Git for Windows v2.40.0-rc2.windows.1

Changes since Git for Windows v2.39.2 (February 14th 2023)

As announced previously, Git for Windows will drop support for Windows 7 and for Windows 8 in one of the next versions, following Cygwin's and MSYS2's lead (Git for Windows relies on MSYS2 for components such as Bash and Perl).

Also following the footsteps of the MSYS2 and Cygwin projects on which Git for Windows depends, the 32-bit variant of Git for Windows is nearing its end of support.

New Features

• Comes with Git v2.40.0-rc2.
• In the olden Git days, there were "dashed" Git commands (e.g. git-commit instead of git commit). These haven't been supported for interactive use in a really, really long time. But they still worked in Git aliases and hooks ("scripts"). Since Git v1.5.4 (released on February 2nd, 2008), it was discouraged/deprecated to use dashed Git commands even in scripts. As of this version, Git for Windows no longer supports these dashed commands.
• Comes with tig v2.5.8.
• Comes with Bash v5.2 patchlevel 15.
• Comes with OpenSSL v1.1.1t.
• Comes with GNU TLS v3.8.0.
• Comes with cURL v7.88.1.
• Comes with libfido2 v1.13.0.
• Comes with Git Credential Manager v2.0.935.

Bug Fixes

• Some commands mishandled absolute paths near the drive root (e.g. scalar unregister C:/foo), which has been fixed.
• When trying to call Cygwin (or for that matter, MSYS2) programs from Git Bash, users would frequently be greeted with cryptic error messages about a "cygheap" or even just an even more puzzling exit code 127. Many of these calls now succeed, allowing basic interactions. While it is still not possible for, say, Cygwin's vim.exe to interact with the Git Bash's terminal window, it is now possible for Cygwin's zstd.exe in conjuction with Git for Windows' tar.exe to handle .tar.zst archives.

Filename	SHA-256
Git-2.40.0-rc2-64-bit.exe	a9854cbbb47c826f5d0aec45d96c113dcf88c94ce70a9bf0749a2b04f1fb6b09
Git-2.40.0-rc2-32-bit.exe	2a4b040f7aa20d9ec996159dfc7cb566e783d4fc6722c3916b0fd61e869e8f60
PortableGit-2.40.0-rc2-64-bit.7z.exe	0c40e61a96ddd624b8125e3b542b8a26b6d86ff2204f8645d43782190e2f74ae
PortableGit-2.40.0-rc2-32-bit.7z.exe	d771f24ffc9f4d960986a132bef2045af406ffc4abf78d54e3f8ac56c19668ff
MinGit-2.40.0-rc2-64-bit.zip	de257f4ac5872a5864eca7476201a00f5b827a329933f7a7339bc67026d0bd5c
MinGit-2.40.0-rc2-32-bit.zip	fc02caeb1502a27575ff1bbd8dcae49a76793944be451e639821b4c8bd25f954
MinGit-2.40.0-rc2-busybox-64-bit.zip	9cb55ff1fbb03ce81acf69408db00a103b32c54009fd4b9515d70b50bb56cc51
MinGit-2.40.0-rc2-busybox-32-bit.zip	af2fb84fc9f0104f02bb310a44a448da9b0a85b42cd0daba67e1641d0a85bba0
Git-2.40.0-rc2-64-bit.tar.bz2	ee3f3a9a79eb862eeedcc06a35c2ca5e4f0903a476d0ae2d0c55add4b20065be
Git-2.40.0-rc2-32-bit.tar.bz2	ddd8d7654b394cc7cc2ff825f73ab086bb3e43bea38ec5996e9ab4a7405ae58a

Git for Windows v2.40.0-rc1.windows.1

Changes since Git for Windows v2.39.2 (February 14th 2023)

As announced previously, Git for Windows will drop support for Windows 7 and for Windows 8 in one of the next versions, following Cygwin's and MSYS2's lead (Git for Windows relies on MSYS2 for components such as Bash and Perl).

Also following the footsteps of the MSYS2 and Cygwin projects on which Git for Windows depends, the 32-bit variant of Git for Windows is nearing its end of support.

New Features

• Comes with Git v2.40.0-rc1.
• In the olden Git days, there were "dashed" Git commands (e.g. git-commit instead of git commit). These haven't been supported for interactive use in a really, really long time. But they still worked in Git aliases and hooks ("scripts"). Since Git v1.5.4 (released on February 2nd, 2008), it was discouraged/deprecated to use dashed Git commands even in scripts. As of this version, Git for Windows no longer supports these dashed commands.
• Comes with tig v2.5.8.
• Comes with Bash v5.2 patchlevel 15.
• Comes with OpenSSL v1.1.1t.
• Comes with GNU TLS v3.8.0.
• Comes with cURL v7.88.1.
• Comes with libfido2 v1.13.0.
• Comes with Git Credential Manager v2.0.935.

Bug Fixes

• Some commands mishandled absolute paths near the drive root (e.g. scalar unregister C:/foo), which has been fixed.
• When trying to call Cygwin (or for that matter, MSYS2) programs from Git Bash, users would frequently be greeted with cryptic error messages about a "cygheap" or even just an even more puzzling exit code 127. Many of these calls now succeed, allowing basic interactions. While it is still not possible for, say, Cygwin's vim.exe to interact with the Git Bash's terminal window, it is now possible for Cygwin's zstd.exe in conjuction with Git for Windows' tar.exe to handle .tar.zst archives.

Filename	SHA-256
Git-2.40.0-rc1-64-bit.exe	69dfa0bfbec9e5836561968421adb60133ce3aaba6acc01ddb45e2e042a59d5f
Git-2.40.0-rc1-32-bit.exe	6cd10560bdf090d920e4a15c23070b469a5a9e35b277a0a6e6fd69e8e7be9efe
PortableGit-2.40.0-rc1-64-bit.7z.exe	37233d2e767c43b0d3b65bb3fb2151dd600fdf5d61db83db048bd5f6d1d6aade
PortableGit-2.40.0-rc1-32-bit.7z.exe	fb40cfff8e435843b0fff724c03a89cac973cf5f1844b322a75718ee23d01a65
MinGit-2.40.0-rc1-64-bit.zip	96977c7cca2278878f155c7f50ba1b3e46102442606beab8a15d5aa813dbe762
MinGit-2.40.0-rc1-32-bit.zip	3ab0bee7839a1e2228c09b31229ea1da74971e76207973c1ee6151037d723207
MinGit-2.40.0-rc1-busybox-64-bit.zip	0f2c7622658ceda02012e0c038a762fd46135a60cef4f823b7b0ae2fc66cb58c
MinGit-2.40.0-rc1-busybox-32-bit.zip	f98139fff494e405a125702dd6c4a3127246ecafce4db7dc85325dc0a668d8f8
Git-2.40.0-rc1-64-bit.tar.bz2	d22ab790bf89228e25fbd661076cd40a1ac59109f9ab7d2eb9d25eaf883a3ab5
Git-2.40.0-rc1-32-bit.tar.bz2	6117a414bc1e24f3b0b995c695cbb795eb431ed40648474eef77dc83ba374eeb

Git for Windows 2.40.0-rc0

Changes since Git for Windows v2.39.2 (February 14th 2023)

New Features

• Comes with Git v2.40.0-rc0.

Filename	SHA-256
Git-2.40.0-rc0-64-bit.exe	79fbddbb371a35dcd9b9ff1c2e5e6cae02ee70850b61c177a77c55e3aebfb142
Git-2.40.0-rc0-32-bit.exe	74856e12f4e9c4812dc7399d107f6a6cc08e808d101d8855de47312a9fec58fa
PortableGit-2.40.0-rc0-64-bit.7z.exe	c15f18be2418ac4c7958c3c78323163735e4c841a0077ed027f439b1e6e994de
PortableGit-2.40.0-rc0-32-bit.7z.exe	ef37a588ceef15f72281f7fee255273005b75b73febb798860ca0639f1e72411
MinGit-2.40.0-rc0-64-bit.zip	1a746ae0fff8e44f6dc05f0062c031d4d84ca4d7d4425cc061eaa83c199ff236
MinGit-2.40.0-rc0-32-bit.zip	bb8eafa4488ddfcc12d7586824030d890da8ed8e008eb8d9628c834c762b750c
MinGit-2.40.0-rc0-busybox-64-bit.zip	1226f4af12e834422d5edcde5d35ba71f05dc24ab7e2e99d09d2107d596f6239
MinGit-2.40.0-rc0-busybox-32-bit.zip	0f98017a8d2178f198e37883175385fa7f307f9ba2a9a1c60f52603f776d033c
Git-2.40.0-rc0-64-bit.tar.bz2	41083788a8a3b207deddb777143e4a9f56f777050cf775c59da87735a0fb1f26
Git-2.40.0-rc0-32-bit.tar.bz2	637256ea38e2402b77e719c700b61c93ec61574abc9d0acf603b0fe0caaeb389

Git for Windows 2.39.2

Changes since Git for Windows v2.39.1 (January 17th 2023)

This is a security release, addressing CVE-2023-22490, CVE-2023-22743, CVE-2023-23618 and CVE-2023-23946.

New Features

• Comes with Git v2.39.2.

Bug Fixes

• Addresses CVE-2023-22743, a vulnerability rated "high" making the Git for Windows' installer susceptible to DLL side-loading attacks.
• Addresses CVE-2023-23618, a vulnerability rated "high" where gitk would inadvertently execute programs placed in the worktree.
• Addresses CVE-2023-22490, a moderate vulnerability allowing for data exfiltration in local clones.
• Addresses CVE-2023-23946, a moderate vulnerability that would allow crafted patches to trick git apply into writing into files outside the current directory.

Filename	SHA-256
Git-2.39.2-64-bit.exe	d7608fbd854b3689102ff48b03c8cc77b35138f9f7350d134306da0ba5751464
Git-2.39.2-32-bit.exe	addf55b0a57f38a7950b3ad37ce5c76752202e6818d9f8995b477496b71fb757
PortableGit-2.39.2-64-bit.7z.exe	20e3959d4e310a79b5cf4138797aa247d473d1f7b077a6c433cbfc4ddc5486f1
PortableGit-2.39.2-32-bit.7z.exe	84ea6be01df896f6d50192ba4cda85c38ab995154f7aa9d3849492a15f21b500
MinGit-2.39.2-64-bit.zip	a53b90a42d9a5e3ac992f525b5805c4dbb8a013b09a32edfdcf9a551fd8cfe2d
MinGit-2.39.2-32-bit.zip	f2027f51f8b12e5bd3c94782edddcfe277e26a3fc7c014707a72b04714f3b90f
MinGit-2.39.2-busybox-64-bit.zip	ee36c33719ad2f4b23f00e40469045ac4d3ad30e4321fe6d2adbcf3176b747b2
MinGit-2.39.2-busybox-32-bit.zip	c6c0b7fd055a968bb89bff1af6d8cad846f996664ef2aa1b5fdbab6b77c77679
Git-2.39.2-64-bit.tar.bz2	14012aba35914970ace948a11b8749847f0e180d4e47eaa72dd091d56dbc7586
Git-2.39.2-32-bit.tar.bz2	fc0a304f933a7690e45187261ae9132d6586a62a79f540234ce836c000df3f56

MinGit v2.35.7.windows.1

MinGit for Windows v2.35.7

Changes since Git for Windows v2.35.6 (January 17 2023):

Bug Fixes

* CVE-2023-22490:

  Using a specially-crafted repository, Git can be tricked into using
  its local clone optimization even when using a non-local transport.
  Though Git will abort local clones whose source $GIT_DIR/objects
  directory contains symbolic links (c.f., CVE-2022-39253), the objects
  directory itself may still be a symbolic link.

  These two may be combined to include arbitrary files based on known
  paths on the victim's filesystem within the malicious repository's
  working copy, allowing for data exfiltration in a similar manner as
  CVE-2022-39253.

* CVE-2023-23946:

  By feeding a crafted input to "git apply", a path outside the
  working tree can be overwritten as the user who is running "git
  apply".

* A mismatched type in `attr.c::read_attr_from_index()` which could
  cause Git to errantly reject attributes on Windows and 32-bit Linux
  has been corrected.

Git for Windows 2.39.1

Changes since Git for Windows v2.39.0(2) (December 21st 2022)

This is a security release, addressing CVE-2022-41903, CVE-2022-23521 and CVE-2022-41953.

New Features

• Comes with Git v2.39.1.

Bug Fixes

• Addresses CVE-2022-23521, a critical vulnerability in the .gitattributes parsing that potentially allows malicious code to be executed while cloning.
• Addresses CVE-2022-41953, a vulnerability that makes Git GUI's Clone function susceptible to Remote Code Execution attacks.
• Addresses CVE-2022-41903, a vulnerability that may allow heap overflows and code to be executed inadvertently during a git archive invocation.
• A regression introduced in Git for Windows v2.39.0(2) that prevented cloning from Bitbucket was fixed.

Filename	SHA-256
Git-2.39.1-64-bit.exe	82d088233144054d14d8cc890870544f1ac6ac73aebade87c4d96c97b55d8508
Git-2.39.1-32-bit.exe	b9ac2863b42eb60ee6cbb0663378bb119cb976a52985d4bbe92ad00b073ffed2
PortableGit-2.39.1-64-bit.7z.exe	b898306a44084b5fa13b9a52e06408d97234389d07ae41d9409bdf58cad3d227
PortableGit-2.39.1-32-bit.7z.exe	2cb1a83f30f0c2948c97d3dc683c8b058c808f89b51bfb813de67253d17caa15
MinGit-2.39.1-64-bit.zip	000649846ec6e28e8f76d4a0d02f02b3dd1ba19914385f7dead1c5cde25b3bad
MinGit-2.39.1-32-bit.zip	e36dc71d97359f584d25efbdabb4122fb71514bcba5a99df1b82a83cee9472e3
MinGit-2.39.1-busybox-64-bit.zip	c2b54edf2f5b3c7a7bb65640d49f8d7a953145b989125c8749e673d03e2a80f1
MinGit-2.39.1-busybox-32-bit.zip	4a28a9bd4e49d260ae3c35bf9a2cdb91f12d4a4cf081f21b3df278e76f401262
Git-2.39.1-64-bit.tar.bz2	2a33c6fef5ed9d2794013fe965066b80c24b556168aca28c0252c1e11859f4ad
Git-2.39.1-32-bit.tar.bz2	fdbbd5bcbe00f8981df11cdff87f74440b1a64f40898740559f68e4565555a44

MinGit v2.35.6.windows.1

MinGit for Windows v2.35.6

Changes since Git for Windows v2.35.5 (October 13 2022):

Bug Fixes

* CVE-2022-41903:

   git log has the ability to display commits using an arbitrary
   format with its --format specifiers. This functionality is also
   exposed to git archive via the export-subst gitattribute.

   When processing the padding operators (e.g., %<(, %<|(, %>(,
   %>>(, or %><( ), an integer overflow can occur in
   pretty.c::format_and_pad_commit() where a size_t is improperly
   stored as an int, and then added as an offset to a subsequent
   memcpy() call.

   This overflow can be triggered directly by a user running a
   command which invokes the commit formatting machinery (e.g., git
   log --format=...). It may also be triggered indirectly through
   git archive via the export-subst mechanism, which expands format
   specifiers inside of files within the repository during a git
   archive.

   This integer overflow can result in arbitrary heap writes, which
   may result in remote code execution.

* CVE-2022-23521:

   gitattributes are a mechanism to allow defining attributes for
   paths. These attributes can be defined by adding a `.gitattributes`
   file to the repository, which contains a set of file patterns and
   the attributes that should be set for paths matching this pattern.

   When parsing gitattributes, multiple integer overflows can occur
   when there is a huge number of path patterns, a huge number of
   attributes for a single pattern, or when the declared attribute
   names are huge.

   These overflows can be triggered via a crafted `.gitattributes` file
   that may be part of the commit history. Git silently splits lines
   longer than 2KB when parsing gitattributes from a file, but not when
   parsing them from the index. Consequentially, the failure mode
   depends on whether the file exists in the working tree, the index or
   both.

   This integer overflow can result in arbitrary heap reads and writes,
   which may result in remote code execution.

Git for Windows 2.39.0(2)

Changes since Git for Windows v2.39.0 (December 12th 2022)

New Features

• Comes with PCRE2 v10.42.
• Comes with Git Credential Manager v2.0.886.
• Comes with MinTTY v3.6.3.
• Comes with cURL v7.87.0.

Bug Fixes

• The installer is expected to stop GPG agents automatically, but there was a bug that prevented that from working, which has been fixed.
• A regression that caused no_proxy to be ignored was fixed by upgrading libcurl.
• The Git Credential Manager version shipped with Git for Windows v2.39.0 could not always find its UI helper which was fixed by upgrading to a fixed version.
• A bug in MinTTY caused it to throw a Critical Error when the printer spool service was not started, which was fixed by upgrading MinTTY.

Filename	SHA-256
Git-2.39.0.2-64-bit.exe	8cf0ee3efaabe8a9b9b6b6889ae0ed369d9f1c85696ad637e715959921ed71c3
Git-2.39.0.2-32-bit.exe	eb5a8bd17995117a3bcdb0b9fcec74141ae6b1a74fe960fd0c9192a2b1d9c903
PortableGit-2.39.0.2-64-bit.7z.exe	0a58c7b062a29bc44fb573c9afc5323011d01237dd94c74e6c833929cfe25436
PortableGit-2.39.0.2-32-bit.7z.exe	042de3e9f87e529ee53ed31385bc76b39a9794c32c18ea7c62e3e6445dd8484d
MinGit-2.39.0.2-64-bit.zip	771e7bef1b672e3f63b18b8c4a62d626c8f47c41390a745f313758c0b6ae4d63
MinGit-2.39.0.2-32-bit.zip	a5ac14121bb0fe879355f58db15aae41205046b7cd1832df40d1e784aa8e1c70
MinGit-2.39.0.2-busybox-64-bit.zip	4337be32536f6840da4ef67ef93996a3808b774c4f61e3a2a585f5d968d1b1d3
MinGit-2.39.0.2-busybox-32-bit.zip	f68c4c5dce5cda8743d8a134174d1cbf0e0af725791bbc3c4062f3fdf93094b2
Git-2.39.0.2-64-bit.tar.bz2	1e81e8b0026cfa71050f81abf10669733a7b66b44c68e5a9448ace15cf521030
Git-2.39.0.2-32-bit.tar.bz2	bf5e3281378e8ed23f6bff3f3e1ef7d84932050c2f590f75e4f19d419b7387ec

Git for Windows 2.39.0

Changes since Git for Windows v2.38.1 (October 18th 2022)

New Features

• Comes with Git v2.39.0.
• Comes with OpenSSL v1.1.1s.
• Comes with cURL v7.86.0.
• The Portable Git edition (which comes as a self-extracting 7-Zip archive) now uses the latest 7-Zip version to self-extract.
• Comes with OpenSSH v9.1p1.
• It is now possible to generate and use SSH keys protected by security keys (AKA FIDO devices) via Windows Hello, e.g. via ssh-keygen.exe -t ecdsa-sk.
• Portable Git no longer configures color.diff, color.status and color.branch individually, but configures color.ui instead, which makes it easier to override the default.
• Comes with GNU TLS v3.7.8.
• Comes with Git Credential Manager Core v2.0.877.
• Comes with MinTTY v3.6.2.
• Comes with Bash v5.2 patchlevel 12.
• Comes with Git LFS v3.3.0.
• Comes with PCRE2 v10.41.

Bug Fixes

• The Git executables (e.g. git.exe itself) used to have incomplete version information recorded in their resources, which has been fixed.
• A regression introduced in Git for Windows v2.38.0 that prevented git.exe from running in Windows Nano Server containers was fixed.

Filename	SHA-256
Git-2.39.0-64-bit.exe	2eaba567e17784654be77ba997329742d87845c6f15e33c9620f9a331c69a976
Git-2.39.0-32-bit.exe	5b01ddb342a07e74e723fe93bc84c275a19236e853c406b4496478e64a7f8add
PortableGit-2.39.0-64-bit.7z.exe	8ca31e8474048b48b813ebdf95f288d58f253717d071d11785cc23f37dc6a396
PortableGit-2.39.0-32-bit.7z.exe	b8332fc12bcb1343d57c785d7ec140e2fd89f9d7f70309a00e79f9822c2cc855
MinGit-2.39.0-64-bit.zip	ae6863d7b7641ecf73f61edadbc7d1ff8259d08eccb4b9f006bb443d90910c25
MinGit-2.39.0-32-bit.zip	ad20467cf6a4c215b2c71f9bee192fb8ea1696fa3dda8e35e89544cdabdc1c7a
MinGit-2.39.0-busybox-64-bit.zip	a5d177bceeddfecc97c2340f0c8bc97d55ba113c4cd5b6b7d58e513dccb3d74f
MinGit-2.39.0-busybox-32-bit.zip	cb8371cbba56562f7af1d54281afb24bfa23395a57a0868398f644a79c2fea2a
Git-2.39.0-64-bit.tar.bz2	ed78c21d89281d91fb1282043c3b618350e8ff721947ad01678356126b0447f3
Git-2.39.0-32-bit.tar.bz2	09126077d63b3e3e19c90599f86c037eb57edddf255e75acc31720428d03d78b

Git for Windows 2.39.0-rc2

Changes since Git for Windows v2.38.1 (October 18th 2022)

New Features

• Comes with Git v2.39.0-rc2.
• Comes with OpenSSL v1.1.1s.
• Comes with cURL v7.86.0.
• The Portable Git edition (which comes as a self-extracting 7-Zip archive) now uses the latest 7-Zip version to self-extract.
• Comes with OpenSSH v9.1p1.
• It is now possible to generate and use SSH keys protected by security keys (AKA FIDO devices) via Windows Hello, e.g. via ssh-keygen.exe -t ecdsa-sk.
• Portable Git no longer configures color.diff, color.status and color.branch individually, but configures color.ui instead, which makes it easier to override the default.
• Comes with GNU TLS v3.7.8.
• Comes with Git Credential Manager Core v2.0.877.
• Comes with MinTTY v3.6.2.
• Comes with Bash v5.2 patchlevel 12.
• Comes with Git LFS v3.3.0.

Bug Fixes

• The Git executables (e.g. git.exe itself) used to have incomplete version information recorded in their resources, which has been fixed.
• A regression introduced in Git for Windows v2.38.0 that prevented git.exe from running in Windows Nano Server containers was fixed.

Filename	SHA-256
Git-2.39.0-rc2-64-bit.exe	00845a71bc814d2ace4a83f25ee042e04e1e742813460ee64b99028c801aaac2
Git-2.39.0-rc2-32-bit.exe	214c9e69e1ca6b0a299b4028f0053a735f07cdc27504a187d720048de33f5715
PortableGit-2.39.0-rc2-64-bit.7z.exe	62557cbfb57e40da55dc96596d985dc409ee8f665fa265856982b92320773d27
PortableGit-2.39.0-rc2-32-bit.7z.exe	ba968b714dab78d63ad0fa66c1ab38980d46a591c2752e987f47523c136de90a
MinGit-2.39.0-rc2-64-bit.zip	c05bd4694da21047083b0858a09453f6cf1c871933ec2c303bf352eb0b0391fb
MinGit-2.39.0-rc2-32-bit.zip	6d55bf2e405f7005477af028d670ee5fe79e22d5e1b7ab282ef5c030b3c9625c
MinGit-2.39.0-rc2-busybox-64-bit.zip	c7617169686d04f6622a545019b000f318151a774e769e900595a1db21b4ba6d
MinGit-2.39.0-rc2-busybox-32-bit.zip	9b1593b76b759f41631e43f775ac40ce902eba24247cadd02a0fdd1a265e063a
Git-2.39.0-rc2-64-bit.tar.bz2	cf8d13e34810f6e90403098783c47c8c3213a3a6cbc35578d5e63f731b29e1a6
Git-2.39.0-rc2-32-bit.tar.bz2	2e1e4100e80c62bcf7086140ea30e07f107328e2378545302620c27896f87be8