aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation/RelNotes
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/RelNotes')
-rw-r--r--Documentation/RelNotes/2.43.7.adoc73
-rw-r--r--Documentation/RelNotes/2.44.4.adoc7
-rw-r--r--Documentation/RelNotes/2.45.4.adoc7
-rw-r--r--Documentation/RelNotes/2.46.4.adoc7
-rw-r--r--Documentation/RelNotes/2.47.3.adoc8
-rw-r--r--Documentation/RelNotes/2.48.2.adoc8
-rw-r--r--Documentation/RelNotes/2.49.1.adoc12
-rw-r--r--Documentation/RelNotes/2.50.1.adoc8
-rw-r--r--Documentation/RelNotes/2.51.0.adoc145
9 files changed, 275 insertions, 0 deletions
diff --git a/Documentation/RelNotes/2.43.7.adoc b/Documentation/RelNotes/2.43.7.adoc
new file mode 100644
index 0000000000..95702a036e
--- /dev/null
+++ b/Documentation/RelNotes/2.43.7.adoc
@@ -0,0 +1,73 @@
+Git v2.43.7 Release Notes
+=========================
+
+This release includes fixes for CVE-2025-27613, CVE-2025-27614,
+CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
+CVE-2025-48386.
+
+Fixes since v2.43.6
+-------------------
+
+ * CVE-2025-27613, Gitk:
+
+ When a user clones an untrusted repository and runs Gitk without
+ additional command arguments, any writable file can be created and
+ truncated. The option "Support per-file encoding" must have been
+ enabled. The operation "Show origin of this line" is affected as
+ well, regardless of the option being enabled or not.
+
+ * CVE-2025-27614, Gitk:
+
+ A Git repository can be crafted in such a way that a user who has
+ cloned the repository can be tricked into running any script
+ supplied by the attacker by invoking `gitk filename`, where
+ `filename` has a particular structure.
+
+ * CVE-2025-46334, Git GUI (Windows only):
+
+ A malicious repository can ship versions of sh.exe or typical
+ textconv filter programs such as astextplain. On Windows, path
+ lookup can find such executables in the worktree. These programs
+ are invoked when the user selects "Git Bash" or "Browse Files" from
+ the menu.
+
+ * CVE-2025-46835, Git GUI:
+
+ When a user clones an untrusted repository and is tricked into
+ editing a file located in a maliciously named directory in the
+ repository, then Git GUI can create and overwrite any writable
+ file.
+
+ * CVE-2025-48384, Git:
+
+ When reading a config value, Git strips any trailing carriage
+ return and line feed (CRLF). When writing a config entry, values
+ with a trailing CR are not quoted, causing the CR to be lost when
+ the config is later read. When initializing a submodule, if the
+ submodule path contains a trailing CR, the altered path is read
+ resulting in the submodule being checked out to an incorrect
+ location. If a symlink exists that points the altered path to the
+ submodule hooks directory, and the submodule contains an executable
+ post-checkout hook, the script may be unintentionally executed
+ after checkout.
+
+ * CVE-2025-48385, Git:
+
+ When cloning a repository Git knows to optionally fetch a bundle
+ advertised by the remote server, which allows the server-side to
+ offload parts of the clone to a CDN. The Git client does not
+ perform sufficient validation of the advertised bundles, which
+ allows the remote side to perform protocol injection.
+
+ This protocol injection can cause the client to write the fetched
+ bundle to a location controlled by the adversary. The fetched
+ content is fully controlled by the server, which can in the worst
+ case lead to arbitrary code execution.
+
+ * CVE-2025-48386, Git:
+
+ The wincred credential helper uses a static buffer (`target`) as a
+ unique key for storing and comparing against internal storage. This
+ credential helper does not properly bounds check the available
+ space remaining in the buffer before appending to it with
+ `wcsncat()`, leading to potential buffer overflows.
diff --git a/Documentation/RelNotes/2.44.4.adoc b/Documentation/RelNotes/2.44.4.adoc
new file mode 100644
index 0000000000..8db4d5b537
--- /dev/null
+++ b/Documentation/RelNotes/2.44.4.adoc
@@ -0,0 +1,7 @@
+Git v2.44.4 Release Notes
+=========================
+
+This release merges up the fixes that appears in v2.43.7 to address
+the following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
+CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386.
+See the release notes for v2.43.7 for details.
diff --git a/Documentation/RelNotes/2.45.4.adoc b/Documentation/RelNotes/2.45.4.adoc
new file mode 100644
index 0000000000..5b50d8daf0
--- /dev/null
+++ b/Documentation/RelNotes/2.45.4.adoc
@@ -0,0 +1,7 @@
+Git v2.45.4 Release Notes
+=========================
+
+This release merges up the fixes that appears in v2.43.7, and v2.44.4
+to address the following CVEs: CVE-2025-27613, CVE-2025-27614,
+CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
+CVE-2025-48386. See the release notes for v2.43.7 for details.
diff --git a/Documentation/RelNotes/2.46.4.adoc b/Documentation/RelNotes/2.46.4.adoc
new file mode 100644
index 0000000000..622f4c752f
--- /dev/null
+++ b/Documentation/RelNotes/2.46.4.adoc
@@ -0,0 +1,7 @@
+Git v2.46.4 Release Notes
+=========================
+
+This release merges up the fixes that appears in v2.43.7, v2.44.4, and
+v2.45.4 to address the following CVEs: CVE-2025-27613, CVE-2025-27614,
+CVE-2025-46334, CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
+CVE-2025-48386. See the release notes for v2.43.7 for details.
diff --git a/Documentation/RelNotes/2.47.3.adoc b/Documentation/RelNotes/2.47.3.adoc
new file mode 100644
index 0000000000..bc2a2b833b
--- /dev/null
+++ b/Documentation/RelNotes/2.47.3.adoc
@@ -0,0 +1,8 @@
+Git v2.47.3 Release Notes
+=========================
+
+This release merges up the fixes that appears in v2.43.7, v2.44.4,
+v2.45.4, and v2.46.4 to address the following CVEs: CVE-2025-27613,
+CVE-2025-27614, CVE-2025-46334, CVE-2025-46835, CVE-2025-48384,
+CVE-2025-48385, and CVE-2025-48386. See the release notes for v2.43.7
+for details.
diff --git a/Documentation/RelNotes/2.48.2.adoc b/Documentation/RelNotes/2.48.2.adoc
new file mode 100644
index 0000000000..f3f2f90c2b
--- /dev/null
+++ b/Documentation/RelNotes/2.48.2.adoc
@@ -0,0 +1,8 @@
+Git v2.48.2 Release Notes
+=========================
+
+This release merges up the fixes that appears in v2.43.7, v2.44.4,
+v2.45.4, v2.46.4, and v2.47.3 to address the following CVEs:
+CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835,
+CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release
+notes for v2.43.7 for details.
diff --git a/Documentation/RelNotes/2.49.1.adoc b/Documentation/RelNotes/2.49.1.adoc
new file mode 100644
index 0000000000..c619e8b495
--- /dev/null
+++ b/Documentation/RelNotes/2.49.1.adoc
@@ -0,0 +1,12 @@
+Git v2.49.1 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.43.7, v2.44.4,
+v2.45.4, v2.46.4, v2.47.3, and v2.48.2 to address the following CVEs:
+CVE-2025-27613, CVE-2025-27614, CVE-2025-46334, CVE-2025-46835,
+CVE-2025-48384, CVE-2025-48385, and CVE-2025-48386. See the release
+notes for v2.43.7 for details.
+
+It also contains some updates to various CI bits to work around
+and/or to adjust to the deprecation of use of Ubuntu 20.04 GitHub
+Actions CI, updates to to Fedora base image.
diff --git a/Documentation/RelNotes/2.50.1.adoc b/Documentation/RelNotes/2.50.1.adoc
new file mode 100644
index 0000000000..aa4a71adbc
--- /dev/null
+++ b/Documentation/RelNotes/2.50.1.adoc
@@ -0,0 +1,8 @@
+Git v2.50.1 Release Notes
+=========================
+
+This release merges up the fixes that appear in v2.43.7, v2.44.4,
+v2.45.4, v2.46.4, v2.47.3, v2.48.2, and v2.49.1 to address the
+following CVEs: CVE-2025-27613, CVE-2025-27614, CVE-2025-46334,
+CVE-2025-46835, CVE-2025-48384, CVE-2025-48385, and
+CVE-2025-48386. See the release notes for v2.43.7 for details.
diff --git a/Documentation/RelNotes/2.51.0.adoc b/Documentation/RelNotes/2.51.0.adoc
index 4f2a34b47d..8ff921809a 100644
--- a/Documentation/RelNotes/2.51.0.adoc
+++ b/Documentation/RelNotes/2.51.0.adoc
@@ -18,6 +18,35 @@ UI, Workflows & Features
pathspec at the end of the command line, just like normal "git
diff".
+ * "git subtree" (in contrib/) learned to grok GPG signing its commits.
+
+ * "git whatchanged" that is longer to type than "git log --raw"
+ which is its modern rough equivalent has outlived its usefulness
+ more than 10 years ago. Plan to deprecate and remove it.
+
+ * An interchange format for stash entries is defined, and subcommand
+ of "git stash" to import/export has been added.
+
+ * "git merge/pull" has been taught the "--compact-summary" option to
+ use the compact-summary format, intead of diffstat, when showing
+ the summary of the incoming changes.
+
+ * "git imap-send" has been broken for a long time, which has been
+ resurrected and then taught to talk OAuth2.0 etc.
+
+ * Some error messages from "git imap-send" has been updated.
+
+ * When "git daemon" sees a signal while attempting to accept() a new
+ client, instead of retrying, it skipped it by mistake, which has
+ been corrected.
+
+ * The reftable ref backend has matured enough; Git 3.0 will make it
+ the default format in a newly created repositories by default.
+
+ * "netrc" credential helper has been improved to understand textual
+ service names (like smtp) in addition to the numeric port numbers
+ (like 25).
+
Performance, Internal Implementation, Development Support etc.
--------------------------------------------------------------
@@ -32,10 +61,40 @@ Performance, Internal Implementation, Development Support etc.
* Meson-based build/test framework now understands TAP output
generated by our tests.
+ * "Do not explicitly initialize to zero" rule has been clarified in
+ the CodingGuidelines document.
+
+ * A test helper "test_seq" function learned the "-f <fmt>" option,
+ which allowed us to simplify a lot of test scripts.
+
+ * A lot of stale stuff has been removed from the contrib/ hierarchy.
+
+ * "git push" and "git fetch" are taught to update refs in batches to
+ gain performance.
+
+ * Some code paths in the "git prune" used to ignore passed in
+ repository object and used the_repository singleton instance
+ instead, which has been corrected.
+
+ * Update ".clang-format" and ".editorconfig" to match our style guide
+ a bit better.
+
+ * "make coccicheck" succeeds even when spatch made suggestions, which
+ has been updated to fail in such a case.
+
+ * Code clean-up around object access API.
+
+ * Define .precision to more canned parse-options type to avoid bugs
+ coming from using a variable with a wrong type to capture the
+ parsed values.
+
Fixes since v2.50
-----------------
+Unless otherwise noted, all the changes in 2.50.X maintenance track,
+including security updates, are included in this release.
+
* A memory-leak in an error code path has been plugged.
(merge 7082da85cb ly/commit-graph-graph-write-leakfix later to maint).
@@ -47,6 +106,78 @@ Fixes since v2.50
corrected.
(merge 3717a5775a jw/doc-txt-to-adoc-refs later to maint).
+ * "git stash -p <pathspec>" improvements.
+ (merge 468817bab2 pw/stash-p-pathspec-fixes later to maint).
+
+ * "git send-email" incremented its internal message counter when a
+ message was edited, which made logic that treats the first message
+ specially misbehave, which has been corrected.
+ (merge 2cc27b3501 ag/send-email-edit-threading-fix later to maint).
+
+ * "git stash" recorded a wrong branch name when submodules are
+ present in the current checkout, which has been corrected.
+ (merge ffb36c64f2 kj/stash-onbranch-submodule-fix later to maint).
+
+ * When asking to apply mailmap to both author and committer field
+ while showing a commit object, the field that appears later was not
+ correctly parsed and replaced, which has been corrected.
+ (merge abf94a283f sa/multi-mailmap-fix later to maint).
+
+ * "git maintenance" lacked the care "git gc" had to avoid holding
+ onto the repository lock for too long during packing refs, which
+ has been remedied.
+ (merge 1b5074e614 ps/maintenance-ref-lock later to maint).
+
+ * Avoid regexp_constraint and instead use comparison_constraint when
+ listing functions to exclude from application of coccinelle rules,
+ as spatch can be built with different regexp engine X-<.
+ (merge f2ad545813 jc/cocci-avoid-regexp-constraint later to maint).
+
+ * Updating submodules from the upstream did not work well when
+ submodule's HEAD is detached, which has been improved.
+ (merge ca62f524c1 jk/submodule-remote-lookup-cleanup later to maint).
+
+ * Remove unnecessary check from "git daemon" code.
+ (merge 0c856224d2 cb/daemon-fd-check-fix later to maint).
+
+ * Use of sysctl() system call to learn the total RAM size used on
+ BSDs has been corrected.
+ (merge 781c1cf571 cb/total-ram-bsd-fix later to maint).
+
+ * Drop FreeBSD 4 support and declare that we support only FreeBSD 12
+ or later, which has memmem() supported.
+ (merge 0392f976a7 bs/config-mak-freebsd later to maint).
+
+ * A diff-filter with negative-only specification like "git log
+ --diff-filter=d" did not trigger correctly, which has been fixed.
+ (merge 375ac087c5 jk/all-negative-diff-filter-fix later to maint).
+
+ * A failure to open the index file for writing due to conflicting
+ access did not state what went wrong, which has been corrected.
+ (merge 9455397a5c hy/read-cache-lock-error-fix later to maint).
+
+ * Tempfile removal fix in the codepath to sign commits with SSH keys.
+ (merge 4498127b04 re/ssh-sign-buffer-fix later to maint).
+
+ * Code and test clean-up around string-list API.
+ (merge 6e5b26c3ff sj/string-list later to maint).
+
+ * "git apply -N" should start from the current index and register
+ only new files, but it instead started from an empty index, which
+ has been corrected.
+ (merge 2b49d97fcb rp/apply-intent-to-add-fix later to maint).
+
+ * Leakfix with a new and a bit invasive test on pack-bitmap files.
+ (merge bfd5522e98 ly/load-bitmap-leakfix later to maint).
+
+ * "git fetch --prune" used to be O(n^2) expensive when there are many
+ refs, which has been corrected.
+ (merge 87d8d8c5d0 ph/fetch-prune-optim later to maint).
+
+ * When a ref creation at refs/heads/foo/bar fails, the files backend
+ now removes refs/heads/foo/ if the directory is otherwise not used.
+ (merge a3a7f20516 ps/refs-files-remove-empty-parent later to maint).
+
* Other code cleanup, docfix, build fix, etc.
(merge b257adb571 lo/my-first-ow-doc-update later to maint).
(merge 8b34b6a220 ly/sequencer-update-squash-is-fixup-only later to maint).
@@ -56,3 +187,17 @@ Fixes since v2.50
(merge bfc9f9cc64 ly/submodule-update-failure-leakfix later to maint).
(merge 65dff89c6b ma/doc-diff-cc-headers later to maint).
(merge efb61591ee jm/bundle-uri-debug-output-to-fp later to maint).
+ (merge a3d278bb64 ly/prepare-show-merge-leakfix later to maint).
+ (merge 1fde1c5daf ac/preload-index-wo-the-repository later to maint).
+ (merge 855cfc65ae rm/t2400-modernize later to maint).
+ (merge 2939494284 ly/run-builtin-use-passed-in-repo later to maint).
+ (merge ff73f375bb jg/mailinfo-leakfix later to maint).
+ (merge 996f14c02b jj/doc-branch-markup-fix later to maint).
+ (merge 1e77de1864 cb/ci-freebsd-update-to-14.3 later to maint).
+ (merge b0e9d25865 jk/fix-leak-send-pack later to maint).
+ (merge f3a9558c8c bs/remote-helpers-doc-markup-fix later to maint).
+ (merge c4e9775c60 kh/doc-config-subcommands later to maint).
+ (merge de404249ab ps/perlless-test-fixes later to maint).
+ (merge 953049eed8 ts/merge-orig-head-doc-fix later to maint).
+ (merge 0c83bbc704 rj/freebsd-sysinfo-build-fix later to maint).
+ (merge ad7780b38f ps/doc-pack-refs-auto-with-files-backend-fix later to maint).
generated by cgit 1.2.3-korg (git 2.43.0) at 2025-12-05 15:53:16 +0000