Hi folks, Version 2.31.1-2 of Git has been uploaded and should be coming soon to a mirror near you.
This update addresses CVE-2021-29468, which would cause Git to overwrite arbitrary files with attacker-controlled contents when checking out content from a malicious repository, and in particular would allow an attacker to overwrite Git hooks to execute arbitrary code. This vulnerability is present on all Cygwin Git versions prior to v2.31.1-2. Until you have that release, the best mitigation is to not clone or check out from any untrusted Git repositories. There is a small amount of additional information in the GitHub Security Advisory at https://github.com/me-and/Cygwin-Git/security/advisories/GHSA-rmp3-wq55-f557 If you compile Git on Cygwin yourself, there is currently no upstream patch that addresses the vulnerability. Until there is, I would recommend applying the preliminary patch at https://github.com/me-and/Cygwin-Git/blob/main/check-backslash-safety.patch I'd like to thank RyotaK (https://github.com/Ry0taK / https://twitter.com/ryotkak) for finding and responsibly disclosing this vulnerability, and Johannes Schindelin for helping manage the response. Kind regards, Adam