Multiple Git vulnerabilities in 2.24 and older
Learn more about the security vulnerabilities in Git 2.24 and older.
Today, the Git project released a series of security patches to address multiple security vulnerabilities in versions 2.24 and older.
These updates are highly recommended for all Git users, but they’re especially critical if you use Git on Windows[1]. If you clone untrusted repositories, there is no workaround that avoids the risk of any vulnerabilities disclosed in this post, except for updating.
If you use Git on another operating system, this update is still highly recommended. However, if you can’t update immediately, here are some things you can do to reduce your risk:
- Avoid running
git clone --recurse-submodules
andgit submodule update
with untrusted repositories. - Avoid running
git fast-import
on untrusted input streams. It’s still safe to use remote helpers that usegit fast-import
on the backend (such asgit-remote-hg
,git-p4
). - Avoid cloning untrusted repositories into NTFS mounts on any platform.
The new releases contain partial support for rejecting pushes that exploit these vulnerabilities, but some cases remain uncovered. It’s important to update, and not rely on hosting providers to block all exploits.
If you use GitHub Enterprise Server, these fixes will be included in the next patch release for all supported versions.
[1]: CVEs CVE-2019-1350, CVE-2019-1351, CVE-2019-1352, CVE-2019-1353, and, CVE-2019-1354 are Windows-specific vulnerabilities that can lead to remote code execution when cloning an untrusted repository. They’re patched only in today’s security releases. CVE-2019-1352 can affect non-Windows users, but only if you mount an NTFS volume.
Tags:
Written by
Related posts
What the EU’s new software legislation means for developers
The EU Cyber Resilience Act will introduce new cybersecurity requirements for software released in the EU. Learn what it means for your open source projects and what GitHub is doing to ensure the law will be a net win for open source maintainers.
Game Off 2024 theme announcement
GitHub’s annual month-long game jam, where creativity knows no limits! Throughout November, dive into your favorite game engines, libraries, and programming languages to bring your wildest game ideas to life. Whether you’re a seasoned dev or just getting started, it’s all about having fun and making something awesome!
Highlights from Git 2.47
Git 2.47 is here, with features like incremental multi-pack indexes and more. Check out our coverage of some of the highlights here.