When a user clones a repository
from an attacker-controlled server, Git may attempt NTLM
authentication and disclose the user's NTLMv2 hash to the remote
server. Since NTLM hashing is weak, the captured hash can
potentially be brute-forced to recover the user's credentials. This
is addressed by disabling NTLM authentication by default.
Git for Windows v2.53.0
Changes since Git for Windows v2.52.0 (November 17th 2025)
New Features
* Comes with Git v2.53.0.
* Pressing the Tab key in an empty line in Git Bash no longer causes
the session to "freeze".
* Git for Windows' installer is now built by InnoSetup v6.6.1.
* Comes with cURL v8.18.0.
* Microsoft Edit can now be specified as Git editor.
* Comes with Git Credential Manager v2.7.0, the "anniversary release"
after one release-less year, which brings native x64 and ARM64
binaries for the respective flavors of Git for Windows.
* Upgrades the memory allocator mimalloc that is used by Git for
Windows to v2.2.7.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.6.
* Comes with OpenSSL v3.5.5.
Bug Fixes
* The installer of Git for Windows v2.52 showed clipped text in some
setups, which was fixed.
* When calling Microsoft Store apps, their standard I/O is now set up
correctly (meaning: You can call an interactive Python interpreter
without the winpty hack mentioned in the release notes' Known
Issues).
* The astextplain tool (which is used by Git for Windows to generate
diffs of .pdf and .doc files) used to handle empty files
gracefully. This behavior is now reinstated.
Git for Windows v2.53.0-rc2
Changes since Git for Windows v2.52.0 (November 17th 2025)
New Features
* Comes with Git v2.53.0-rc2.
* Pressing the Tab key in an empty line in Git Bash no longer causes
the session to "freeze".
* Git for Windows' installer is now built by InnoSetup v6.6.1.
* Comes with cURL v8.18.0.
* Microsoft Edit can now be specified as Git editor.
* Comes with Git Credential Manager v2.7.0, the "anniversary release"
after one release-less year, which brings native x64 and ARM64
binaries for the respective flavors of Git for Windows.
* Upgrades the memory allocator mimalloc that is used by Git for
Windows to v2.2.7.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.6.
* Comes with OpenSSL v3.5.5.
Bug Fixes
* The installer of Git for Windows v2.52 showed clipped text in some
setups, which was fixed.
* When calling Microsoft Store apps, their standard I/O is now set up
correctly (meaning: You can call an interactive Python interpreter
without the winpty hack mentioned in the release notes' Known
Issues).
* The astextplain tool (which is used by Git for Windows to generate
diffs of .pdf and .doc files) used to handle empty files
gracefully. This behavior is now reinstated.
Git for Windows v2.53.0-rc1
Changes since Git for Windows v2.52.0 (November 17th 2025)
New Features
* Comes with Git v2.53.0-rc1.
* Pressing the Tab key in an empty line in Git Bash no longer causes
the session to "freeze".
* Git for Windows' installer is now built by InnoSetup v6.6.1.
* Comes with cURL v8.18.0.
* Microsoft Edit can now be specified as Git editor.
* Comes with Git Credential Manager v2.7.0, the "anniversary release"
after one release-less year, which brings native x64 and ARM64
binaries for the respective flavors of Git for Windows.
* Upgrades the memory allocator mimalloc that is used by Git for
Windows to v2.2.7.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.6.
Bug Fixes
* The installer of Git for Windows v2.52 showed clipped text in some
setups, which was fixed.
* When calling Microsoft Store apps, their standard I/O is now set up
correctly (meaning: You can call an interactive Python interpreter
without the winpty hack mentioned in the release notes' Known
Issues).
* The astextplain tool (which is used by Git for Windows to generate
diffs of .pdf and .doc files) used to handle empty files
gracefully. This behavior is now reinstated.
Git for Windows v2.53.0-rc0
Changes since Git for Windows v2.52.0 (November 17th 2025)
New Features
* Comes with Git v2.53.0-rc0.
* Pressing the Tab key in an empty line in Git Bash no longer causes
the session to "freeze".
* Git for Windows' installer is now built by InnoSetup v6.6.1.
* Comes with cURL v8.18.0.
* Microsoft Edit can now be specified as Git editor.
* Comes with Git Credential Manager v2.7.0, the "anniversary release"
after one release-less year, which brings native x64 and ARM64
binaries for the respective flavors of Git for Windows.
* Upgrades the memory allocator mimalloc that is used by Git for
Windows to v2.2.6.
* Comes with the MSYS2 runtime (Git for Windows flavor) based on
Cygwin v3.6.6.
Bug Fixes
* The installer of Git for Windows v2.52 showed clipped text in some
setups, which was fixed.
* When calling Microsoft Store apps, their standard I/O is now set up
correctly (meaning: You can call an interactive Python interpreter
without the winpty hack mentioned in the release notes' Known
Issues).
* The astextplain tool (which is used by Git for Windows to generate
diffs of .pdf and .doc files) used to handle empty files
gracefully. This behavior is now reinstated.
Git for Windows v2.52.0
Changes since Git for Windows v2.51.2 (October 28th 2025)
As announced in several recent release notes, git svn is no longer
supported by the Git for Windows project.
New Features
* Comes with Git v2.52.0.
* Comes with PCRE2 v10.47.
* Comes with cURL v8.17.0.
* The Git for Windows installer is now built with version 6.6.0 of
InnoSetup, giving it a more modern look.
Bug Fixes
* The command git help git-bash was broken by a change in upstream
Git v2.49.0, which has been fixed.