Register | Log in

git-lfs

Git Large File Support

Choose email to subscribe with

general

source: git-lfs (main)
version: 3.6.1-1
maintainer: Debian Go Packaging Team (DMD)
uploaders: Stephen Gelman [DMD]
arch: all any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.13.2-1
o-o-sec: 2.13.2-1+deb11u1
oldstable: 3.3.0-1+deb12u1
old-sec: 3.3.0-1+deb12u1
stable: 3.6.1-1
testing: 3.6.1-1
unstable: 3.6.1-1

versioned links

2.13.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.13.2-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.3.0-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.6.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

git-lfs (3 bugs: 0, 2, 1, 0)
golang-github-git-lfs-git-lfs-dev

action needed

A new upstream version is available: 3.7.1 high

A new upstream version 3.7.1 is available, you should consider packaging it.

Created: 2025-06-30 Last update: 2025-10-21 14:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-26625: Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

Created: 2025-10-17 Last update: 2025-10-18 09:30

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-26625: Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

Created: 2025-10-17 Last update: 2025-10-18 09:30

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-26625: Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

Created: 2025-10-17 Last update: 2025-10-18 09:30

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2025-26625: Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

Created: 2025-10-17 Last update: 2025-10-18 09:30

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-26625: Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

Created: 2025-10-17 Last update: 2025-10-18 09:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-10 Last update: 2025-09-10 15:02

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[2025-01-26] git-lfs 3.6.1-1 MIGRATED to testing (Debian testing watch)
[2025-01-25] Accepted git-lfs 3.3.0-1+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andrew Shadura)
[2025-01-24] Accepted git-lfs 3.3.0-1+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Andrew Shadura)
[2025-01-22] Accepted git-lfs 2.13.2-1+deb11u1 (source) into oldstable-security (Andrej Shadura) (signed by: Andrew Shadura)
[2025-01-21] Accepted git-lfs 3.6.1-1 (source) into unstable (Stephen Gelman)
[2025-01-20] Accepted git-lfs 3.5.0-2 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
[2024-04-09] git-lfs 3.5.0-1 MIGRATED to testing (Debian testing watch)
[2024-03-07] Accepted git-lfs 3.5.0-1 (source) into unstable (Stephen Gelman)
[2023-12-18] git-lfs 3.4.1-1 MIGRATED to testing (Debian testing watch)
[2023-12-18] git-lfs 3.4.1-1 MIGRATED to testing (Debian testing watch)
[2023-12-15] Accepted git-lfs 3.4.1-1 (source) into unstable (Stephen Gelman)
[2023-08-16] git-lfs 3.4.0-1 MIGRATED to testing (Debian testing watch)
[2023-08-14] Accepted git-lfs 3.4.0-1 (source) into unstable (Stephen Gelman)
[2022-12-28] Accepted git-lfs 3.3.0-1~bpo11+1 (source) into bullseye-backports (Stephen Gelman)
[2022-12-03] git-lfs 3.3.0-1 MIGRATED to testing (Debian testing watch)
[2022-12-01] Accepted git-lfs 3.3.0-1 (source) into unstable (Stephen Gelman)
[2022-06-10] Accepted git-lfs 3.2.0-1~bpo11+1 (source) into bullseye-backports (Stephen Gelman)
[2022-05-28] git-lfs 3.2.0-1 MIGRATED to testing (Debian testing watch)
[2022-05-26] Accepted git-lfs 3.2.0-1 (source) into unstable (Stephen Gelman)
[2022-04-28] git-lfs 3.1.4-2 MIGRATED to testing (Debian testing watch)
[2022-04-25] Accepted git-lfs 3.1.4-2 (source) into unstable (Stephen Gelman)
[2022-04-25] Accepted git-lfs 3.1.4-1 (source) into unstable (Stephen Gelman)
[2022-04-25] Accepted git-lfs 3.1.1-1 (source) into unstable (Stephen Gelman)
[2021-11-14] Accepted git-lfs 3.0.2-1~bpo11+1 (source) into bullseye-backports (Stephen Gelman)
[2021-11-08] git-lfs 3.0.2-1 MIGRATED to testing (Debian testing watch)
[2021-11-06] Accepted git-lfs 3.0.2-1 (source) into unstable (Stephen Gelman)
[2021-09-02] Accepted git-lfs 2.13.3-2~bpo11+1 (source amd64 all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Stephen Gelman)
[2021-08-27] git-lfs 2.13.3-2 MIGRATED to testing (Debian testing watch)
[2021-08-25] Accepted git-lfs 2.13.3-2 (source) into unstable (Stephen Gelman)
[2021-08-20] git-lfs 2.13.3-1 MIGRATED to testing (Debian testing watch)

1
2

bugs [bug history graph]

all: 4
RC: 1
I&N: 2
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
l10n (-, 100)
debci

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing