Responding to the recent critical vulns in Git


Kelly, Alan C

Jan 23, 2023, 2:57:37 PM1/23/23
to git-for...@googlegroups.com

Hello,

In light of the critical severity of CVE-2022-41903 and CVE-2022-23521, the fixes for which were backported into old Git versions such as 2.34.6, 2.35.6, etc. all the way back to 2.30.7, is there any chance of getting corresponding Git for Windows releases for any of those? I don’t know what the typical practice is for situations like this, but a vendor is telling me that Git 2.39.x is not supported by their product, so I might need a patched version of Git for Windows from an older Git release (ideally Git 2.35.6).

If that’s not possible, I completely understand, I just have to ask the question, so we know definitively what’s possible and what’s not.

Thank you for your time,

-Alan

Johannes Schindelin

Jan 24, 2023, 5:16:07 AM1/24/23
to Kelly, Alan C, git-for...@googlegroups.com
Hi Alan,

As per
https://github.com/git-for-windows/git/security/policy#supported-versions:

While Git maintains several release trains (when v2.19.1 was
released, there were updates to v2.14.x-v2.18.x, too, for
example), Git for Windows follows only the latest Git release. For
example, there is no Git for Windows release corresponding to Git
v2.16.5 (which was released after v2.19.0).

So no, there are no official backports to earlier Git versions.

If you require an earlier Git version, you're not completely out of luck,
though. It just so happens that we occasionally build _MinGit_ backports,
in particular when large stakeholders indicate that they cannot easily
move off of the older release train.

So there is
https://github.com/git-for-windows/git/releases/tag/v2.35.6.windows.1

Obviously, MinGit is not a full Git for Windows. If you need a full Git
for Windows, you will have to build it yourself, from that tag, using the
documentation detailed at
https://github.com/git-for-windows/git/wiki/Making-an-installer

Ciao,
Johannes
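As an added example that is not part of the thread and not code from the Git for Windows project: a POSIX shell check (it runs from Git Bash as well) that tells whether a given `git --version` string is at or past the fixed release of its own maintenance train, which is the release-train view Johannes describes above. The per-train fixed versions are an assumption taken from the upstream Git security release of January 2023; the thread itself only names 2.30.7, 2.34.6, 2.35.6 and 2.39.x, so verify the list against the upstream announcement before relying on it.

```shell
#!/bin/sh
# Added example (not code from the thread or from Git for Windows): decide
# whether a `git --version` string is at or past the fixed release of its own
# maintenance train for CVE-2022-41903 / CVE-2022-23521.
#
# ASSUMPTION: the per-train fixed versions below are taken from the upstream
# Git security release of January 2023; the thread itself names only 2.30.7,
# 2.34.6, 2.35.6 and 2.39.x. Check the list against the upstream announcement
# before relying on it.
FIXED_VERSIONS="2.30.7 2.31.6 2.32.5 2.33.6 2.34.6 2.35.6 2.36.4 2.37.5 2.38.3 2.39.1"

# Reduce "git version 2.35.1.windows.2" (Git for Windows) or "2.39.1" to the
# upstream major.minor[.patch] part; prints nothing for unparseable input.
upstream_version() {
    s=${1#"git version "}
    printf '%s\n' "$s" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p'
}

# git_is_patched "<version string>"
# Exit status: 0 = patched, 1 = vulnerable (or on a train that never got a
# fix), 2 = version string not understood. Sets GIT_FIX to the fixed release
# of the same train when one exists.
git_is_patched() {
    GIT_FIX=""
    v=$(upstream_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # "2.39" reported without a patch level

    # Look up the fixed patch level of this major.minor train.
    fixed=""
    for f in $FIXED_VERSIONS; do
        case "$f" in
            "$major.$minor".*) fixed=${f##*.} ;;
        esac
    done

    if [ -z "$fixed" ]; then
        # Trains newer than 2.39 were cut after the fix; older ones never got one.
        if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -gt 39 ]; }; then
            return 0
        fi
        return 1
    fi
    GIT_FIX="$major.$minor.$fixed"
    [ "$patch" -ge "$fixed" ]
}

# Human-readable verdict; exit status as for git_is_patched.
report() {
    rc=0
    git_is_patched "$1" || rc=$?
    case $rc in
        0) echo "PATCHED: $1" ;;
        1) echo "VULNERABLE: $1 (fixed release for this train: ${GIT_FIX:-none, move to a supported train})" ;;
        *) echo "UNKNOWN: cannot parse '$1'" ;;
    esac
    return "$rc"
}

# Run directly:  sh check-git.sh "$(git --version)"
if [ $# -gt 0 ]; then
    report "$1"
fi
```

On Git for Windows, `git --version` prints something like `git version 2.39.1.windows.1`; the `.windows.N` suffix is the Git for Windows build number and is ignored here, because the CVE fix lives in the upstream part. The check takes the release-train view from the policy quoted above: a 2.35.x build is judged against 2.35.6 (the MinGit backport tag Johannes links), not against 2.39.1.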

Dirk Heinrichs

Jan 24, 2023, 5:31:28 AM1/24/23
to git-for...@googlegroups.com, Alan....@gdit.com
On Monday, 23.01.2023 at 19:57 +0000, 'Kelly, Alan C' via git-for-windows wrote:

> but a vendor is telling me that Git 2.39.x is not supported by their product

In many cases "not supported" doesn't mean "not working". It usually means the vendor hasn't tested it yet and doesn't give a guarantee. So you might just try yourself...

HTH...

Dirk
-- 
Dirk Heinrichs
Senior Systems Engineer, Delivery Pipeline
OpenText ™ Discovery | Recommind
Recommind GmbH, Von-Liebig-Straße 1, 53359 Rheinbach