[New git version] v2.48.1

[github-actions]

https://github.com/git/git/releases/tag/v2.48.1

[bricss]

Cannot wait to shot 💉 it down straight into my twister 🪢 pair 🙄

[steinybot]

I'm interested in this to avoid https://nvd.nist.gov/vuln/detail/CVE-2024-52006. I know that is marked as low but given the prevalence of other high vulnerabilities found in the Clone2Leak research, I suspect that there could be other vulnerabilities which this could prevent.

[jeremyd2019]

Wasn't that fix backported into 2.47.1.2?

[steinybot]

Wasn't that fix backported into 2.47.1.2?

No I don't think so. It was backported to 2.47.2.

[rimrul]

Wasn't that fix backported into 2.47.1.2?

No I don't think so. It was backported to 2.47.2.

The linked release notes mention that CVE number under "Bug Fixes".

[dscho]

Indeed, CVE-2024-52006 was addressed in v2.47.1(2), along with four other CVEs.

Technically, it is not even correct to say that the fix was backported from v2.47.2 because Git for Windows v2.47.1(2) was built (and distributed to stakeholders well in advance of the public release) waaay before Git v2.47.2 was tagged.

[bricss]

@dscho any ETA 🗓️ when new 🆕 release may drop? 🙄

[dscho]

@bricss nope, still busy with other things.

[dscho]

I actually have the PR branch ready, but needed to do some clean-up first (which I hope to merge tomorrow). My best bet is that Git for Windows v2.48.1 will be released this coming Monday or Tuesday.

[dscho]

I actually have the PR branch ready,

And just as a side note: since there are no functional changes between the current main and that PR branch, the current snapshot is basically as good as v2.48.1 will be.

[bricss]

@dscho FYI ℹ️

Due to a range of bad regressions in the curl 8.12.0 release, we are working on getting a patch release out. curl 8.12.1 ships on February 13 and contains a set of bugfixes.

curl/curl#16259

[dscho]

@bricss wow, thank you so much for paying attention and giving me a heads-up!