suse-su-2025:20721-1
Vulnerability from csaf_suse
Published: 2025-09-22 09:07
Modified: 2025-09-22 09:07
Summary: Security update for git

Notes

Title of the patch: Security update for git

Description of the patch:
This update for git fixes the following issues:
- Update to 2.51.0
  - UI, Workflows & Features
    - Userdiff patterns for the R language have been added.
    - Documentation for "git send-email" has been updated with a bit more credential helper and OAuth information.
    - "git cat-file --batch" learns to understand the %(objectmode) atom to allow the caller to tell missing objects (due to repository corruption) and submodules (whose commit objects are OK to be missing) apart.
    - "git diff --no-index dirA dirB" can limit the comparison with a pathspec at the end of the command line, just like normal "git diff".
    - "git subtree" (in contrib/) learned to grok GPG signing its commits.
    - "git whatchanged", which is longer to type than "git log --raw", its modern rough equivalent, outlived its usefulness more than 10 years ago. Plan to deprecate and remove it.
    - An interchange format for stash entries is defined, and subcommands of "git stash" to import/export have been added.
    - "git merge/pull" has been taught the "--compact-summary" option to use the compact-summary format, instead of diffstat, when showing the summary of the incoming changes.
    - "git imap-send" had been broken for a long time; it has been resurrected and then taught to talk OAuth2.0 etc.
    - Some error messages from "git imap-send" have been updated.
    - When "git daemon" sees a signal while attempting to accept() a new client, instead of retrying, it skipped it by mistake, which has been corrected.
    - The reftable ref backend has matured enough; Git 3.0 will make it the default format in newly created repositories.
    - The "netrc" credential helper has been improved to understand textual service names (like smtp) in addition to numeric port numbers (like 25).
    - Lift the limitation on using the changed-path filter in "git log" so that it can be used for a pathspec with multiple literal paths.
    - Clean up the way signatures on commit objects are exported to and imported from the fast-import stream.
    - Remove an unsupported, unused, and unsupportable old option from "git log".
    - Document the recently added "git imap-send --list" with an example.
    - "git pull" learned to pay attention to the pull.autostash configuration variable, which overrides rebase/merge.autostash.
    - "git for-each-ref" learns the "--start-after" option to help applications that want to page its output.
    - "git switch" and "git restore" are declared to be no longer experimental.
    - "git -c alias.foo=bar foo -h baz" reported "'foo' is aliased to 'bar'" and then went on to run "git foo -h baz", which was unexpected. Tighten the rule so that alias expansion is reported only when "-h" is the sole option.
  - Performance, Internal Implementation, Development Support etc.
    - "git pack-objects" learned to find delta bases from blobs at the same path, using the --path-walk API.
    - CodingGuidelines update.
    - Add settings for Solaris 10 & 11.
    - The Meson-based build/test framework now understands TAP output generated by our tests.
    - The "Do not explicitly initialize to zero" rule has been clarified in the CodingGuidelines document.
    - The test helper "test_seq" function learned the "-f <fmt>" option, which allowed us to simplify a lot of test scripts.
    - A lot of stale stuff has been removed from the contrib/ hierarchy.
    - "git push" and "git fetch" are taught to update refs in batches to gain performance.
    - Some code paths in "git prune" used to ignore the passed-in repository object and used the `the_repository` singleton instance instead, which has been corrected.
    - Update ".clang-format" and ".editorconfig" to match our style guide a bit better.
    - "make coccicheck" succeeded even when spatch made suggestions, which has been updated to fail in such a case.
    - Code clean-up around the object access API.
    - Define .precision for more canned parse-options types to avoid bugs coming from using a variable with a wrong type to capture the parsed values.
    - Flipping the default hash function to SHA-256 at the Git 3.0 boundary is planned.
    - Declare the weather-balloon we raised for the "bool" type 18 months ago a success and officially allow using the type in our codebase.
    - GIT_TEST_INSTALLED was not honored in the recent topic related to SHA256 hashes, which has been corrected.
    - The pop_most_recent_commit() function can have quite expensive worst-case performance characteristics, which has been optimized by using the prio-queue data structure.
    - Move a structure definition from an unrelated header file to where it belongs.
    - To help our developers, document what C99 language features are being considered for adoption, in addition to what past experiments have already decided.
    - The reftable unit tests are now ported to the "clar" unit testing framework.
    - Redefine where the multi-pack-index sits in the object subsystem, which recently was restructured to allow multiple backends that support a single object source that belongs to one repository. A MIDX does span multiple "object sources".
    - Reduce implicit assumption and dependence on the_repository in the object-file subsystem.
  - Fixes since v2.50. Unless otherwise noted, all the changes in the 2.50.X maintenance track, including security updates, are included in this release.
    - A memory leak in an error code path has been plugged.
    - Some leftover references to documentation source files that no longer exist, due to the recent ".txt" -> ".adoc" renaming, have been corrected.
    - "git stash -p <pathspec>" improvements.
    - "git send-email" incremented its internal message counter when a message was edited, which made the logic that treats the first message specially misbehave; this has been corrected.
    - "git stash" recorded a wrong branch name when submodules are present in the current checkout, which has been corrected.
    - When asked to apply mailmap to both the author and committer fields while showing a commit object, the field that appears later was not correctly parsed and replaced, which has been corrected.
    - "git maintenance" lacked the care "git gc" had to avoid holding onto the repository lock for too long during packing refs, which has been remedied.
    - Avoid regexp_constraint and instead use comparison_constraint when listing functions to exclude from application of coccinelle rules, as spatch can be built with different regexp engines X-<.
    - Updating submodules from the upstream did not work well when the submodule's HEAD is detached, which has been improved.
    - Remove an unnecessary check from "git daemon" code. (merge 0c856224d2 cb/daemon-fd-check-fix later to maint).
    - Use of the sysctl() system call to learn the total RAM size on BSDs has been corrected.
    - Drop FreeBSD 4 support and declare that we support only FreeBSD 12 or later, which has memmem() supported.
    - A diff-filter with a negative-only specification like "git log --diff-filter=d" did not trigger correctly, which has been fixed.
    - A failure to open the index file for writing due to conflicting access did not state what went wrong, which has been corrected.
    - Tempfile removal fix in the codepath to sign commits with SSH keys.
    - Code and test clean-up around the string-list API.
    - "git apply -N" should start from the current index and register only new files, but it instead started from an empty index, which has been corrected.
    - Leakfix with a new and a bit invasive test on pack-bitmap files.
    - "git fetch --prune" used to be O(n^2) expensive when there are many refs, which has been corrected.
    - When a ref creation at refs/heads/foo/bar fails, the files backend now removes refs/heads/foo/ if the directory is otherwise not used.
    - "pack-objects" has been taught to avoid pointing into objects in cruft packs from the midx.
    - "git remote" now detects remote names that overlap with each other (e.g., remote nicknames "outer" and "outer/inner" used at the same time), as it will lead to overlapping remote-tracking branches.
    - The gpg.program configuration variable, which names a pathname to the (custom) GPG compatible program, can now be spelled with ~tilde expansion.
    - Our <sane-ctype.h> header file relied on the system-supplied <ctype.h> header not being included later, which would override our macro definitions, but "amazon linux" broke this assumption. Fix this by preemptively including <ctype.h> near the beginning of <sane-ctype.h> ourselves. (merge 9d3b33125f ps/sane-ctype-workaround later to maint).
    - Clean up the compat/bswap.h mess. (merge f4ac32c03a ss/compat-bswap-revamp later to maint).
    - The Meson-based build did not handle the libexecdir setting correctly, which has been corrected. (merge 056dbe8612 rj/meson-libexecdir-fix later to maint).
    - Document that we do not require a "real" name when signing your patches off. (merge 1f0fed312a bc/contribution-under-non-real-names later to maint).
    - "git commit" that concludes a conflicted merge failed to notice and remove the existing comment added automatically (like "# Conflicts:") when core.commentstring is set to 'auto'. (merge 92b7c7c9f5 ac/auto-comment-char-fix later to maint).
    - "git rebase -i" with a bogus rebase.instructionFormat configuration failed to produce the todo file after recording the state files, leading to a confused "git status"; this has been corrected. (merge ade14bffd7 ow/rebase-verify-insn-fmt-before-initializing-state later to maint).
    - A few file descriptors left unclosed upon program completion in a few test helper programs are now closed. (merge 0f1b33815b hl/test-helper-fd-close later to maint).
    - Interactive prompt code did not correctly strip CRLF from the end of line on Windows. (merge 711a20827b js/prompt-crlf-fix later to maint).
    - The config API had a set of convenience wrapper functions that implicitly use the the_repository instance; they have been removed and inlined at the calling sites.
    - "git add/etc -p" now honor the diff.context configuration variable, and also learn to honor the -U<n> command-line option. (merge 2b3ae04011 lm/add-p-context later to maint).
    - The case where a new submodule takes a path where there used to be a completely different subproject is now dealt with a bit better than before. (merge 5ed8c5b465 kj/renamed-submodule later to maint).
    - The deflate codepath in "git archive --format=zip" had a longstanding bug coming from misuse of the zlib API, which has been corrected.
- Update to 2.50.1:
  * CVE-2025-27613: Fixed arbitrary writable file creation and truncation in Gitk (bsc#1245938)
  * CVE-2025-27614: Fixed arbitrary script execution via repository cloning in gitk (bsc#1245939)
  * CVE-2025-46835: Fixed untrusted repository cloning leading to arbitrary writable file creation in Git GUI (bsc#1245942)
  * CVE-2025-48384: Fixed CRLF transforming (bsc#1245943)
  * CVE-2025-48385: Fixed arbitrary code execution due to protocol injection (bsc#1245946)
  * CVE-2025-48386: Fixed buffer overflow in static buffer (bsc#1245947)
- Update to 2.48.1:
  * CVE-2024-50349: Fixed password leak (bsc#1235600)
  * CVE-2024-52006: Fixed Carriage Returns via the credential protocol to credential helpers (bsc#1235601)
- Update to 2.48.0:
  * Reference consistency checks: git refs verify
  * Reflogs can now be migrated with git refs migrate
  * git is free of memory leaks as covered by the test suite
  * Performance improvements
- Update to 2.47.1:
  * A use after free and double free at the end in "git log -L... -p" had been identified and fixed.
  * "git maintenance start" crashed due to an uninitialized variable reference, which has been corrected.
  * Fail gracefully instead of crashing when attempting to write the contents of a corrupt in-core index as a tree object.
  * A "git fetch" from the superproject going down to a submodule used a wrong remote when the default remote names are set differently between them.
  * The "gitk" project tree has been synchronized again.
- Update to 2.47.0:
  * A few descriptions in "git show-ref -h" have been clarified.
  * A 'P' command to "git add -p" that passes the patch hunk to the pager has been added.
  * "git grep -W" omits blank lines that follow the found function at the end of the file, just like it omits blank lines before the next function.
  * The value of http.proxy can have "path" at the end for a socks proxy that listens to a unix-domain socket, but we started to discard it when we taught the proxy auth code path to use the credential helpers, which has been corrected.
  * The code paths to compact multiple reftable files have been updated to correctly deal with multiple compactions triggering at the same time.
  * Support to specify the ref backend for submodules has been enhanced.
  * "git svn" has been taught about the svn:global-ignores property that recent versions of Subversion have.
  * The default object hash and ref backend format used to be settable only with an explicit command line option to "git init" and environment variables, but now they can be configured in the user's global and system wide configuration.
  * "git send-email" learned the "--translate-aliases" option that reads addresses from the standard input and emits the result of applying aliases on them to the standard output.
  * 'git for-each-ref' learned a new "--format" atom, "%(is-base:<commit>)", to find the branch that the history leading to a given commit is likely based on.
  * The command line prompt support used to be littered with bash-isms, which has been corrected to work with more shells.
  * Support for the RUNTIME_PREFIX feature has been added to the z/OS port.
  * "git send-email" learned the "--mailmap" option to allow rewriting the recipient addresses.
  * "git mergetool" learned to use VSCode as a merge backend.
  * "git pack-redundant" has been marked for removal in Git 3.0.
  * One-line messages to "die" and other helper functions will get LF added by these helper functions, but many existing messages had an unnecessary LF at the end, which have been corrected.
  * The "scalar clone" command learned the "--no-tags" option.
  * The environment variable GIT_ADVICE has been intentionally kept undocumented to discourage its use by interactive users. Add documentation to help tool writers.
  * "git apply --3way" learned to take "--ours" and other options.
- Update to version 2.46.2:
  * Revert the "git patch-id" change that went into 2.46.1, as it seems to have got a regression reported (I haven't verified, but it is better to keep a known breakage than adding an unintended regression).
  * In a few corner cases "git diff --exit-code" failed to report "changes" (e.g., renamed without any content change), which has been corrected.
  * The interpret-trailers command failed to recognise the end of the message when the commit log ends in an incomplete line.
- Update to version 2.46.1:
  * "git checkout --ours" (no other arguments) complained that the option is incompatible with branch switching, which is technically correct, but found confusing by some users. It now says that the user needs to give a pathspec to specify what paths to checkout.
  * It has been documented that we avoid "VAR=VAL shell_func" and why.
  * "git add -p" by users with diff.suppressBlankEmpty set to true failed to parse the patch that represents an unmodified empty line with an empty line (not a line with a single space on it), which has been corrected.
  * "git rebase --help" referred to "offset" (the difference between the location a change was taken from and where the change gets replaced) incorrectly and called it "fuzz", which has been corrected.
  * "git notes add -m '' --allow-empty" and friends that take prepared data to create notes should not invoke an editor, but it started doing so since Git 2.42, which has been corrected.
  * An expensive operation to prepare tracing was done in the re-encoding code path even when the tracing was not requested, which has been corrected.
  * Perforce tests have been updated.
  * The credential helper to talk to the OSX keychain sometimes sent garbage bytes after the username, which has been corrected.
  * A recent update broke "git ls-remote" used outside a repository, which has been corrected.
  * "git config --value=foo --fixed-value section.key newvalue" barfed when the existing value in the configuration file used the valueless true syntax, which has been corrected.
  * "git reflog expire" failed to honor annotated tags when computing reachable commits.
  * A flaky test and incorrect calls to strtoX() functions have been fixed.
  * Follow-up on the 2.45.1 regression fix.
  * "git rev-list ... | git diff-tree -p --remerge-diff --stdin" should behave more or less like "git log -p --remerge-diff" but instead it crashed, forgetting to prepare a temporary object store needed.
  * The patch parser in "git patch-id" has been tightened to avoid getting confused by lines that look like a patch header in the log message.
  * "git bundle unbundle" outside a repository triggered a BUG() unnecessarily, which has been corrected.
  * The code forgot to discard unnecessary in-core commit buffer data for commits that "git log --skip=<number>" traversed but omitted from the output, which has been corrected.
  * "git verify-pack" and "git index-pack" started dying outside a repository, which has been corrected.
  * A corner case bug in "git stash" was fixed.
- Change the less requirement to a path to allow for use with BusyBox
- Update to 2.46.0
  - UI, Workflows & Features
    * The "--rfc" option of "git format-patch" learned to take an optional string value to be used in place of "RFC" to tweak the "[PATCH]" on the subject header.
    * The credential helper protocol, together with the HTTP layer, has been enhanced to support authentication schemes different from the username & password pair, like Bearer and NTLM.
    * The command line completion script (in contrib/) learned to complete "git symbolic-ref" a bit better (you need to enable plumbing commands to be completed with GIT_COMPLETION_SHOW_ALL_COMMANDS).
    * When the user responds to a prompt given by "git add -p" with an unsupported command, the list of available commands was given, which was too much if the user knew what they wanted to type but merely made a typo. Now the user gets a much shorter error message.
    * The color parsing code learned to handle 12-bit RGB colors, spelled as "#RGB" (in addition to "#RRGGBB" that is already supported).
    * The operation mode options (like "--get") the "git config" command uses have been deprecated and replaced with subcommands (like "git config get").
    * "git tag" learned the "--trailer" option to futz with the trailers in the same way as "git commit" does.
    * A new global "--no-advice" option can be used to disable all advice messages, which is meant to be used only in scripts.
    * Updates to symbolic refs can now be made as a part of a ref transaction.
    * The trailer API has been reshuffled a bit.
    * Terminology to call various ref-like things is getting straightened out.
    * The command line completion script (in contrib/) has been adjusted to the recent update to "git config" that adopted a subcommand based UI.
    * The knobs to tweak how reftable files are written have been made available as configuration variables.
    * When "git push" notices that the commit at the tip of the ref on the other side it is about to overwrite does not exist locally, it used to first try fetching it if the local repository is a partial clone. The command has been taught not to do so and immediately fail instead.
    * The promisor.quiet configuration knob can be set to true to make lazy fetching from promisor remotes silent.
    * The inter/range-diff output has been moved to the end of the patch when format-patch adds it to a single patch, instead of writing it before the patch text, to be consistent with what is done for a cover letter for a multi-patch series.
    * A new command has been added to migrate a repository that uses the files backend for its ref storage to use the reftable backend, with limitations.
    * "git diff --exit-code --ext-diff" learned to take the exit status of the external diff driver into account when deciding the exit status of the overall "git diff" invocation when configured to do so.
    * "git update-ref --stdin" learned to handle transactional updates of symbolic-refs.
    * "git format-patch --interdiff" for multi-patch series learned to turn on cover letters automatically (unless told never to enable cover letters with "--no-cover-letter" and such).
    * The "--heads" option of "ls-remote" and "show-ref" has been deprecated; "--branches" replaces "--heads".
    * For over a year, setting the add.interactive.useBuiltin configuration variable did nothing but give a "this does not do anything" warning. The warning has been removed.
    * The http transport can now be told to send requests with authentication material without first getting a 401 response.
    * A handful of entries are added to the GitFAQ document.
    * "git var GIT_SHELL_PATH" should report the path to the shell used to spawn external commands, but it didn't do so on Windows, which has been corrected.
  - Performance, Internal Implementation, Development Support etc.
    * Advertise "git contacts", a tool for newcomers to find people to ask review for their patches, a bit more in our developer documentation.
    * In addition to building the objects needed, try to link the objects that are used in fuzzer tests, to make sure at least they build without bitrot, in Linux CI runs.
    * Code to write out reftable has seen some optimization and simplification.
    * Tests to ensure interoperability between reftable written by jgit and our code have been added and enabled in CI.
    * The singleton index_state instance "the_index" has been eliminated by always instantiating "the_repository" and replacing references to "the_index" with references to its .index member.
    * Git-GUI has a new maintainer, Johannes Sixt.
    * The "test-tool" has been taught to run testsuite tests in parallel, bypassing the need to use the "prove" tool.
    * The "whitespace check" task that was enabled for GitHub Actions CI has been ported to GitLab CI.
    * The refs API lost functions that implicitly assume to work on the primary ref_store by forcing the callers to pass a ref_store as an argument.
    * Code clean-up to reduce inter-function communication inside builtin/config.c done via the use of global variables.
    * The pack bitmap code saw some clean-up to prepare for a follow-up topic.
    * Preliminary code clean-up for "git send-email".
    * The default "creation-factor" used by "git format-patch" has been raised to make it more aggressively find matching commits.
    * Before discovering the repository details, we used to assume SHA-1 as the "default" hash function, which has been corrected. Hopefully this will smoke out codepaths that rely on such unwarranted assumptions.
    * The project decision making policy has been documented.
    * The strcmp-offset tests have been rewritten using the unit test framework.
    * "git add -p" learned to complain when an answer with more than one letter is given to a prompt that expects a single letter answer.
    * The alias-expanded command lines are logged to the trace output.
    * A new test was added to ensure git commands that are designed to run outside repositories do work.
    * A few tests in the reftable library have been rewritten using the unit test framework.
    * A pair of test helpers that essentially are unit tests on hash algorithms have been rewritten using the unit-tests framework.
    * A test helper that essentially is unit tests on the "decorate" logic has been rewritten using the unit-tests framework.
    * Many memory leaks in the sparse-checkout code paths have been plugged.
    * "make check-docs" noticed problems and reported them to its output but failed to signal its findings with its exit status, which has been corrected.
    * Building with "-Werror -Wwrite-strings" is now supported.
    * To help developers, the build procedure now allows builders to use CFLAGS_APPEND to specify additional CFLAGS.
    * "oidtree" tests were rewritten to use the unit test framework.
    * The structure of the document that records longer-term project decisions to deprecate/remove/update various behaviour has been outlined.
    * The pseudo-merge reachability bitmap to help more efficient storage of the reachability bitmap in a repository with too many refs has been added.
    * When "git merge" sees that the index cannot be refreshed (e.g. due to another process doing the same in the background), it died but only after writing MERGE_HEAD etc. files, which was useless for the purpose of recovering from the failure.
    * The output from "git cat-file --batch-check" and "--batch-command (info)" should not be unbuffered, for which some tests have been added.
    * A CPP macro USE_THE_REPOSITORY_VARIABLE is introduced to help transition the codebase to rely less on the availability of the singleton the_repository instance.
    * "git version --build-options" reports the version information of OpenSSL and other libraries (if used) in the build.
    * Memory ownership rules for the in-core representation of remote.*.url configuration values have been straightened out, which resulted in a few leak fixes and code clarification.
    * When the bundleURI interface fetches multiple bundles, Git failed to take full advantage of all bundles and ended up slurping duplicated objects, which has been corrected.
    * The code to deal with modified paths that are out-of-cone in a sparsely checked out working tree has been optimized.
    * An existing test of the oidmap API has been rewritten with the unit-test framework.
    * The "ort" merge backend saw one bugfix for a crash that happens when the inner merge gets killed, and assorted code clean-ups.
    * A new warning message is issued when a command has to expand a sparse index to handle working tree cruft that is outside of the sparse checkout.
    * The test framework learned to take the test body not as a single string but as a here-document.
    * "git push '' HEAD:there" used to hit a BUG(); it has been corrected to die with "fatal: bad repository ''".
    * What happens when http.cookieFile gets the special value "" has been clarified in the documentation.
Fixes
* "git rebase --signoff" used to forget that it needs to add a
sign-off to the resulting commit when told to continue after a
conflict stops its operation.
* The procedure to build multi-pack-index got confused by the
replace-refs mechanism, which has been corrected by disabling the
latter.
* The "-k" and "--rfc" options of "format-patch" will now error out
when used together, as one tells us not to add anything to the
title of the commit, and the other one tells us to add "RFC" in
addition to "PATCH".
* "git stash -S" did not handle binary files correctly, which has
been corrected.
* A scheduled "git maintenance" job is expected to work on all
repositories it knows about, but it stopped at the first one that
errored out. Now it keeps going.
* zsh can pretend to be a normal shell pretty well except for some
glitches that we tickle in some of our scripts. Work them around
so that "vimdiff" and our test suite works well enough with it.
* Command line completion support for zsh (in contrib/) has been
updated to stop exposing internal state to end-user shell
interaction.
* Tests that try to corrupt in-repository files in chunked format did
not work well on macOS due to its broken "mv", which has been
worked around.
* The maximum size of attribute files is enforced more consistently.
* Unbreak CI jobs so that we do not attempt to use Python 2 that has
been removed from the platform.
* Git 2.43 started using the tree of HEAD as the source of attributes
in a bare repository, which has severe performance implications.
For now, revert the change, without ripping out a more explicit
support for the attr.tree configuration variable.
* The "--exit-code" option of "git diff" command learned to work with
the "--ext-diff" option.
* Windows CI running in GitHub Actions started complaining about the
order of arguments given to calloc(); the imported regex code uses
the wrong order almost consistently, which has been corrected.
* Expose "name conflict" error when a ref creation fails due to D/F
conflict in the ref namespace, to improve an error message given by
"git fetch".
(merge 9339fca23e it/refs-name-conflict later to maint).
* The SubmittingPatches document now refers folks to manpages
translation project.
* The documentation for "git diff --name-only" has been clarified
that it is about showing the names in the post-image tree.
* The credential helper that talks with osx keychain learned to avoid
storing back the authentication material it just got received from
the keychain.
(merge e1ab45b2da kn/osxkeychain-skip-idempotent-store later to maint).
* The chainlint script (invoked during "make test") did nothing when
it failed to detect the number of available CPUs. It now falls
back to 1 CPU to avoid the problem.
* Revert overly aggressive "layered defence" that went into 2.45.1
and friends, which broke "git-lfs", "git-annex", and other use
cases, so that we can rebuild necessary counterparts in the open.
* "git init" in an already created directory, when the user
configuration has includeif.onbranch, started to fail recently,
which has been corrected.
* Memory leaks in "git mv" has been plugged.
* The safe.directory configuration knob has been updated to
optionally allow leading path matches.
* An overly large ".gitignore" files are now rejected silently.
* Upon expiration event, the credential subsystem forgot to clear
in-core authentication material other than password (whose support
was added recently), which has been corrected.
* Fix for an embarrassing typo that prevented Python2 tests from running
anywhere.
* Varargs functions that are unannotated as printf-like or execl-like
have been annotated as such.
* "git am" has a safety feature to prevent it from starting a new
session when there already is a session going. It reliably
triggers when a mbox is given on the command line, but it has to
rely on the tty-ness of the standard input. Add an explicit way to
opt out of this safety with a command line option.
(merge 62c71ace44 jk/am-retry later to maint).
* A leak in "git imap-send" that somehow escapes LSan has been
plugged.
* Setting core.abbrev too early before the repository set-up
(typically in "git clone") caused segfault, which as been
corrected.
* When the user adds to "git rebase -i" instruction to "pick" a merge
commit, the error experience is not pleasant. Such an error is now
caught earlier in the process that parses the todo list.
* We forgot to normalize the result of getcwd() to NFC on macOS where
all other paths are normalized, which has been corrected. This still
does not address the case where core.precomposeUnicode configuration
is not defined globally.
* Earlier we stopped using the tree of HEAD as the default source of
attributes in a bare repository, but failed to document it. This
has been corrected.
* "git update-server-info" and "git commit-graph --write" have been
updated to use the tempfile API to avoid leaving cruft after
failing.
* An unused extern declaration for mingw has been removed to prevent
it from causing build failure.
* A helper function shared between two tests had a copy-paste bug,
which has been corrected.
* "git fetch-pack -k -k" without passing "--lock-pack" (which we
never do ourselves) did not work at all, which has been corrected.
* CI job to build minimum fuzzers learned to pass NO_CURL=NoThanks to
the build procedure, as its build environment does not offer, or
the rest of the build needs, anything cURL.
(merge 4e66b5a990 jc/fuzz-sans-curl later to maint).
* "git diff --no-ext-diff" when diff.external is configured ignored
the "--color-moved" option.
(merge 0f4b0d4cf0 rs/diff-color-moved-w-no-ext-diff-fix later to maint).
* "git archive --add-virtual-file=<path>:<contents>" never paid
attention to the --prefix=<prefix> option but the documentation
said it would. The documentation has been corrected.
(merge 72c282098d jc/archive-prefix-with-add-virtual-file later to maint).
* When GIT_PAGER failed to spawn, depending on the code path taken,
we either failed immediately (correct) or spewed the payload to
standard output (incorrect). The code now always fails immediately
when GIT_PAGER fails.
(merge 78f0a5d187 rj/pager-die-upon-exec-failure later to maint).
* The date parser has been updated to be more careful about
underflowing epoch-based timestamps.
(merge 9d69789770 db/date-underflow-fix later to maint).
* The Bloom filter used for path-limited history traversal was broken
on systems whose "char" is unsigned; the implementation has been
updated and the format version bumped to 2.
(merge 9c8a9ec787 tb/path-filter-fix later to maint).
* Typofix.
(merge 231cf7370e as/pathspec-h-typofix later to maint).
* Code clean-up.
(merge 4b837f821e rs/simplify-submodule-helper-super-prefix-invocation later to maint).
* "git describe --dirty --broken" forgot to refresh the index before
checking whether there is any change ("git describe --dirty" correctly
did so), which has been corrected.
(merge b8ae42e292 as/describe-broken-refresh-index-fix later to maint).
* The test suite has been taught not to rely unnecessarily on DNS
failing to resolve a bogus external name.
(merge 407cdbd271 jk/tests-without-dns later to maint).
* GitWeb has been updated to use the committer date consistently in RSS/Atom feeds.
(merge cf6ead095b am/gitweb-feed-use-committer-date later to maint).
* Custom control structures we invented more recently have been
taught to the clang-format file.
(merge 1457dff9be rs/clang-format-updates later to maint).
* Developer build procedure fix.
(merge df32729866 tb/dev-build-pedantic-fix later to maint).
* "git push" that pushes only deletion gave an unnecessary and
harmless error message when push negotiation is configured, which
has been corrected.
(merge 4d8ee0317f jc/disable-push-nego-for-deletion later to maint).
* Address-looking strings found in the trailers are now placed on the
Cc: list by "git send-email" after being run through sanitize_address.
(merge c852531f45 cb/send-email-sanitize-trailer-addresses later to maint).
* Tests that use GIT_TEST_SANITIZE_LEAK_LOG feature got their exit
status inverted, which has been corrected.
(merge 8c1d6691bc rj/test-sanitize-leak-log-fix later to maint).
* The http.cookieFile and http.saveCookies configuration variables
have a few values that need to be avoided, which are now ignored
with warning messages.
(merge 4f5822076f jc/http-cookiefile later to maint).
* Repacking a repository with a multi-pack index started making poor
pack selections in Git 2.45, which has been corrected.
(merge 8fb6d11fad ds/midx-write-repack-fix later to maint).
* Fix documentation mark-up regression in 2.45.
(merge 6474da0aa4 ja/doc-markup-updates-fix later to maint).
* Work around asciidoctor's css that renders `monospace` material
in the SYNOPSIS section of manual pages as block elements.
(merge d44ce6ddd5 js/doc-markup-updates-fix later to maint).
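The tempfile discipline behind the "git update-server-info" / "git commit-graph --write" item above is worth seeing as code. What follows is an added example in C, not Git's own tempfile API: the payload is generated into a sibling temp file created by mkstemp(), fsync()ed, and rename()d over the destination only once it is complete, and every failure path unlinks the temp file so neither a half-written destination nor a stray "<dest>.XXXXXX" is left behind. The destination name, the payload strings and the emit_then_fail failure injection are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Added example, not Git's tempfile API: the write-to-temp-then-rename
 * pattern that API implements.  The file body is generated into a temp
 * file in the destination's directory; only after it is fully written
 * and fsync()ed is it renamed over the destination.  Every failure path
 * unlinks the temp file, so a partial file is never published and no
 * cruft is left on disk.
 */

/* Generates the file body into fd; returns 0 on success, -1 on error. */
typedef int (*emit_fn)(int fd, const char *payload);

int write_all(int fd, const char *buf, size_t len)
{
    size_t off = 0;
    while (off < len) {
        ssize_t w = write(fd, buf + off, len - off);
        if (w < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        off += (size_t)w;
    }
    return 0;
}

int emit_payload(int fd, const char *payload)
{
    return write_all(fd, payload, strlen(payload));
}

/* Constructed failure: writes half the payload, then reports an I/O error. */
int emit_then_fail(int fd, const char *payload)
{
    write_all(fd, payload, strlen(payload) / 2);
    errno = EIO;
    return -1;
}

/* Returns 0 on success, -1 on failure with errno set; dest is then untouched. */
int write_file_atomically(const char *dest, emit_fn emit, const char *payload)
{
    size_t n = strlen(dest);
    char *tmp = malloc(n + sizeof ".XXXXXX");
    int fd, saved;

    if (!tmp) return -1;
    memcpy(tmp, dest, n);
    memcpy(tmp + n, ".XXXXXX", sizeof ".XXXXXX");

    fd = mkstemp(tmp);          /* created 0600 next to dest, so rename() is atomic */
    if (fd < 0) { saved = errno; free(tmp); errno = saved; return -1; }

    if (emit(fd, payload) != 0 || fsync(fd) != 0) {
        saved = errno; close(fd); unlink(tmp); free(tmp); errno = saved; return -1;
    }
    if (close(fd) != 0 || rename(tmp, dest) != 0) {
        saved = errno; unlink(tmp); free(tmp); errno = saved; return -1;
    }
    free(tmp);
    return 0;
}

/* Number of leftover "<dest>.XXXXXX" files in the current directory. */
int count_stray_tempfiles(const char *dest)
{
    size_t n = strlen(dest);
    int count = 0;
    struct dirent *e;
    DIR *d = opendir(".");
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (strlen(e->d_name) == n + 7 && strncmp(e->d_name, dest, n) == 0 && e->d_name[n] == '.')
            count++;
    closedir(d);
    return count;
}

/* 1 if path exists and holds exactly `expected`, else 0. */
int file_has_contents(const char *path, const char *expected)
{
    char buf[256];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return n == strlen(expected) && memcmp(buf, expected, n) == 0;
}

/* Exercises the success and failure paths; returns 0 when every expectation holds. */
int demo(const char *dest)
{
    const char *v1 = "refs snapshot v1\n";                  /* constructed payload */
    const char *v2 = "refs snapshot v2 (never published)\n";
    if (write_file_atomically(dest, emit_payload, v1) != 0) return 1;
    if (!file_has_contents(dest, v1)) return 2;
    if (write_file_atomically(dest, emit_then_fail, v2) != -1) return 3;
    if (!file_has_contents(dest, v1)) return 4;      /* previous content untouched */
    if (count_stray_tempfiles(dest) != 0) return 5;  /* no "<dest>.XXXXXX" cruft */
    unlink(dest);
    return 0;
}

int main(void)
{
    int rc = demo("atomic-demo.txt");
    printf("atomic write demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The two properties a practitioner cares about are both checked by demo(): a reader of the destination never observes anything but the previous complete file or the new complete file, and a failed generation leaves no temp file for a later "git gc"-style cleanup to trip over. mkstemp() creates the file with mode 0600; a caller that needs the destination world-readable (as "info/refs" served by a dumb HTTP server would be) should fchmod() the descriptor before the rename rather than chmod() the path afterwards.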
- CVE-2024-24577: Fixed arbitrary code execution due to heap corruption
in git_index_add (bsc#1219660)
- Update to 2.45.2:
* Revert the "defense in depth" fixes from 2.45.1 that broke 'git lfs'
and 'git annex'
- Remove the dependency on /usr/bin/python3 using the
%python3_fix_shebang_path macro (bsc#1212476)
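The Bloom filter item in the fixes above ("broken on systems whose char is unsigned") is a portability bug class that is easiest to understand in code. The following is an added example, not Git's bloom.c: a reference MurmurHash3 x86_32 whose per-byte loads go through an explicit widening step, so the result a signed-char platform (x86) and an unsigned-char platform (for example ARM Linux) would compute can be compared on one machine. The seed value and the two sample paths are chosen for this example; the only claim taken from the page is that the changed-path filter's hash depended on the signedness of char.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Git's code.  Reference MurmurHash3 x86_32 with the
 * byte-to-uint32 widening made explicit.  Plain `char` is signed on some
 * platforms and unsigned on others; loading path bytes through it means
 * bytes 0x80..0xFF are sign-extended on the former, which is why a
 * Bloom filter computed on one platform did not match on the other.
 */
typedef uint32_t (*widen_fn)(char c);

/* What `(uint32_t)c` does when `char` is signed: sign-extends 0x80..0xFF. */
uint32_t widen_signed(char c)   { return (uint32_t)(int32_t)(signed char)c; }
/* What it does when `char` is unsigned, and what a portable hash must do. */
uint32_t widen_unsigned(char c) { return (uint32_t)(unsigned char)c; }

static uint32_t rotl32(uint32_t x, int r) { return (x << r) | (x >> (32 - r)); }

uint32_t murmur3_32(const char *data, size_t len, uint32_t seed, widen_fn widen)
{
    const uint32_t c1 = 0xcc9e2d51u, c2 = 0x1b873593u;
    size_t nblocks = len / 4, i;
    const char *tail = data + nblocks * 4;
    uint32_t h1 = seed, k1;

    for (i = 0; i < nblocks; i++) {
        const char *p = data + i * 4;
        /* With signed widening the sign bits of bytes 0..2 bleed into the
         * higher byte lanes here; byte 3's are shifted off the top. */
        k1 = widen(p[0]) | (widen(p[1]) << 8) | (widen(p[2]) << 16) | (widen(p[3]) << 24);
        k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2;
        h1 ^= k1; h1 = rotl32(h1, 13); h1 = h1 * 5 + 0xe6546b64u;
    }

    k1 = 0;
    switch (len & 3) {
    case 3: k1 ^= widen(tail[2]) << 16; /* fallthrough */
    case 2: k1 ^= widen(tail[1]) << 8;  /* fallthrough */
    case 1: k1 ^= widen(tail[0]);
            k1 *= c1; k1 = rotl32(k1, 15); k1 *= c2;
            h1 ^= k1;
    }

    h1 ^= (uint32_t)len;
    h1 ^= h1 >> 16; h1 *= 0x85ebca6bu;
    h1 ^= h1 >> 13; h1 *= 0xc2b2ae35u;
    h1 ^= h1 >> 16;
    return h1;
}

/* 1 if both `char` signednesses hash `path` identically, else 0. */
int path_hash_is_portable(const char *path)
{
    size_t len = strlen(path);
    uint32_t seed = 0x293ae76fu; /* seed chosen for this example */
    return murmur3_32(path, len, seed, widen_signed) ==
           murmur3_32(path, len, seed, widen_unsigned);
}

int main(void)
{
    /* Constructed sample paths: plain ASCII, and one with UTF-8 "é" (0xC3 0xA9). */
    const char *paths[] = { "src/main.c", "src/caf\xC3\xA9.c" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-16s portable=%d signed=%08x unsigned=%08x\n", paths[i],
               path_hash_is_portable(paths[i]),
               murmur3_32(paths[i], strlen(paths[i]), 0x293ae76fu, widen_signed),
               murmur3_32(paths[i], strlen(paths[i]), 0x293ae76fu, widen_unsigned));
    return 0;
}
```

For a path made only of ASCII bytes the two variants agree, so the bug is invisible in an ASCII-only repository and on an x86-only fleet. A byte in 0x80..0xFF in the tail, or in the first three bytes of a four-byte block, sign-extends into the neighbouring lanes and the hashes diverge, which means a filter written on one platform answers "not present" for paths that are present when read on the other. That is why the note above pairs the corrected implementation with a bump of the on-disk format version to 2: existing version-1 filters cannot be assumed to have been computed one way or the other.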
Patchnames
SUSE-SLE-Micro-6.0-470
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "critical"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for git",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for git fixes the following issues:\n\n- Update to 2.51.0\n \n - UI, Workflows \u0026 Features\n - Userdiff patterns for the R language have been added.\n - Documentation for \"git send-email\" has been updated with a\n bit more credential helper and OAuth information.\n - \"git cat-file --batch\" learns to understand %(objectmode)\n atom to allow the caller to tell missing objects (due to\n repository corruption) and submodules (whose commit objects\n are OK to be missing) apart.\n - \"git diff --no-index dirA dirB\" can limit the comparison with\n pathspec at the end of the command line, just like normal\n \"git diff\".\n - \"git subtree\" (in contrib/) learned to grok GPG signing its\n commits.\n - \"git whatchanged\" that is longer to type than \"git log --raw\"\n which is its modern rough equivalent has outlived its\n usefulness more than 10 years ago. Plan to deprecate and\n remove it.\n - An interchange format for stash entries is defined, and\n subcommand of \"git stash\" to import/export has been added.\n - \"git merge/pull\" has been taught the \"--compact-summary\"\n option to use the compact-summary format, intead of diffstat,\n when showing the summary of the incoming changes.\n - \"git imap-send\" has been broken for a long time, which has\n been resurrected and then taught to talk OAuth2.0 etc.\n - Some error messages from \"git imap-send\" has been updated.\n - When \"git daemon\" sees a signal while attempting to accept()\n a new client, instead of retrying, it skipped it by mistake,\n which has been corrected.\n - The reftable ref backend has matured enough; Git 3.0 will\n make it the default format in a newly created repositories by\n default.\n - \"netrc\" credential helper has been improved to understand\n textual service names (like smtp) in addition to the numeric\n port numbers (like 25).\n - Lift the limitation to use changed-path filter in \"git log\"\n so that it can be used for a pathspec with multiple literal\n 
paths.\n - Clean up the way how signature on commit objects are exported\n to and imported from fast-import stream.\n - Remove unsupported, unused, and unsupportable old option from\n \"git log\".\n - Document recently added \"git imap-send --list\" with an\n example.\n - \"git pull\" learned to pay attention to pull.autostash\n configuration variable, which overrides\n rebase/merge.autostash.\n - \"git for-each-ref\" learns \"--start-after\" option to help\n applications that want to page its output.\n - \"git switch\" and \"git restore\" are declared to be no longer\n experimental.\n - \"git -c alias.foo=bar foo -h baz\" reported \"\u0027foo\u0027 is aliased\n to \u0027bar\u0027\" and then went on to run \"git foo -h baz\", which was\n unexpected. Tighten the rule so that alias expansion is\n reported only when \"-h\" is the sole option.\n - Performance, Internal Implementation, Development Support etc.\n - \"git pack-objects\" learned to find delta bases from blobs at\n the same path, using the --path-walk API.\n - CodingGuidelines update.\n - Add settings for Solaris 10 \u0026 11.\n - Meson-based build/test framework now understands TAP output\n generated by our tests.\n - \"Do not explicitly initialize to zero\" rule has been\n clarified in the CodingGuidelines document.\n - A test helper \"test_seq\" function learned the \"-f \u003cfmt\u003e\"\n option, which allowed us to simplify a lot of test scripts.\n - A lot of stale stuff has been removed from the contrib/\n hierarchy.\n - \"git push\" and \"git fetch\" are taught to update refs in\n batches to gain performance.\n - Some code paths in \"git prune\" used to ignore the passed-in\n repository object and used the `the_repository` singleton\n instance instead, which has been corrected.\n - Update \".clang-format\" and \".editorconfig\" to match our style\n guide a bit better.\n - \"make coccicheck\" succeeds even when spatch made suggestions,\n which has been updated to fail in such a case.\n - Code 
clean-up around object access API.\n - Define .precision to more canned parse-options type to avoid\n bugs coming from using a variable with a wrong type to\n capture the parsed values.\n - Flipping the default hash function to SHA-256 at Git 3.0\n boundary is planned.\n - Declare weather-balloon we raised for \"bool\" type 18 months\n ago a success and officially allow using the type in our\n codebase.\n - GIT_TEST_INSTALLED was not honored in the recent topic\n related to SHA256 hashes, which has been corrected.\n - The pop_most_recent_commit() function can have quite\n expensive worst case performance characteristics, which has\n been optimized by using prio-queue data structure.\n - Move structure definition from unrelated header file to where\n it belongs.\n - To help our developers, document what C99 language features\n are being considered for adoption, in addition to what past\n experiments have already decided.\n - The reftable unit tests are now ported to the \"clar\" unit\n testing framework.\n - Redefine where the multi-pack-index sits in the object\n subsystem, which recently was restructured to allow multiple\n backends that support a single object source that belongs to\n one repository. A MIDX does span multiple \"object sources\".\n - Reduce implicit assumption and dependence on the_repository\n in the object-file subsystem.\n\n - Fixes since v2.50 Unless otherwise noted, all the changes in\n 2.50.X maintenance track, including security updates, are\n included in this release.\n - A memory-leak in an error code path has been plugged.\n - Some leftover references to documentation source files that\n no longer exist, due to recent \".txt\" -\u003e \".adoc\" renaming,\n have been corrected.\n - \"git stash -p \u003cpathspec\u003e\" improvements. 
\n - \"git send-email\" incremented its internal message counter\n when a message was edited, which made logic that treats the\n first message specially misbehave, which has been corrected.\n - \"git stash\" recorded a wrong branch name when submodules are\n present in the current checkout, which has been corrected.\n - When asking to apply mailmap to both author and committer\n field while showing a commit object, the field that appears\n later was not correctly parsed and replaced, which has been\n corrected.\n - \"git maintenance\" lacked the care \"git gc\" had to avoid\n holding onto the repository lock for too long during packing\n refs, which has been remedied.\n - Avoid regexp_constraint and instead use comparison_constraint\n when listing functions to exclude from application of\n coccinelle rules, as spatch can be built with different\n regexp engine X-\u003c.\n - Updating submodules from the upstream did not work well when\n submodule\u0027s HEAD is detached, which has been improved. \n - Remove unnecessary check from \"git daemon\" code. 
(merge\n 0c856224d2 cb/daemon-fd-check-fix later to maint).\n - Use of sysctl() system call to learn the total RAM size used\n on BSDs has been corrected.\n - Drop FreeBSD 4 support and declare that we support only\n FreeBSD 12 or later, which has memmem() supported.\n - A diff-filter with negative-only specification like \"git log\n --diff-filter=d\" did not trigger correctly, which has been\n fixed.\n - A failure to open the index file for writing due to\n conflicting access did not state what went wrong, which has\n been corrected.\n - Tempfile removal fix in the codepath to sign commits with SSH\n keys.\n - Code and test clean-up around string-list API.\n - \"git apply -N\" should start from the current index and\n register only new files, but it instead started from an empty\n index, which has been corrected.\n - Leakfix with a new and a bit invasive test on pack-bitmap\n files.\n - \"git fetch --prune\" used to be O(n^2) expensive when there\n are many refs, which has been corrected.\n - When a ref creation at refs/heads/foo/bar fails, the files\n backend now removes refs/heads/foo/ if the directory is\n otherwise not used.\n - \"pack-objects\" has been taught to avoid pointing into objects\n in cruft packs from midx.\n - \"git remote\" now detects remote names that overlap with each\n other (e.g., remote nickname \"outer\" and \"outer/inner\" are\n used at the same time), as it will lead to overlapping\n remote-tracking branches.\n - The gpg.program configuration variable, which names a\n pathname to the (custom) GPG compatible program, can now be\n spelled with ~tilde expansion.\n - Our \u003csane-ctype.h\u003e header file relied on that the\n system-supplied \u003cctype.h\u003e header is not later included, which\n would override our macro definitions, but \"amazon linux\"\n broke this assumption. 
Fix this by preemptively including\n \u003cctype.h\u003e near the beginning of \u003csane-ctype.h\u003e ourselves.\n (merge 9d3b33125f ps/sane-ctype-workaround later to maint).\n - Clean-up compat/bswap.h mess. (merge f4ac32c03a\n ss/compat-bswap-revamp later to maint).\n - Meson-based build did not handle libexecdir setting\n correctly, which has been corrected. (merge 056dbe8612\n rj/meson-libexecdir-fix later to maint).\n - Document that we do not require \"real\" name when signing your\n patches off. (merge 1f0fed312a\n bc/contribution-under-non-real-names later to maint).\n - \"git commit\" that concludes a conflicted merge failed to\n notice and remove existing comment added automatically (like\n \"# Conflicts:\") when the core.commentstring is set to \u0027auto\u0027.\n (merge 92b7c7c9f5 ac/auto-comment-char-fix later to maint).\n - \"git rebase -i\" with bogus rebase.instructionFormat\n configuration failed to produce the todo file after recording\n the state files, leading to confused \"git status\"; this has\n been corrected. (merge ade14bffd7\n ow/rebase-verify-insn-fmt-before-initializing-state later to\n maint).\n - A few file descriptors left unclosed upon program completion\n in a few test helper programs are now closed. (merge\n 0f1b33815b hl/test-helper-fd-close later to maint).\n - Interactive prompt code did not correctly strip CRLF from the\n end of line on Windows. (merge 711a20827b js/prompt-crlf-fix\n later to maint).\n - The config API had a set of convenience wrapper functions\n that implicitly use the_repository instance; they have been\n removed and inlined at the calling sites.\n - \"git add/etc -p\" now honor the diff.context configuration\n variable, and also they learn to honor the -U\u003cn\u003e command-line\n option. (merge 2b3ae04011 lm/add-p-context later to maint).\n - The case where a new submodule takes a path where there used\n to be a completely different subproject is now dealt with a\n bit better than before. 
(merge 5ed8c5b465\n kj/renamed-submodule later to maint).\n - The deflate codepath in \"git archive --format=zip\" had a\n longstanding bug coming from misuse of zlib API, which has\n been corrected.\n\n\n- Update to 2.50.1:\n \n * CVE-2025-27613: Fixed arbitrary writable file creation and \n truncation in Gitk (bsc#1245938)\n * CVE-2025-27614: Fixed arbitrary script execution via repo \n clonation in gitk (bsc#1245939)\n * CVE-2025-46835: Fixed untrusted repository cloning leading \n to arbitrary writable file creation in Git GUI (bsc#1245942)\n * CVE-2025-48384: Fixed CRLF transforming (bsc#1245943)\n * CVE-2025-48385: Fixed arbitrary code execution due to protocol \n injection (bsc#1245946)\n * CVE-2025-48386: Fixed buffer overflow in static buffer (bsc#1245947)\n\n- Update to 2.48.1:\n \n * CVE-2024-50349: Fixed password leak (bsc#1235600)\n * CVE-2024-52006: Fixed Carriage Returns via the credential \n protocol to credential helpers (bsc#1235601)\n\n- Update to 2.48.0:\n\n * Reference consistency checks: git refs verify\n * Reflogs can now be migrated with git refs migrate\n * git is free of memory leaks as covered by the test suite\n * Performance improvements\n\n- Update to 2.47.1:\n\n * Use after free and double freeing at the end in\n \"git log -L... 
-p\" had been identified and fixed.\n * \"git maintenance start\" crashed due to an uninitialized\n variable reference, which has been corrected.\n * Fail gracefully instead of crashing when attempting to write\n the contents of a corrupt in-core index as a tree object.\n * A \"git fetch\" from the superproject going down to a submodule\n used a wrong remote when the default remote names are set\n differently between them.\n * The \"gitk\" project tree has been synchronized again\n\n- Update to 2.47.0:\n \n * A few descriptions in \"git show-ref -h\" have been clarified.\n * A \u0027P\u0027 command to \"git add -p\" that passes the patch hunk to the\n pager has been added.\n * \"git grep -W\" omits blank lines that follow the found function at\n the end of the file, just like it omits blank lines before the next\n function.\n * The value of http.proxy can have \"path\" at the end for a socks\n proxy that listens to a unix-domain socket, but we started to\n discard it when we taught proxy auth code path to use the\n credential helpers, which has been corrected.\n * The code paths to compact multiple reftable files have been updated\n to correctly deal with multiple compaction triggering at the same\n time.\n * Support to specify ref backend for submodules has been enhanced.\n * \"git svn\" has been taught about svn:global-ignores property\n recent versions of Subversion has.\n * The default object hash and ref backend format used to be settable\n only with explicit command line option to \"git init\" and\n environment variables, but now they can be configured in the user\u0027s\n global and system wide configuration.\n * \"git send-email\" learned \"--translate-aliases\" option that reads\n addresses from the standard input and emits the result of applying\n aliases on them to the standard output.\n * \u0027git for-each-ref\u0027 learned a new \"--format\" atom to find the branch\n that the history leading to a given commit \"%(is-base:\u003ccommit\u003e)\" is\n 
likely based on.\n * The command line prompt support used to be littered with bash-isms,\n which has been corrected to work with more shells.\n * Support for the RUNTIME_PREFIX feature has been added to z/OS port.\n * \"git send-email\" learned \"--mailmap\" option to allow rewriting the\n recipient addresses.\n * \"git mergetool\" learned to use VSCode as a merge backend.\n * \"git pack-redundant\" has been marked for removal in Git 3.0.\n * One-line messages to \"die\" and other helper functions will get LF\n added by these helper functions, but many existing messages had an\n unnecessary LF at the end, which have been corrected.\n * The \"scalar clone\" command learned the \"--no-tags\" option.\n * The environment GIT_ADVICE has been intentionally kept undocumented\n to discourage its use by interactive users. Add documentation to\n help tool writers.\n * \"git apply --3way\" learned to take \"--ours\" and other options.\n\n- Update to version 2.46.2:\n \n * Revert the \"git patch-id\" change that went into 2.46.1,\n as it seems to have got a regression reported (I haven\u0027t verified,\n but it is better to keep a known breakage than adding an unintended\n regression).\n * In a few corner cases \"git diff --exit-code\" failed to report\n \"changes\" (e.g., renamed without any content change), which has\n been corrected.\n * The interpret-trailers command failed to recognise the end of the\n message when the commit log ends in an incomplete line.\n\n- Update to version 2.46.1;\n \n * \"git checkout --ours\" (no other arguments) complained that the\n option is incompatible with branch switching, which is technically\n correct, but found confusing by some users. 
It now says that the\n user needs to give pathspec to specify what paths to checkout.\n * It has been documented that we avoid \"VAR=VAL shell_func\" and why.\n * \"git add -p\" by users with diff.suppressBlankEmpty set to true\n failed to parse the patch that represents an unmodified empty line\n with an empty line (not a line with a single space on it), which\n has been corrected.\n * \"git rebase --help\" referred to \"offset\" (the difference between\n the location a change was taken from and the change gets replaced)\n incorrectly and called it \"fuzz\", which has been corrected.\n * \"git notes add -m \u0027\u0027 --allow-empty\" and friends that take prepared\n data to create notes should not invoke an editor, but it started\n doing so since Git 2.42, which has been corrected.\n * An expensive operation to prepare tracing was done in re-encoding\n code path even when the tracing was not requested, which has been\n corrected.\n * Perforce tests have been updated.\n * The credential helper to talk to OSX keychain sometimes sent\n garbage bytes after the username, which has been corrected.\n * A recent update broke \"git ls-remote\" used outside a repository,\n which has been corrected.\n * \"git config --value=foo --fixed-value section.key newvalue\" barfed\n when the existing value in the configuration file used the\n valueless true syntax, which has been corrected.\n * \"git reflog expire\" failed to honor annotated tags when computing\n reachable commits.\n * A flakey test and incorrect calls to strtoX() functions have been\n fixed.\n * Follow-up on 2.45.1 regression fix.\n * \"git rev-list ... 
| git diff-tree -p --remerge-diff --stdin\" should\n behave more or less like \"git log -p --remerge-diff\" but instead it\n crashed, forgetting to prepare a temporary object store needed.\n * The patch parser in \"git patch-id\" has been tightened to avoid\n getting confused by lines that look like a patch header in the log\n message.\n * \"git bundle unbundle\" outside a repository triggered a BUG()\n unnecessarily, which has been corrected.\n * The code forgot to discard unnecessary in-core commit buffer data\n for commits that \"git log --skip=\u003cnumber\u003e\" traversed but omitted\n from the output, which has been corrected.\n * \"git verify-pack\" and \"git index-pack\" started dying outside a\n repository, which has been corrected.\n * A corner case bug in \"git stash\" was fixed.\n\n- Change less requirement to path to allow for use with BusyBox\n\n- Update to 2.46.0\n \n UI, Workflows \u0026 Features\n * The \"--rfc\" option of \"git format-patch\" learned to take an\n optional string value to be used in place of \"RFC\" to tweak the\n \"[PATCH]\" on the subject header.\n * The credential helper protocol, together with the HTTP layer, have\n been enhanced to support authentication schemes different from\n username \u0026 password pair, like Bearer and NTLM.\n * Command line completion script (in contrib/) learned to complete\n \"git symbolic-ref\" a bit better (you need to enable plumbing\n commands to be completed with GIT_COMPLETION_SHOW_ALL_COMMANDS).\n * When the user responds to a prompt given by \"git add -p\" with an\n unsupported command, list of available commands were given, which\n was too much if the user knew what they wanted to type but merely\n made a typo. 
Now the user gets a much shorter error message.\n * The color parsing code learned to handle 12-bit RGB colors, spelled\n as \"#RGB\" (in addition to \"#RRGGBB\" that is already supported).\n * The operation mode options (like \"--get\") the \"git config\" command\n uses have been deprecated and replaced with subcommands (like \"git\n config get\").\n * \"git tag\" learned the \"--trailer\" option to futz with the trailers\n in the same way as \"git commit\" does.\n * A new global \"--no-advice\" option can be used to disable all advice\n messages, which is meant to be used only in scripts.\n * Updates to symbolic refs can now be made as a part of ref\n transaction.\n * The trailer API has been reshuffled a bit.\n * Terminology to call various ref-like things are getting\n straightened out.\n * The command line completion script (in contrib/) has been adjusted\n to the recent update to \"git config\" that adopted subcommand based\n UI.\n * The knobs to tweak how reftable files are written have been made\n available as configuration variables.\n * When \"git push\" notices that the commit at the tip of the ref on\n the other side it is about to overwrite does not exist locally, it\n used to first try fetching it if the local repository is a partial\n clone. 
The command has been taught not to do so and immediately\n fail instead.\n * The promisor.quiet configuration knob can be set to true to make\n lazy fetching from promisor remotes silent.\n * The inter/range-diff output has been moved to the end of the patch\n when format-patch adds it to a single patch, instead of writing it\n before the patch text, to be consistent with what is done for a\n cover letter for a multi-patch series.\n * A new command has been added to migrate a repository that uses the\n files backend for its ref storage to use the reftable backend, with\n limitations.\n * \"git diff --exit-code --ext-diff\" learned to take the exit status\n of the external diff driver into account when deciding the exit\n status of the overall \"git diff\" invocation when configured to do\n so.\n * \"git update-ref --stdin\" learned to handle transactional updates of\n symbolic-refs.\n * \"git format-patch --interdiff\" for multi-patch series learned to\n turn on cover letters automatically (unless told never to enable\n cover letter with \"--no-cover-letter\" and such).\n * The \"--heads\" option of \"ls-remote\" and \"show-ref\" has been been\n deprecated; \"--branches\" replaces \"--heads\".\n * For over a year, setting add.interactive.useBuiltin configuration\n variable did nothing but giving a \"this does not do anything\"\n warning. 
The warning has been removed.\n * The http transport can now be told to send request with\n authentication material without first getting a 401 response.\n * A handful of entries are added to the GitFAQ document.\n * \"git var GIT_SHELL_PATH\" should report the path to the shell used\n to spawn external commands, but it didn\u0027t do so on Windows, which\n has been corrected.\n Performance, Internal Implementation, Development Support etc.\n * Advertise \"git contacts\", a tool for newcomers to find people to\n ask review for their patches, a bit more in our developer\n documentation.\n * In addition to building the objects needed, try to link the objects\n that are used in fuzzer tests, to make sure at least they build\n without bitrot, in Linux CI runs.\n * Code to write out reftable has seen some optimization and\n simplification.\n * Tests to ensure interoperability between reftable written by jgit\n and our code have been added and enabled in CI.\n * The singleton index_state instance \"the_index\" has been eliminated\n by always instantiating \"the_repository\" and replacing references\n to \"the_index\" with references to its .index member.\n * Git-GUI has a new maintainer, Johannes Sixt.\n * The \"test-tool\" has been taught to run testsuite tests in parallel,\n bypassing the need to use the \"prove\" tool.\n * The \"whitespace check\" task that was enabled for GitHub Actions CI\n has been ported to GitLab CI.\n * The refs API lost functions that implicitly assumes to work on the\n primary ref_store by forcing the callers to pass a ref_store as an\n argument.\n * Code clean-up to reduce inter-function communication inside\n builtin/config.c done via the use of global variables.\n * The pack bitmap code saw some clean-up to prepare for a follow-up topic.\n * Preliminary code clean-up for \"git send-email\".\n * The default \"creation-factor\" used by \"git format-patch\" has been\n raised to make it more aggressively find matching commits.\n * Before 
discovering the repository details, We used to assume SHA-1\n as the \"default\" hash function, which has been corrected. Hopefully\n this will smoke out codepaths that rely on such an unwarranted\n assumptions.\n * The project decision making policy has been documented.\n * The strcmp-offset tests have been rewritten using the unit test\n framework.\n * \"git add -p\" learned to complain when an answer with more than one\n letter is given to a prompt that expects a single letter answer.\n * The alias-expanded command lines are logged to the trace output.\n * A new test was added to ensure git commands that are designed to\n run outside repositories do work.\n * A few tests in reftable library have been rewritten using the\n unit test framework.\n * A pair of test helpers that essentially are unit tests on hash\n algorithms have been rewritten using the unit-tests framework.\n * A test helper that essentially is unit tests on the \"decorate\"\n logic has been rewritten using the unit-tests framework.\n * Many memory leaks in the sparse-checkout code paths have been\n plugged.\n * \"make check-docs\" noticed problems and reported to its output but\n failed to signal its findings with its exit status, which has been\n corrected.\n * Building with \"-Werror -Wwrite-strings\" is now supported.\n * To help developers, the build procedure now allows builders to use\n CFLAGS_APPEND to specify additional CFLAGS.\n * \"oidtree\" tests were rewritten to use the unit test framework.\n * The structure of the document that records longer-term project\n decisions to deprecate/remove/update various behaviour has been\n outlined.\n * The pseudo-merge reachability bitmap to help more efficient storage\n of the reachability bitmap in a repository with too many refs has\n been added.\n * When \"git merge\" sees that the index cannot be refreshed (e.g. due\n to another process doing the same in the background), it died but\n after writing MERGE_HEAD etc. 
files, which was useless for the\n purpose to recover from the failure.\n * The output from \"git cat-file --batch-check\" and \"--batch-command\n (info)\" should not be unbuffered, for which some tests have been\n added.\n * A CPP macro USE_THE_REPOSITORY_VARIABLE is introduced to help\n transition the codebase to rely less on the availability of the\n singleton the_repository instance.\n * \"git version --build-options\" reports the version information of\n OpenSSL and other libraries (if used) in the build.\n * Memory ownership rules for the in-core representation of\n remote.*.url configuration values have been straightened out, which\n resulted in a few leak fixes and code clarification.\n * When bundleURI interface fetches multiple bundles, Git failed to\n take full advantage of all bundles and ended up slurping duplicated\n objects, which has been corrected.\n * The code to deal with modified paths that are out-of-cone in a\n sparsely checked out working tree has been optimized.\n * An existing test of oidmap API has been rewritten with the\n unit-test framework.\n * The \"ort\" merge backend saw one bugfix for a crash that happens\n when inner merge gets killed, and assorted code clean-ups.\n * A new warning message is issued when a command has to expand a\n sparse index to handle working tree cruft that are outside of the\n sparse checkout.\n * The test framework learned to take the test body not as a single\n string but as a here-document.\n * \"git push \u0027\u0027 HEAD:there\" used to hit a BUG(); it has been corrected\n to die with \"fatal: bad repository \u0027\u0027\".\n * What happens when http.cookieFile gets the special value \"\" has\n been clarified in the documentation.\n Fixes\n * \"git rebase --signoff\" used to forget that it needs to add a\n sign-off to the resulting commit when told to continue after a\n conflict stops its operation.\n * The procedure to build multi-pack-index got confused by the\n replace-refs mechanism, which has been 
corrected by disabling the\n latter.\n * The \"-k\" and \"--rfc\" options of \"format-patch\" will now error out\n when used together, as one tells us not to add anything to the\n title of the commit, and the other one tells us to add \"RFC\" in\n addition to \"PATCH\".\n * \"git stash -S\" did not handle binary files correctly, which has\n been corrected.\n * A scheduled \"git maintenance\" job is expected to work on all\n repositories it knows about, but it stopped at the first one that\n errored out. Now it keeps going.\n * zsh can pretend to be a normal shell pretty well except for some\n glitches that we tickle in some of our scripts. Work them around\n so that \"vimdiff\" and our test suite works well enough with it.\n * Command line completion support for zsh (in contrib/) has been\n updated to stop exposing internal state to end-user shell\n interaction.\n * Tests that try to corrupt in-repository files in chunked format did\n not work well on macOS due to its broken \"mv\", which has been\n worked around.\n * The maximum size of attribute files is enforced more consistently.\n * Unbreak CI jobs so that we do not attempt to use Python 2 that has\n been removed from the platform.\n * Git 2.43 started using the tree of HEAD as the source of attributes\n in a bare repository, which has severe performance implications.\n For now, revert the change, without ripping out a more explicit\n support for the attr.tree configuration variable.\n * The \"--exit-code\" option of \"git diff\" command learned to work with\n the \"--ext-diff\" option.\n * Windows CI running in GitHub Actions started complaining about the\n order of arguments given to calloc(); the imported regex code uses\n the wrong order almost consistently, which has been corrected.\n * Expose \"name conflict\" error when a ref creation fails due to D/F\n conflict in the ref namespace, to improve an error message given by\n \"git fetch\".\n (merge 9339fca23e it/refs-name-conflict later to maint).\n * The 
SubmittingPatches document now refers folks to the manpages\n translation project.\n * The documentation for \"git diff --name-only\" has been clarified\n that it is about showing the names in the post-image tree.\n * The credential helper that talks with osx keychain learned to avoid\n storing back the authentication material it just received from\n the keychain.\n (merge e1ab45b2da kn/osxkeychain-skip-idempotent-store later to maint).\n * The chainlint script (invoked during \"make test\") did nothing when\n it failed to detect the number of available CPUs. It now falls\n back to 1 CPU to avoid the problem.\n * Revert overly aggressive \"layered defence\" that went into 2.45.1\n and friends, which broke \"git-lfs\", \"git-annex\", and other use\n cases, so that we can rebuild necessary counterparts in the open.\n * \"git init\" in an already created directory, when the user\n configuration has includeif.onbranch, started to fail recently,\n which has been corrected.\n * Memory leaks in \"git mv\" have been plugged.\n * The safe.directory configuration knob has been updated to\n optionally allow leading path matches.\n * Overly large \".gitignore\" files are now rejected silently.\n * Upon expiration event, the credential subsystem forgot to clear\n in-core authentication material other than password (whose support\n was added recently), which has been corrected.\n * Fix for an embarrassing typo that prevented Python2 tests from running\n anywhere.\n * Varargs functions that are unannotated as printf-like or execl-like\n have been annotated as such.\n * \"git am\" has a safety feature to prevent it from starting a new\n session when there already is a session going. It reliably\n triggers when an mbox is given on the command line, but it has to\n rely on the tty-ness of the standard input. 
Add an explicit way to\n opt out of this safety with a command line option.\n (merge 62c71ace44 jk/am-retry later to maint).\n * A leak in \"git imap-send\" that somehow escapes LSan has been\n plugged.\n * Setting core.abbrev too early before the repository set-up\n (typically in \"git clone\") caused a segfault, which has been\n corrected.\n * When the user adds an instruction to \"pick\" a merge commit to the\n \"git rebase -i\" todo list, the error experience is not pleasant. Such an error is now\n caught earlier in the process that parses the todo list.\n * We forgot to normalize the result of getcwd() to NFC on macOS where\n all other paths are normalized, which has been corrected. This still\n does not address the case where core.precomposeUnicode configuration\n is not defined globally.\n * Earlier we stopped using the tree of HEAD as the default source of\n attributes in a bare repository, but failed to document it. This\n has been corrected.\n * \"git update-server-info\" and \"git commit-graph --write\" have been\n updated to use the tempfile API to avoid leaving cruft after\n failing.\n * An unused extern declaration for mingw has been removed to prevent\n it from causing build failure.\n * A helper function shared between two tests had a copy-paste bug,\n which has been corrected.\n * \"git fetch-pack -k -k\" without passing \"--lock-pack\" (which we\n never do ourselves) did not work at all, which has been corrected.\n * CI job to build minimum fuzzers learned to pass NO_CURL=NoThanks to\n the build procedure, as its build environment does not offer, or\n the rest of the build needs, anything cURL.\n (merge 4e66b5a990 jc/fuzz-sans-curl later to maint).\n * \"git diff --no-ext-diff\" when diff.external is configured ignored\n the \"--color-moved\" option.\n (merge 0f4b0d4cf0 rs/diff-color-moved-w-no-ext-diff-fix later to maint).\n * \"git archive --add-virtual-file=\u003cpath\u003e:\u003ccontents\u003e\" never paid\n attention to the --prefix=\u003cprefix\u003e option but 
the documentation\n said it would. The documentation has been corrected.\n (merge 72c282098d jc/archive-prefix-with-add-virtual-file later to maint).\n * When GIT_PAGER failed to spawn, depending on the code path taken,\n we failed immediately (correct) or just spewed the payload to the\n standard output (incorrect). The code now always fails immediately\n when GIT_PAGER fails.\n (merge 78f0a5d187 rj/pager-die-upon-exec-failure later to maint).\n * Date parser updates to be more careful about underflowing epoch-based\n timestamps.\n (merge 9d69789770 db/date-underflow-fix later to maint).\n * The Bloom filter used for path limited history traversal was broken\n on systems whose \"char\" is unsigned; update the implementation and\n bump the format version to 2.\n (merge 9c8a9ec787 tb/path-filter-fix later to maint).\n * Typofix.\n (merge 231cf7370e as/pathspec-h-typofix later to maint).\n * Code clean-up.\n (merge 4b837f821e rs/simplify-submodule-helper-super-prefix-invocation later to maint).\n * \"git describe --dirty --broken\" forgot to refresh the index before\n seeing if there is any change (\"git describe --dirty\" correctly did\n so), which has been corrected.\n (merge b8ae42e292 as/describe-broken-refresh-index-fix later to maint).\n * Test suite has been taught not to unnecessarily rely on DNS failing\n a bogus external name.\n (merge 407cdbd271 jk/tests-without-dns later to maint).\n * GitWeb update to use committer date consistently in rss/atom feeds.\n (merge cf6ead095b am/gitweb-feed-use-committer-date later to maint).\n * Custom control structures we invented more recently have been\n taught to the clang-format file.\n (merge 1457dff9be rs/clang-format-updates later to maint).\n * Developer build procedure fix.\n (merge df32729866 tb/dev-build-pedantic-fix later to maint).\n * \"git push\" that pushes only deletions gave an unnecessary and\n harmless error message when push negotiation is configured, which\n has been corrected.\n (merge 4d8ee0317f 
jc/disable-push-nego-for-deletion later to maint).\n * Address-looking strings found on the trailer are now placed on the\n Cc: list after running through sanitize_address by \"git send-email\".\n (merge c852531f45 cb/send-email-sanitize-trailer-addresses later to maint).\n * Tests that use the GIT_TEST_SANITIZE_LEAK_LOG feature got their exit\n status inverted, which has been corrected.\n (merge 8c1d6691bc rj/test-sanitize-leak-log-fix later to maint).\n * The http.cookieFile and http.saveCookies configuration variables\n have a few values that need to be avoided, which are now ignored\n with warning messages.\n (merge 4f5822076f jc/http-cookiefile later to maint).\n * Repacking a repository with multi-pack index started making stupid\n pack selections in Git 2.45, which has been corrected.\n (merge 8fb6d11fad ds/midx-write-repack-fix later to maint).\n * Fix documentation mark-up regression in 2.45.\n (merge 6474da0aa4 ja/doc-markup-updates-fix later to maint).\n * Work around asciidoctor\u0027s css that renders `monospace` material\n in the SYNOPSIS section of manual pages as block elements.\n (merge d44ce6ddd5 js/doc-markup-updates-fix later to maint).\n\n- CVE-2024-24577: Fixed arbitrary code execution due to heap corruption\n in git_index_add (bsc#1219660)\n\n- Update to 2.45.2:\n \n * Revert \"defense in depth\" fixes from 2.45.1 that broke \u0027git lfs\u0027 and\n \u0027git annex\u0027\n\n- Remove dependency on /usr/bin/python3 using the\n %python3_fix_shebang_path macro, [bsc#1212476]\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Micro-6.0-470",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_20721-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2025:20721-1",
"url": "https://www.suse.com/support/update/announcement/2025/suse-su-202520721-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2025:20721-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2025-September/041929.html"
},
{
"category": "self",
"summary": "SUSE Bug 1212476",
"url": "https://bugzilla.suse.com/1212476"
},
{
"category": "self",
"summary": "SUSE Bug 1219660",
"url": "https://bugzilla.suse.com/1219660"
},
{
"category": "self",
"summary": "SUSE Bug 1235600",
"url": "https://bugzilla.suse.com/1235600"
},
{
"category": "self",
"summary": "SUSE Bug 1235601",
"url": "https://bugzilla.suse.com/1235601"
},
{
"category": "self",
"summary": "SUSE Bug 1239989",
"url": "https://bugzilla.suse.com/1239989"
},
{
"category": "self",
"summary": "SUSE Bug 1245938",
"url": "https://bugzilla.suse.com/1245938"
},
{
"category": "self",
"summary": "SUSE Bug 1245939",
"url": "https://bugzilla.suse.com/1245939"
},
{
"category": "self",
"summary": "SUSE Bug 1245942",
"url": "https://bugzilla.suse.com/1245942"
},
{
"category": "self",
"summary": "SUSE Bug 1245943",
"url": "https://bugzilla.suse.com/1245943"
},
{
"category": "self",
"summary": "SUSE Bug 1245946",
"url": "https://bugzilla.suse.com/1245946"
},
{
"category": "self",
"summary": "SUSE Bug 1245947",
"url": "https://bugzilla.suse.com/1245947"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24577 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24577/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-50349 page",
"url": "https://www.suse.com/security/cve/CVE-2024-50349/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-52006 page",
"url": "https://www.suse.com/security/cve/CVE-2024-52006/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27613 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27613/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-27614 page",
"url": "https://www.suse.com/security/cve/CVE-2025-27614/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46334 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46334/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-46835 page",
"url": "https://www.suse.com/security/cve/CVE-2025-46835/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48384 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48384/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48385 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48385/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-48386 page",
"url": "https://www.suse.com/security/cve/CVE-2025-48386/"
}
],
"title": "Security update for git",
"tracking": {
"current_release_date": "2025-09-22T09:07:57Z",
"generator": {
"date": "2025-09-22T09:07:57Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2025:20721-1",
"initial_release_date": "2025-09-22T09:07:57Z",
"revision_history": [
{
"date": "2025-09-22T09:07:57Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "git-2.51.0-1.1.aarch64",
"product": {
"name": "git-2.51.0-1.1.aarch64",
"product_id": "git-2.51.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "git-core-2.51.0-1.1.aarch64",
"product": {
"name": "git-core-2.51.0-1.1.aarch64",
"product_id": "git-core-2.51.0-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "perl-Git-2.51.0-1.1.aarch64",
"product": {
"name": "perl-Git-2.51.0-1.1.aarch64",
"product_id": "perl-Git-2.51.0-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "git-2.51.0-1.1.s390x",
"product": {
"name": "git-2.51.0-1.1.s390x",
"product_id": "git-2.51.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "git-core-2.51.0-1.1.s390x",
"product": {
"name": "git-core-2.51.0-1.1.s390x",
"product_id": "git-core-2.51.0-1.1.s390x"
}
},
{
"category": "product_version",
"name": "perl-Git-2.51.0-1.1.s390x",
"product": {
"name": "perl-Git-2.51.0-1.1.s390x",
"product_id": "perl-Git-2.51.0-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "git-2.51.0-1.1.x86_64",
"product": {
"name": "git-2.51.0-1.1.x86_64",
"product_id": "git-2.51.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "git-core-2.51.0-1.1.x86_64",
"product": {
"name": "git-core-2.51.0-1.1.x86_64",
"product_id": "git-core-2.51.0-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "perl-Git-2.51.0-1.1.x86_64",
"product": {
"name": "perl-Git-2.51.0-1.1.x86_64",
"product_id": "perl-Git-2.51.0-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Micro 6.0",
"product": {
"name": "SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sl-micro:6.0"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "git-2.51.0-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64"
},
"product_reference": "git-2.51.0-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-2.51.0-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x"
},
"product_reference": "git-2.51.0-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-2.51.0-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64"
},
"product_reference": "git-2.51.0-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-core-2.51.0-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64"
},
"product_reference": "git-core-2.51.0-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-core-2.51.0-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x"
},
"product_reference": "git-core-2.51.0-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "git-core-2.51.0-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64"
},
"product_reference": "git-core-2.51.0-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Git-2.51.0-1.1.aarch64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64"
},
"product_reference": "perl-Git-2.51.0-1.1.aarch64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Git-2.51.0-1.1.s390x as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x"
},
"product_reference": "perl-Git-2.51.0-1.1.s390x",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "perl-Git-2.51.0-1.1.x86_64 as component of SUSE Linux Micro 6.0",
"product_id": "SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
},
"product_reference": "perl-Git-2.51.0-1.1.x86_64",
"relates_to_product_reference": "SUSE Linux Micro 6.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-24577",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24577"
}
],
"notes": [
{
"category": "general",
"text": "libgit2 is a portable C implementation of the Git core methods provided as a linkable library with a solid API, allowing to build Git functionality into your application. Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. There is an issue in the `has_dir_name` function in `src/libgit2/index.c`, which frees an entry that should not be freed. The freed entry is later used and overwritten with potentially bad actor-controlled data leading to controlled heap corruption. Depending on the application that uses libgit2, this could lead to arbitrary code execution. This issue has been patched in version 1.6.5 and 1.7.2.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24577",
"url": "https://www.suse.com/security/cve/CVE-2024-24577"
},
{
"category": "external",
"summary": "SUSE Bug 1219660 for CVE-2024-24577",
"url": "https://bugzilla.suse.com/1219660"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "important"
}
],
"title": "CVE-2024-24577"
},
{
"cve": "CVE-2024-50349",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-50349"
}
],
"notes": [
{
"category": "general",
"text": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interprets to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker\u0027s control. This issue has been patched via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-50349",
"url": "https://www.suse.com/security/cve/CVE-2024-50349"
},
{
"category": "external",
"summary": "SUSE Bug 1235600 for CVE-2024-50349",
"url": "https://bugzilla.suse.com/1235600"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "moderate"
}
],
"title": "CVE-2024-50349"
},
{
"cve": "CVE-2024-52006",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-52006"
}
],
"notes": [
{
"category": "general",
"text": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-52006",
"url": "https://www.suse.com/security/cve/CVE-2024-52006"
},
{
"category": "external",
"summary": "SUSE Bug 1235601 for CVE-2024-52006",
"url": "https://bugzilla.suse.com/1235601"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "moderate"
}
],
"title": "CVE-2024-52006"
},
{
"cve": "CVE-2025-27613",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27613"
}
],
"notes": [
{
"category": "general",
"text": "Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk\u0027s Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27613",
"url": "https://www.suse.com/security/cve/CVE-2025-27613"
},
{
"category": "external",
"summary": "SUSE Bug 1245938 for CVE-2025-27613",
"url": "https://bugzilla.suse.com/1245938"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "moderate"
}
],
"title": "CVE-2025-27613"
},
{
"cve": "CVE-2025-27614",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-27614"
}
],
"notes": [
{
"category": "general",
"text": "Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-27614",
"url": "https://www.suse.com/security/cve/CVE-2025-27614"
},
{
"category": "external",
"summary": "SUSE Bug 1245939 for CVE-2025-27614",
"url": "https://bugzilla.suse.com/1245939"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "important"
}
],
"title": "CVE-2025-27614"
},
{
"cve": "CVE-2025-46334",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46334"
}
],
"notes": [
{
"category": "general",
"text": "Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46334",
"url": "https://www.suse.com/security/cve/CVE-2025-46334"
},
{
"category": "external",
"summary": "SUSE Bug 1245940 for CVE-2025-46334",
"url": "https://bugzilla.suse.com/1245940"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "important"
}
],
"title": "CVE-2025-46334"
},
{
"cve": "CVE-2025-46835",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-46835"
}
],
"notes": [
{
"category": "general",
"text": "Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-46835",
"url": "https://www.suse.com/security/cve/CVE-2025-46835"
},
{
"category": "external",
"summary": "SUSE Bug 1245942 for CVE-2025-46835",
"url": "https://bugzilla.suse.com/1245942"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "moderate"
}
],
"title": "CVE-2025-46835"
},
{
"cve": "CVE-2025-48384",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48384"
}
],
"notes": [
{
"category": "general",
"text": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48384",
"url": "https://www.suse.com/security/cve/CVE-2025-48384"
},
{
"category": "external",
"summary": "SUSE Bug 1245943 for CVE-2025-48384",
"url": "https://bugzilla.suse.com/1245943"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "important"
}
],
"title": "CVE-2025-48384"
},
{
"cve": "CVE-2025-48385",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48385"
}
],
"notes": [
{
"category": "general",
"text": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48385",
"url": "https://www.suse.com/security/cve/CVE-2025-48385"
},
{
"category": "external",
"summary": "SUSE Bug 1245946 for CVE-2025-48385",
"url": "https://bugzilla.suse.com/1245946"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "important"
}
],
"title": "CVE-2025-48385"
},
{
"cve": "CVE-2025-48386",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-48386"
}
],
"notes": [
{
"category": "general",
"text": "Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-48386",
"url": "https://www.suse.com/security/cve/CVE-2025-48386"
},
{
"category": "external",
"summary": "SUSE Bug 1245947 for CVE-2025-48386",
"url": "https://bugzilla.suse.com/1245947"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Micro 6.0:git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:git-core-2.51.0-1.1.x86_64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.aarch64",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.s390x",
"SUSE Linux Micro 6.0:perl-Git-2.51.0-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-09-22T09:07:57Z",
"details": "moderate"
}
],
"title": "CVE-2025-48386"
}
]
}