git-2.47.3-1.el9_6

Errata ID: AXSA:2025-10640:10

Release date: Tuesday, July 29, 2025 - 21:47
Subject: git-2.47.3-1.el9_6
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description:

Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

Security Fix(es):

* git: Git does not sanitize URLs when asking for credentials interactively (CVE-2024-50349)
* git: Newline confusion in credential helpers can lead to credential exfiltration in git (CVE-2024-52006)
* git: Git arbitrary code execution (CVE-2025-48384)
* git: Git arbitrary file writes (CVE-2025-48385)
* gitk: Git file creation flaw (CVE-2025-27613)
* gitk: git script execution flaw (CVE-2025-27614)
* git: Git GUI can create and overwrite files for which the user has write permission (CVE-2025-46835)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2024-50349
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have already been decoded and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences which the terminal interprets, confusing users e.g. into providing passwords for trusted Git hosting sites when in fact they are sent to untrusted sites under the attacker's control. This issue has been patched via commits `7725b81` and `c903985`, which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
CVE-2024-52006
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones.
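The credential-helper protocol described above is line-based, so the defensive property that matters is that no key or value may carry a carriage return or other control byte. The following parser is an added example written for this advisory, not code from Git or from any credential helper; the request format (key=value lines terminated by a blank line) follows git-credential(1), and the sample requests are constructed.

```python
def parse_credential_request(data: bytes) -> dict:
    """Parse one credential request (key=value lines ended by a blank line).

    Raises ValueError on any control character instead of passing the value
    on, so a helper whose runtime treats a lone CR as a line break never sees
    a line that the caller did not send (the CVE-2024-52006 failure mode).
    """
    fields = {}
    for raw in data.split(b"\n"):
        if raw == b"":
            break                       # blank line terminates the request
        key, sep, value = raw.partition(b"=")
        if not sep or not key:
            raise ValueError(f"malformed line: {raw!r}")
        # Reject CR, NUL, DEL and every other C0 control byte in key or value.
        for part in (key, value):
            if any(b < 0x20 or b == 0x7F for b in part):
                raise ValueError(f"control character in field {key!r}")
        if not key.isascii():
            raise ValueError(f"non-ASCII key {key!r}")
        # UnicodeDecodeError is a ValueError, so bad UTF-8 is rejected too.
        fields[key.decode("ascii")] = value.decode("utf-8")
    return fields


def is_safe_request(data: bytes) -> bool:
    """True when the request parses cleanly, False when it would be rejected."""
    try:
        parse_credential_request(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: a clean one, and one with a CR smuggled into a value.
    print(parse_credential_request(b"protocol=https\nhost=example.com\n\n"))
    print(is_safe_request(b"protocol=https\nhost=example.com\rpath=x\n\n"))
```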
CVE-2025-27613
Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option "Support per-file encoding" must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when "Show origin of this line" is used in the main window (regardless of whether "Support per-file encoding" is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-27614
Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.
CVE-2025-46835
Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1.
CVE-2025-48384
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
CVE-2025-48385
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
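Because CVE-2025-48384 hinges on a trailing carriage return that Git strips when it reads a config value, a reviewer can spot the condition by scanning the raw `.gitmodules` text on LF boundaries only, before running a recursive clone or `git submodule update`. The scanner below is an added example for this advisory, not Git's own code; the `.gitmodules` content it checks is constructed, and the section/key regexes cover the common `[submodule "name"]` / `key = value` layout rather than the full git-config grammar.

```python
import re

SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=(?P<value>.*)$')


def _has_control_char(s: str) -> bool:
    """True if s contains any C0 control character (CR, LF, NUL, ...) or DEL."""
    return any(ord(c) < 0x20 or c == "\x7f" for c in s)


def find_control_chars_in_gitmodules(text: str) -> list:
    """Return (section, key, value) for every raw value holding a control char.

    Splitting on '\n' only (never on '\r') keeps a trailing CR visible, which
    is exactly the byte Git would silently drop when reading the same value.
    """
    findings = []
    section = None
    for line in text.split("\n"):
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            if _has_control_char(section):
                findings.append((section, "(section name)", section))
            continue
        m = KEY_RE.match(line)
        if not m or section is None:
            continue
        value = m.group("value").strip(" \t")   # keep CR, strip only blanks
        if _has_control_char(value):
            findings.append((section, m.group("key"), value))
    return findings


# Constructed .gitmodules: "lib" is clean, "vendor" carries a trailing CR on path.
SAMPLE_GITMODULES = (
    '[submodule "lib"]\n'
    '\tpath = lib\n'
    '\turl = https://example.com/lib.git\n'
    '[submodule "vendor"]\n'
    '\tpath = vendor/x\r\n'
    '\turl = https://example.com/x.git\n'
)

if __name__ == "__main__":
    for section, key, value in find_control_chars_in_gitmodules(SAMPLE_GITMODULES):
        print(f"submodule {section!r}: {key} = {value!r}")
```

Run it against a freshly cloned repository's `.gitmodules` (and, for nested modules, each submodule's own file) before enabling `--recurse-submodules`.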

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. git-2.47.3-1.el9_6.src.rpm
    MD5: 571bdfca7808ebc4fe67aead2563d162
    SHA-256: cf89a751f75f19833ad412b7b549e13c7a2c1738f6b8653cd9326ea891b63572
    Size: 7.35 MB

Asianux Server 9 for x86_64
  1. git-2.47.3-1.el9_6.x86_64.rpm
    MD5: 179bc35b98768dfdca5463d1d0187d11
    SHA-256: 8eb2d0a4fde375335b85782d5c0747aa54f596985f1f974a588f855960154bb6
    Size: 54.11 kB
  2. git-all-2.47.3-1.el9_6.noarch.rpm
    MD5: 4b49ca8453ba1d7474eec498f2c556be
    SHA-256: 7d602453c91bbfdfcf4078cdaf0ef14e46c88e6bc5db001790f44da26dd57d45
    Size: 7.23 kB
  3. git-core-2.47.3-1.el9_6.x86_64.rpm
    MD5: 085464785d8ed092897a89c53c16b179
    SHA-256: 11163583d68609adcb6676aaeabb448c27b4183a82f328f8cb6a4303d895f4ab
    Size: 4.68 MB
  4. git-core-doc-2.47.3-1.el9_6.noarch.rpm
    MD5: 775088e65022a9ddade249e3e4bf7037
    SHA-256: 4f0c649eac35b0ca25ca93c448a0830b69720d7b8e093b819bf32c4e89f10dda
    Size: 3.05 MB
  5. git-credential-libsecret-2.47.3-1.el9_6.x86_64.rpm
    MD5: 1df9097b23922efe3788d31bd0f6ad33
    SHA-256: 749419c4dd277c63d81a634de3bceb08b2e7c7e013e492e99d2a0144436848d0
    Size: 14.31 kB
  6. git-daemon-2.47.3-1.el9_6.x86_64.rpm
    MD5: 9a6916e3f96ba71f4200440b6aaa7a6f
    SHA-256: 0574e1ee60de56fbc37cdb588d8446b85660c554dd1d07ac0cd57b0e18f0e29e
    Size: 384.73 kB
  7. git-email-2.47.3-1.el9_6.noarch.rpm
    MD5: 76925203e8be19d02868008a487692a1
    SHA-256: 9e47d0da982042bc0aa4e502be06241cfd5dc3c16ee4ece7c2f67e89c8ea3666
    Size: 54.34 kB
  8. git-gui-2.47.3-1.el9_6.noarch.rpm
    MD5: 9b2a3d78be52bbdfe1e8a8bb07e722f5
    SHA-256: 06c2807705de4934ccb2007f8c606440683522005eed4bb5018844da2dffc5d2
    Size: 257.63 kB
  9. git-instaweb-2.47.3-1.el9_6.noarch.rpm
    MD5: d00a88bd9d1975479afa3f887a820106
    SHA-256: a2ce87bac2484f07f1dec42194b664971e82225c36332d03f6c7c9ea30458ef6
    Size: 24.61 kB
  10. gitk-2.47.3-1.el9_6.noarch.rpm
    MD5: 68218ebcb8a88a84afe0d1d143414053
    SHA-256: 5d38627faaa545a5d7b4b501ff252c733b4caa930c448ccb15ffcd51fb94fa0c
    Size: 162.26 kB
  11. git-subtree-2.47.3-1.el9_6.x86_64.rpm
    MD5: 03c728a6bbb222b484ab5e45cf299c67
    SHA-256: 2117cd26b5520de07a9a72ccea63c61a128a242da6908043c4847c57256c01f8
    Size: 33.90 kB
  12. git-svn-2.47.3-1.el9_6.noarch.rpm
    MD5: b6fbc48f3dcab3003ed5d6ba66ab06cc
    SHA-256: 44853f9c7b6492a27cd29db402d07229a470c1878329ff3c384da47e095554ae
    Size: 68.95 kB
  13. gitweb-2.47.3-1.el9_6.noarch.rpm
    MD5: 12d890623fc7b69972a5f3e7a7d16ae8
    SHA-256: eb68be51974ff58527ad1f658c9fe615134d5cdeb52ff03e32c862eb591c3b30
    Size: 147.25 kB
  14. perl-Git-2.47.3-1.el9_6.noarch.rpm
    MD5: 68b17d25d92beb37a3dca3532a250edb
    SHA-256: 86893cd311afc67861a6cc2699ee1be262b0276584c1de4c546c2d89d1dbf1a0
    Size: 36.77 kB
  15. perl-Git-SVN-2.47.3-1.el9_6.noarch.rpm
    MD5: 85715a397d9fd983502c388eabdea097
    SHA-256: 4b9cf3f68b5ca487422da5fc0d20531db893e53ebf383308f25d8f26ba3694ae
    Size: 51.40 kB