Git: GIT installation and security vulnerabilities

Created on 11 Dec 2019 · 4 Comments · Source: git-for-windows/git

We are in the process of installing Git-2.24.0.2-64-bit.exe on our Windows 10 machine, and our security team has alerted us that this Git installation will introduce the security vulnerabilities below into the RB network, which might cause a data leak or other security breach.

Could you please let us know why there are so many security vulnerabilities for Git-2.24.0.2-64-bit.exe, and also suggest how to eliminate them or any alternatives available.

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
    64-bit
$ git --version --build-options
Git-2.24.0.2-64-bit.exe
** insert your machine's response here **

All 4 comments

A new Git version was released yesterday, which fixes a lot of security issues.
See https://github.com/git-for-windows/git/releases/tag/v2.24.1.windows.2

git-22402-64-bitexe-2019-12-09-093118.pdf

Please provide this information in plain text, or pasted as Markdown.

@dscho You aren't missing anything... those reports appear to be effectively useless. A donut graph showing the number of "vulnerabilities" detected, a listing of components contained within the installer (git, gzip, openssh, etc.), and the following list of findings:

  Asymmetric keys: 2328
  AWS keys: 0
  Custom pattern matches: 0
  Emails: 3249
  HTTP authentication: 0
  Image metadata: 0
  IP addresses: 535
  JSON web tokens: 0
  MAC addresses: 56
  OAuth tokens: 0
  Passwords: 0
  Shell history: 0
  URLs: 6538

Notably missing is anything indicating specific problems, much less which individual component(s) are affected.
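The findings quoted above are bare counts. As an added example (not code from this thread, from the Git for Windows project, or from the scanner that produced the attached PDF), here is a small Python pattern scanner over constructed sample files showing what the same kind of categories look like when each match carries its file, line and a triage flag. The file paths, contents and pattern set are made up for the demonstration and stand in for an unpacked installer tree.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample contents standing in for an unpacked installer tree.
# Paths and text are made up for this demonstration; they are not files
# shipped by Git for Windows.
SAMPLE_FILES = {
    "usr/share/doc/git/README.txt": (
        "Git for Windows release notes\n"
        "Report bugs at https://github.com/git-for-windows/git/issues\n"
        "Maintainer: maintainer@example.com\n"
        "Installer: Git-2.24.0.2-64-bit.exe\n"
    ),
    "usr/share/git/t/fixtures/authorized_keys": (
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHc0testfixture0notasecret "
        "test@example.com\n"
    ),
    "etc/ssh/ssh_config": "Host buildbox\n    HostName 10.0.0.5\n",
    "tmp/demo_private_key.pem": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAAconstructedplaceholder\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# Naive patterns of the kind a counts-only scanner applies. Note that the
# IPv4 pattern also matches dotted version strings such as 2.24.0.2, which
# is one way an "IP addresses" count gets inflated.
PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "public key": re.compile(r"\bssh-(?:rsa|ed25519|dss) AAAA[0-9A-Za-z+/]+=*"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://[^\s<>\"']+"),
}

# Only a private key is a secret on its own; every other category is public
# data that needs a human with the file in front of them to judge.
SECRET_CATEGORIES = {"private key"}


@dataclass(frozen=True)
class Finding:
    category: str
    path: str
    line: int
    match: str
    actionable: bool


def scan(files):
    """Run every pattern over every line and keep the location of each hit."""
    findings = []
    for path in sorted(files):
        for lineno, text in enumerate(files[path].splitlines(), start=1):
            for category, pattern in PATTERNS.items():
                for hit in pattern.finditer(text):
                    findings.append(Finding(category, path, lineno, hit.group(0),
                                            category in SECRET_CATEGORIES))
    return findings


def summarize(findings):
    """The counts-only view: the same information the PDF report gives."""
    return dict(Counter(f.category for f in findings))


def triage(findings):
    """The actionable view: matches that are secrets by themselves."""
    return [f for f in findings if f.actionable]


if __name__ == "__main__":
    results = scan(SAMPLE_FILES)
    print("Counts only:", summarize(results))
    print("Actionable findings with location:")
    for f in triage(results):
        print(f"  {f.category}: {f.path}:{f.line}: {f.match}")
    print("Everything else, for human review:")
    for f in results:
        if not f.actionable:
            print(f"  {f.category}: {f.path}:{f.line}: {f.match}")
```

On the constructed input the counts-only view reports one private key, one public key, two emails, two "IP addresses" and one URL, which says nothing about where to look; the located view shows that one of the two IPv4 hits is the installer's own version string and that the public key sits in a test fixture, while the single private-key hit names the file to open.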

In short, the report not only targets the wrong version, not only deleted large parts of the bug reporting template without replacement, but it is also missing pretty much all the important information?

In addition to that, there is no reaction from @dlk-pavan despite raising a rather alarming report that tied up _three_ contributors.

Then there is really nothing we can do here, and I will close it.
