Security update for git SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:20721-1 Final 1 1 2025-09-22T09:07:57Z current 2025-09-22T09:07:57Z 2025-09-22T09:07:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for git This update for git fixes the following issues: - Update to 2.51.0 - UI, Workflows & Features - Userdiff patterns for the R language have been added. - Documentation for "git send-email" has been updated with a bit more credential helper and OAuth information. - "git cat-file --batch" learns to understand %(objectmode) atom to allow the caller to tell missing objects (due to repository corruption) and submodules (whose commit objects are OK to be missing) apart. - "git diff --no-index dirA dirB" can limit the comparison with pathspec at the end of the command line, just like normal "git diff". - "git subtree" (in contrib/) learned to grok GPG signing its commits. - "git whatchanged" that is longer to type than "git log --raw" which is its modern rough equivalent has outlived its usefulness more than 10 years ago. Plan to deprecate and remove it. - An interchange format for stash entries is defined, and subcommand of "git stash" to import/export has been added. - "git merge/pull" has been taught the "--compact-summary" option to use the compact-summary format, intead of diffstat, when showing the summary of the incoming changes. - "git imap-send" has been broken for a long time, which has been resurrected and then taught to talk OAuth2.0 etc. - Some error messages from "git imap-send" has been updated. - When "git daemon" sees a signal while attempting to accept() a new client, instead of retrying, it skipped it by mistake, which has been corrected. - The reftable ref backend has matured enough; Git 3.0 will make it the default format in a newly created repositories by default. - "netrc" credential helper has been improved to understand textual service names (like smtp) in addition to the numeric port numbers (like 25). - Lift the limitation to use changed-path filter in "git log" so that it can be used for a pathspec with multiple literal paths. - Clean up the way how signature on commit objects are exported to and imported from fast-import stream. - Remove unsupported, unused, and unsupportable old option from "git log". - Document recently added "git imap-send --list" with an example. - "git pull" learned to pay attention to pull.autostash configuration variable, which overrides rebase/merge.autostash. - "git for-each-ref" learns "--start-after" option to help applications that want to page its output. - "git switch" and "git restore" are declared to be no longer experimental. - "git -c alias.foo=bar foo -h baz" reported "'foo' is aliased to 'bar'" and then went on to run "git foo -h baz", which was unexpected. Tighten the rule so that alias expansion is reported only when "-h" is the sole option. - Performance, Internal Implementation, Development Support etc. - "git pack-objects" learned to find delta bases from blobs at the same path, using the --path-walk API. - CodingGuidelines update. - Add settings for Solaris 10 & 11. - Meson-based build/test framework now understands TAP output generated by our tests. - "Do not explicitly initialize to zero" rule has been clarified in the CodingGuidelines document. - A test helper "test_seq" function learned the "-f <fmt>" option, which allowed us to simplify a lot of test scripts. - A lot of stale stuff has been removed from the contrib/ hierarchy. - "git push" and "git fetch" are taught to update refs in batches to gain performance. - Some code paths in "git prune" used to ignore the passed-in repository object and used the `the_repository` singleton instance instead, which has been corrected. - Update ".clang-format" and ".editorconfig" to match our style guide a bit better. - "make coccicheck" succeeds even when spatch made suggestions, which has been updated to fail in such a case. - Code clean-up around object access API. - Define .precision to more canned parse-options type to avoid bugs coming from using a variable with a wrong type to capture the parsed values. - Flipping the default hash function to SHA-256 at Git 3.0 boundary is planned. - Declare weather-balloon we raised for "bool" type 18 months ago a success and officially allow using the type in our codebase. - GIT_TEST_INSTALLED was not honored in the recent topic related to SHA256 hashes, which has been corrected. - The pop_most_recent_commit() function can have quite expensive worst case performance characteristics, which has been optimized by using prio-queue data structure. - Move structure definition from unrelated header file to where it belongs. - To help our developers, document what C99 language features are being considered for adoption, in addition to what past experiments have already decided. - The reftable unit tests are now ported to the "clar" unit testing framework. - Redefine where the multi-pack-index sits in the object subsystem, which recently was restructured to allow multiple backends that support a single object source that belongs to one repository. A MIDX does span multiple "object sources". - Reduce implicit assumption and dependence on the_repository in the object-file subsystem. - Fixes since v2.50 Unless otherwise noted, all the changes in 2.50.X maintenance track, including security updates, are included in this release. - A memory-leak in an error code path has been plugged. - Some leftover references to documentation source files that no longer exist, due to recent ".txt" -> ".adoc" renaming, have been corrected. - "git stash -p <pathspec>" improvements. - "git send-email" incremented its internal message counter when a message was edited, which made logic that treats the first message specially misbehave, which has been corrected. - "git stash" recorded a wrong branch name when submodules are present in the current checkout, which has been corrected. - When asking to apply mailmap to both author and committer field while showing a commit object, the field that appears later was not correctly parsed and replaced, which has been corrected. - "git maintenance" lacked the care "git gc" had to avoid holding onto the repository lock for too long during packing refs, which has been remedied. - Avoid regexp_constraint and instead use comparison_constraint when listing functions to exclude from application of coccinelle rules, as spatch can be built with different regexp engine X-<. - Updating submodules from the upstream did not work well when submodule's HEAD is detached, which has been improved. - Remove unnecessary check from "git daemon" code. (merge 0c856224d2 cb/daemon-fd-check-fix later to maint). - Use of sysctl() system call to learn the total RAM size used on BSDs has been corrected. - Drop FreeBSD 4 support and declare that we support only FreeBSD 12 or later, which has memmem() supported. - A diff-filter with negative-only specification like "git log --diff-filter=d" did not trigger correctly, which has been fixed. - A failure to open the index file for writing due to conflicting access did not state what went wrong, which has been corrected. - Tempfile removal fix in the codepath to sign commits with SSH keys. - Code and test clean-up around string-list API. - "git apply -N" should start from the current index and register only new files, but it instead started from an empty index, which has been corrected. - Leakfix with a new and a bit invasive test on pack-bitmap files. - "git fetch --prune" used to be O(n^2) expensive when there are many refs, which has been corrected. - When a ref creation at refs/heads/foo/bar fails, the files backend now removes refs/heads/foo/ if the directory is otherwise not used. - "pack-objects" has been taught to avoid pointing into objects in cruft packs from midx. - "git remote" now detects remote names that overlap with each other (e.g., remote nickname "outer" and "outer/inner" are used at the same time), as it will lead to overlapping remote-tracking branches. - The gpg.program configuration variable, which names a pathname to the (custom) GPG compatible program, can now be spelled with ~tilde expansion. - Our <sane-ctype.h> header file relied on that the system-supplied <ctype.h> header is not later included, which would override our macro definitions, but "amazon linux" broke this assumption. Fix this by preemptively including <ctype.h> near the beginning of <sane-ctype.h> ourselves. (merge 9d3b33125f ps/sane-ctype-workaround later to maint). - Clean-up compat/bswap.h mess. (merge f4ac32c03a ss/compat-bswap-revamp later to maint). - Meson-based build did not handle libexecdir setting correctly, which has been corrected. (merge 056dbe8612 rj/meson-libexecdir-fix later to maint). - Document that we do not require "real" name when signing your patches off. (merge 1f0fed312a bc/contribution-under-non-real-names later to maint). - "git commit" that concludes a conflicted merge failed to notice and remove existing comment added automatically (like "# Conflicts:") when the core.commentstring is set to 'auto'. (merge 92b7c7c9f5 ac/auto-comment-char-fix later to maint). - "git rebase -i" with bogus rebase.instructionFormat configuration failed to produce the todo file after recording the state files, leading to confused "git status"; this has been corrected. (merge ade14bffd7 ow/rebase-verify-insn-fmt-before-initializing-state later to maint). - A few file descriptors left unclosed upon program completion in a few test helper programs are now closed. (merge 0f1b33815b hl/test-helper-fd-close later to maint). - Interactive prompt code did not correctly strip CRLF from the end of line on Windows. (merge 711a20827b js/prompt-crlf-fix later to maint). - The config API had a set of convenience wrapper functions that implicitly use the_repository instance; they have been removed and inlined at the calling sites. - "git add/etc -p" now honor the diff.context configuration variable, and also they learn to honor the -U<n> command-line option. (merge 2b3ae04011 lm/add-p-context later to maint). - The case where a new submodule takes a path where there used to be a completely different subproject is now dealt with a bit better than before. (merge 5ed8c5b465 kj/renamed-submodule later to maint). - The deflate codepath in "git archive --format=zip" had a longstanding bug coming from misuse of zlib API, which has been corrected. - Update to 2.50.1: * CVE-2025-27613: Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938) * CVE-2025-27614: Fixed arbitrary script execution via repo clonation in gitk (bsc#1245939) * CVE-2025-46835: Fixed untrusted repository cloning leading to arbitrary writable file creation in Git GUI (bsc#1245942) * CVE-2025-48384: Fixed CRLF transforming (bsc#1245943) * CVE-2025-48385: Fixed arbitrary code execution due to protocol injection (bsc#1245946) * CVE-2025-48386: Fixed buffer overflow in static buffer (bsc#1245947) - Update to 2.48.1: * CVE-2024-50349: Fixed password leak (bsc#1235600) * CVE-2024-52006: Fixed Carriage Returns via the credential protocol to credential helpers (bsc#1235601) - Update to 2.48.0: * Reference consistency checks: git refs verify * Reflogs can now be migrated with git refs migrate * git is free of memory leaks as covered by the test suite * Performance improvements - Update to 2.47.1: * Use after free and double freeing at the end in "git log -L... -p" had been identified and fixed. * "git maintenance start" crashed due to an uninitialized variable reference, which has been corrected. * Fail gracefully instead of crashing when attempting to write the contents of a corrupt in-core index as a tree object. * A "git fetch" from the superproject going down to a submodule used a wrong remote when the default remote names are set differently between them. * The "gitk" project tree has been synchronized again - Update to 2.47.0: * A few descriptions in "git show-ref -h" have been clarified. * A 'P' command to "git add -p" that passes the patch hunk to the pager has been added. * "git grep -W" omits blank lines that follow the found function at the end of the file, just like it omits blank lines before the next function. * The value of http.proxy can have "path" at the end for a socks proxy that listens to a unix-domain socket, but we started to discard it when we taught proxy auth code path to use the credential helpers, which has been corrected. * The code paths to compact multiple reftable files have been updated to correctly deal with multiple compaction triggering at the same time. * Support to specify ref backend for submodules has been enhanced. * "git svn" has been taught about svn:global-ignores property recent versions of Subversion has. * The default object hash and ref backend format used to be settable only with explicit command line option to "git init" and environment variables, but now they can be configured in the user's global and system wide configuration. * "git send-email" learned "--translate-aliases" option that reads addresses from the standard input and emits the result of applying aliases on them to the standard output. * 'git for-each-ref' learned a new "--format" atom to find the branch that the history leading to a given commit "%(is-base:<commit>)" is likely based on. * The command line prompt support used to be littered with bash-isms, which has been corrected to work with more shells. * Support for the RUNTIME_PREFIX feature has been added to z/OS port. * "git send-email" learned "--mailmap" option to allow rewriting the recipient addresses. * "git mergetool" learned to use VSCode as a merge backend. * "git pack-redundant" has been marked for removal in Git 3.0. * One-line messages to "die" and other helper functions will get LF added by these helper functions, but many existing messages had an unnecessary LF at the end, which have been corrected. * The "scalar clone" command learned the "--no-tags" option. * The environment GIT_ADVICE has been intentionally kept undocumented to discourage its use by interactive users. Add documentation to help tool writers. * "git apply --3way" learned to take "--ours" and other options. - Update to version 2.46.2: * Revert the "git patch-id" change that went into 2.46.1, as it seems to have got a regression reported (I haven't verified, but it is better to keep a known breakage than adding an unintended regression). * In a few corner cases "git diff --exit-code" failed to report "changes" (e.g., renamed without any content change), which has been corrected. * The interpret-trailers command failed to recognise the end of the message when the commit log ends in an incomplete line. - Update to version 2.46.1; * "git checkout --ours" (no other arguments) complained that the option is incompatible with branch switching, which is technically correct, but found confusing by some users. It now says that the user needs to give pathspec to specify what paths to checkout. * It has been documented that we avoid "VAR=VAL shell_func" and why. * "git add -p" by users with diff.suppressBlankEmpty set to true failed to parse the patch that represents an unmodified empty line with an empty line (not a line with a single space on it), which has been corrected. * "git rebase --help" referred to "offset" (the difference between the location a change was taken from and the change gets replaced) incorrectly and called it "fuzz", which has been corrected. * "git notes add -m '' --allow-empty" and friends that take prepared data to create notes should not invoke an editor, but it started doing so since Git 2.42, which has been corrected. * An expensive operation to prepare tracing was done in re-encoding code path even when the tracing was not requested, which has been corrected. * Perforce tests have been updated. * The credential helper to talk to OSX keychain sometimes sent garbage bytes after the username, which has been corrected. * A recent update broke "git ls-remote" used outside a repository, which has been corrected. * "git config --value=foo --fixed-value section.key newvalue" barfed when the existing value in the configuration file used the valueless true syntax, which has been corrected. * "git reflog expire" failed to honor annotated tags when computing reachable commits. * A flakey test and incorrect calls to strtoX() functions have been fixed. * Follow-up on 2.45.1 regression fix. * "git rev-list ... | git diff-tree -p --remerge-diff --stdin" should behave more or less like "git log -p --remerge-diff" but instead it crashed, forgetting to prepare a temporary object store needed. * The patch parser in "git patch-id" has been tightened to avoid getting confused by lines that look like a patch header in the log message. * "git bundle unbundle" outside a repository triggered a BUG() unnecessarily, which has been corrected. * The code forgot to discard unnecessary in-core commit buffer data for commits that "git log --skip=<number>" traversed but omitted from the output, which has been corrected. * "git verify-pack" and "git index-pack" started dying outside a repository, which has been corrected. * A corner case bug in "git stash" was fixed. - Change less requirement to path to allow for use with BusyBox - Update to 2.46.0 UI, Workflows & Features * The "--rfc" option of "git format-patch" learned to take an optional string value to be used in place of "RFC" to tweak the "[PATCH]" on the subject header. * The credential helper protocol, together with the HTTP layer, have been enhanced to support authentication schemes different from username & password pair, like Bearer and NTLM. * Command line completion script (in contrib/) learned to complete "git symbolic-ref" a bit better (you need to enable plumbing commands to be completed with GIT_COMPLETION_SHOW_ALL_COMMANDS). * When the user responds to a prompt given by "git add -p" with an unsupported command, list of available commands were given, which was too much if the user knew what they wanted to type but merely made a typo. Now the user gets a much shorter error message. * The color parsing code learned to handle 12-bit RGB colors, spelled as "#RGB" (in addition to "#RRGGBB" that is already supported). * The operation mode options (like "--get") the "git config" command uses have been deprecated and replaced with subcommands (like "git config get"). * "git tag" learned the "--trailer" option to futz with the trailers in the same way as "git commit" does. * A new global "--no-advice" option can be used to disable all advice messages, which is meant to be used only in scripts. * Updates to symbolic refs can now be made as a part of ref transaction. * The trailer API has been reshuffled a bit. * Terminology to call various ref-like things are getting straightened out. * The command line completion script (in contrib/) has been adjusted to the recent update to "git config" that adopted subcommand based UI. * The knobs to tweak how reftable files are written have been made available as configuration variables. * When "git push" notices that the commit at the tip of the ref on the other side it is about to overwrite does not exist locally, it used to first try fetching it if the local repository is a partial clone. The command has been taught not to do so and immediately fail instead. * The promisor.quiet configuration knob can be set to true to make lazy fetching from promisor remotes silent. * The inter/range-diff output has been moved to the end of the patch when format-patch adds it to a single patch, instead of writing it before the patch text, to be consistent with what is done for a cover letter for a multi-patch series. * A new command has been added to migrate a repository that uses the files backend for its ref storage to use the reftable backend, with limitations. * "git diff --exit-code --ext-diff" learned to take the exit status of the external diff driver into account when deciding the exit status of the overall "git diff" invocation when configured to do so. * "git update-ref --stdin" learned to handle transactional updates of symbolic-refs. * "git format-patch --interdiff" for multi-patch series learned to turn on cover letters automatically (unless told never to enable cover letter with "--no-cover-letter" and such). * The "--heads" option of "ls-remote" and "show-ref" has been been deprecated; "--branches" replaces "--heads". * For over a year, setting add.interactive.useBuiltin configuration variable did nothing but giving a "this does not do anything" warning. The warning has been removed. * The http transport can now be told to send request with authentication material without first getting a 401 response. * A handful of entries are added to the GitFAQ document. * "git var GIT_SHELL_PATH" should report the path to the shell used to spawn external commands, but it didn't do so on Windows, which has been corrected. Performance, Internal Implementation, Development Support etc. * Advertise "git contacts", a tool for newcomers to find people to ask review for their patches, a bit more in our developer documentation. * In addition to building the objects needed, try to link the objects that are used in fuzzer tests, to make sure at least they build without bitrot, in Linux CI runs. * Code to write out reftable has seen some optimization and simplification. * Tests to ensure interoperability between reftable written by jgit and our code have been added and enabled in CI. * The singleton index_state instance "the_index" has been eliminated by always instantiating "the_repository" and replacing references to "the_index" with references to its .index member. * Git-GUI has a new maintainer, Johannes Sixt. * The "test-tool" has been taught to run testsuite tests in parallel, bypassing the need to use the "prove" tool. * The "whitespace check" task that was enabled for GitHub Actions CI has been ported to GitLab CI. * The refs API lost functions that implicitly assumes to work on the primary ref_store by forcing the callers to pass a ref_store as an argument. * Code clean-up to reduce inter-function communication inside builtin/config.c done via the use of global variables. * The pack bitmap code saw some clean-up to prepare for a follow-up topic. * Preliminary code clean-up for "git send-email". * The default "creation-factor" used by "git format-patch" has been raised to make it more aggressively find matching commits. * Before discovering the repository details, We used to assume SHA-1 as the "default" hash function, which has been corrected. Hopefully this will smoke out codepaths that rely on such an unwarranted assumptions. * The project decision making policy has been documented. * The strcmp-offset tests have been rewritten using the unit test framework. * "git add -p" learned to complain when an answer with more than one letter is given to a prompt that expects a single letter answer. * The alias-expanded command lines are logged to the trace output. * A new test was added to ensure git commands that are designed to run outside repositories do work. * A few tests in reftable library have been rewritten using the unit test framework. * A pair of test helpers that essentially are unit tests on hash algorithms have been rewritten using the unit-tests framework. * A test helper that essentially is unit tests on the "decorate" logic has been rewritten using the unit-tests framework. * Many memory leaks in the sparse-checkout code paths have been plugged. * "make check-docs" noticed problems and reported to its output but failed to signal its findings with its exit status, which has been corrected. * Building with "-Werror -Wwrite-strings" is now supported. * To help developers, the build procedure now allows builders to use CFLAGS_APPEND to specify additional CFLAGS. * "oidtree" tests were rewritten to use the unit test framework. * The structure of the document that records longer-term project decisions to deprecate/remove/update various behaviour has been outlined. * The pseudo-merge reachability bitmap to help more efficient storage of the reachability bitmap in a repository with too many refs has been added. * When "git merge" sees that the index cannot be refreshed (e.g. due to another process doing the same in the background), it died but after writing MERGE_HEAD etc. files, which was useless for the purpose to recover from the failure. * The output from "git cat-file --batch-check" and "--batch-command (info)" should not be unbuffered, for which some tests have been added. * A CPP macro USE_THE_REPOSITORY_VARIABLE is introduced to help transition the codebase to rely less on the availability of the singleton the_repository instance. * "git version --build-options" reports the version information of OpenSSL and other libraries (if used) in the build. * Memory ownership rules for the in-core representation of remote.*.url configuration values have been straightened out, which resulted in a few leak fixes and code clarification. * When bundleURI interface fetches multiple bundles, Git failed to take full advantage of all bundles and ended up slurping duplicated objects, which has been corrected. * The code to deal with modified paths that are out-of-cone in a sparsely checked out working tree has been optimized. * An existing test of oidmap API has been rewritten with the unit-test framework. * The "ort" merge backend saw one bugfix for a crash that happens when inner merge gets killed, and assorted code clean-ups. * A new warning message is issued when a command has to expand a sparse index to handle working tree cruft that are outside of the sparse checkout. * The test framework learned to take the test body not as a single string but as a here-document. * "git push '' HEAD:there" used to hit a BUG(); it has been corrected to die with "fatal: bad repository ''". * What happens when http.cookieFile gets the special value "" has been clarified in the documentation. Fixes * "git rebase --signoff" used to forget that it needs to add a sign-off to the resulting commit when told to continue after a conflict stops its operation. * The procedure to build multi-pack-index got confused by the replace-refs mechanism, which has been corrected by disabling the latter. * The "-k" and "--rfc" options of "format-patch" will now error out when used together, as one tells us not to add anything to the title of the commit, and the other one tells us to add "RFC" in addition to "PATCH". * "git stash -S" did not handle binary files correctly, which has been corrected. * A scheduled "git maintenance" job is expected to work on all repositories it knows about, but it stopped at the first one that errored out. Now it keeps going. * zsh can pretend to be a normal shell pretty well except for some glitches that we tickle in some of our scripts. Work them around so that "vimdiff" and our test suite works well enough with it. * Command line completion support for zsh (in contrib/) has been updated to stop exposing internal state to end-user shell interaction. * Tests that try to corrupt in-repository files in chunked format did not work well on macOS due to its broken "mv", which has been worked around. * The maximum size of attribute files is enforced more consistently. * Unbreak CI jobs so that we do not attempt to use Python 2 that has been removed from the platform. * Git 2.43 started using the tree of HEAD as the source of attributes in a bare repository, which has severe performance implications. For now, revert the change, without ripping out a more explicit support for the attr.tree configuration variable. * The "--exit-code" option of "git diff" command learned to work with the "--ext-diff" option. * Windows CI running in GitHub Actions started complaining about the order of arguments given to calloc(); the imported regex code uses the wrong order almost consistently, which has been corrected. * Expose "name conflict" error when a ref creation fails due to D/F conflict in the ref namespace, to improve an error message given by "git fetch". (merge 9339fca23e it/refs-name-conflict later to maint). * The SubmittingPatches document now refers folks to manpages translation project. * The documentation for "git diff --name-only" has been clarified that it is about showing the names in the post-image tree. * The credential helper that talks with osx keychain learned to avoid storing back the authentication material it just got received from the keychain. (merge e1ab45b2da kn/osxkeychain-skip-idempotent-store later to maint). * The chainlint script (invoked during "make test") did nothing when it failed to detect the number of available CPUs. It now falls back to 1 CPU to avoid the problem. * Revert overly aggressive "layered defence" that went into 2.45.1 and friends, which broke "git-lfs", "git-annex", and other use cases, so that we can rebuild necessary counterparts in the open. * "git init" in an already created directory, when the user configuration has includeif.onbranch, started to fail recently, which has been corrected. * Memory leaks in "git mv" has been plugged. * The safe.directory configuration knob has been updated to optionally allow leading path matches. * An overly large ".gitignore" files are now rejected silently. * Upon expiration event, the credential subsystem forgot to clear in-core authentication material other than password (whose support was added recently), which has been corrected. * Fix for an embarrassing typo that prevented Python2 tests from running anywhere. * Varargs functions that are unannotated as printf-like or execl-like have been annotated as such. * "git am" has a safety feature to prevent it from starting a new session when there already is a session going. It reliably triggers when a mbox is given on the command line, but it has to rely on the tty-ness of the standard input. Add an explicit way to opt out of this safety with a command line option. (merge 62c71ace44 jk/am-retry later to maint). * A leak in "git imap-send" that somehow escapes LSan has been plugged. * Setting core.abbrev too early before the repository set-up (typically in "git clone") caused segfault, which as been corrected. * When the user adds to "git rebase -i" instruction to "pick" a merge commit, the error experience is not pleasant. Such an error is now caught earlier in the process that parses the todo list. * We forgot to normalize the result of getcwd() to NFC on macOS where all other paths are normalized, which has been corrected. This still does not address the case where core.precomposeUnicode configuration is not defined globally. * Earlier we stopped using the tree of HEAD as the default source of attributes in a bare repository, but failed to document it. This has been corrected. * "git update-server-info" and "git commit-graph --write" have been updated to use the tempfile API to avoid leaving cruft after failing. * An unused extern declaration for mingw has been removed to prevent it from causing build failure. * A helper function shared between two tests had a copy-paste bug, which has been corrected. * "git fetch-pack -k -k" without passing "--lock-pack" (which we never do ourselves) did not work at all, which has been corrected. * CI job to build minimum fuzzers learned to pass NO_CURL=NoThanks to the build procedure, as its build environment does not offer, or the rest of the build needs, anything cURL. (merge 4e66b5a990 jc/fuzz-sans-curl later to maint). * "git diff --no-ext-diff" when diff.external is configured ignored the "--color-moved" option. (merge 0f4b0d4cf0 rs/diff-color-moved-w-no-ext-diff-fix later to maint). * "git archive --add-virtual-file=<path>:<contents>" never paid attention to the --prefix=<prefix> option but the documentation said it would. The documentation has been corrected. (merge 72c282098d jc/archive-prefix-with-add-virtual-file later to maint). * When GIT_PAGER failed to spawn, depending on the code path taken, we failed immediately (correct) or just spew the payload to the standard output (incorrect). The code now always fail immediately when GIT_PAGER fails. (merge 78f0a5d187 rj/pager-die-upon-exec-failure later to maint). * date parser updates to be more careful about underflowing epoch based timestamp. (merge 9d69789770 db/date-underflow-fix later to maint). * The Bloom filter used for path limited history traversal was broken on systems whose "char" is unsigned; update the implementation and bump the format version to 2. (merge 9c8a9ec787 tb/path-filter-fix later to maint). * Typofix. (merge 231cf7370e as/pathspec-h-typofix later to maint). * Code clean-up. (merge 4b837f821e rs/simplify-submodule-helper-super-prefix-invocation later to maint). * "git describe --dirty --broken" forgot to refresh the index before seeing if there is any chang, ("git describe --dirty" correctly did so), which has been corrected. (merge b8ae42e292 as/describe-broken-refresh-index-fix later to maint). * Test suite has been taught not to unnecessarily rely on DNS failing a bogus external name. (merge 407cdbd271 jk/tests-without-dns later to maint). * GitWeb update to use committer date consistently in rss/atom feeds. (merge cf6ead095b am/gitweb-feed-use-committer-date later to maint). * Custom control structures we invented more recently have been taught to the clang-format file. (merge 1457dff9be rs/clang-format-updates later to maint). * Developer build procedure fix. (merge df32729866 tb/dev-build-pedantic-fix later to maint). * "git push" that pushes only deletion gave an unnecessary and harmless error message when push negotiation is configured, which has been corrected. (merge 4d8ee0317f jc/disable-push-nego-for-deletion later to maint). * Address-looking strings found on the trailer are now placed on the Cc: list after running through sanitize_address by "git send-email". (merge c852531f45 cb/send-email-sanitize-trailer-addresses later to maint). * Tests that use GIT_TEST_SANITIZE_LEAK_LOG feature got their exit status inverted, which has been corrected. (merge 8c1d6691bc rj/test-sanitize-leak-log-fix later to maint). * The http.cookieFile and http.saveCookies configuration variables have a few values that need to be avoided, which are now ignored with warning messages. (merge 4f5822076f jc/http-cookiefile later to maint). * Repacking a repository with multi-pack index started making stupid pack selections in Git 2.45, which has been corrected. (merge 8fb6d11fad ds/midx-write-repack-fix later to maint). * Fix documentation mark-up regression in 2.45. (merge 6474da0aa4 ja/doc-markup-updates-fix later to maint). * Work around asciidoctor's css that renders `monospace` material in the SYNOPSIS section of manual pages as block elements. (merge d44ce6ddd5 js/doc-markup-updates-fix later to maint). - CVE-2024-24577: Fixed arbitrary code execution due to heap corruption in git_index_add (bsc#1219660) - Update to 2.45.2: * Revert "defense in depth" fixes from 2.45.1 broke 'git lfs' and 'git annex' - remove dependency on /usr/bin/python3 using %python3_fix_shebang_path macro, [bsc#1212476] The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Micro-6.0-470 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ Link for SUSE-SU-2025:20721-1 https://lists.suse.com/pipermail/sle-updates/2025-September/041929.html E-Mail link for SUSE-SU-2025:20721-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1212476 SUSE Bug 1212476 https://bugzilla.suse.com/1219660 SUSE Bug 1219660 https://bugzilla.suse.com/1235600 SUSE Bug 1235600 https://bugzilla.suse.com/1235601 SUSE Bug 1235601 https://bugzilla.suse.com/1239989 SUSE Bug 1239989 https://bugzilla.suse.com/1245938 SUSE Bug 1245938 https://bugzilla.suse.com/1245939 SUSE Bug 1245939 https://bugzilla.suse.com/1245942 SUSE Bug 1245942 https://bugzilla.suse.com/1245943 SUSE Bug 1245943 https://bugzilla.suse.com/1245946 SUSE Bug 1245946 https://bugzilla.suse.com/1245947 SUSE Bug 1245947 https://www.suse.com/security/cve/CVE-2024-24577/ SUSE CVE CVE-2024-24577 page https://www.suse.com/security/cve/CVE-2024-50349/ SUSE CVE CVE-2024-50349 page https://www.suse.com/security/cve/CVE-2024-52006/ SUSE CVE CVE-2024-52006 page https://www.suse.com/security/cve/CVE-2025-27613/ SUSE CVE CVE-2025-27613 page https://www.suse.com/security/cve/CVE-2025-27614/ SUSE CVE CVE-2025-27614 page https://www.suse.com/security/cve/CVE-2025-46334/ SUSE CVE CVE-2025-46334 page https://www.suse.com/security/cve/CVE-2025-46835/ SUSE CVE CVE-2025-46835 page https://www.suse.com/security/cve/CVE-2025-48384/ SUSE CVE CVE-2025-48384 page https://www.suse.com/security/cve/CVE-2025-48385/ SUSE CVE CVE-2025-48385 page https://www.suse.com/security/cve/CVE-2025-48386/ SUSE CVE CVE-2025-48386 page SUSE Linux Micro 6.0 git-2.51.0-1.1 git-core-2.51.0-1.1 perl-Git-2.51.0-1.1 git-2.51.0-1.1 as a component of SUSE Linux Micro 6.0 git-core-2.51.0-1.1 as a component of SUSE Linux Micro 6.0 perl-Git-2.51.0-1.1 as a component of SUSE Linux Micro 6.0 libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2. CVE-2024-24577 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2024-24577.html CVE-2024-24577 https://bugzilla.suse.com/1219660 SUSE Bug 1219660 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. CVE-2024-50349 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2024-50349.html CVE-2024-50349 https://bugzilla.suse.com/1235600 SUSE Bug 1235600 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. CVE-2024-52006 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2024-52006.html CVE-2024-52006 https://bugzilla.suse.com/1235601 SUSE Bug 1235601 Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. CVE-2025-27613 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-27613.html CVE-2025-27613 https://bugzilla.suse.com/1245938 SUSE Bug 1245938 Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50. CVE-2025-27614 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-27614.html CVE-2025-27614 https://bugzilla.suse.com/1245939 SUSE Bug 1245939 Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. CVE-2025-46334 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-46334.html CVE-2025-46334 https://bugzilla.suse.com/1245940 SUSE Bug 1245940 Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. CVE-2025-46835 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-46835.html CVE-2025-46835 https://bugzilla.suse.com/1245942 SUSE Bug 1245942 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. CVE-2025-48384 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-48384.html CVE-2025-48384 https://bugzilla.suse.com/1245943 SUSE Bug 1245943 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. CVE-2025-48385 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-48385.html CVE-2025-48385 https://bugzilla.suse.com/1245946 SUSE Bug 1245946 Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. CVE-2025-48386 SUSE Linux Micro 6.0:git-2.51.0-1.1 SUSE Linux Micro 6.0:git-core-2.51.0-1.1 SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1 critical To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/ https://www.suse.com/security/cve/CVE-2025-48386.html CVE-2025-48386 https://bugzilla.suse.com/1245947 SUSE Bug 1245947