Debian Package Tracker

git

fast, scalable, distributed revision control system

general
  • source: git (main)
  • version: 1:2.50.0-1
  • maintainer: Jonathan Nieder (DMD)
  • uploaders: Anders Kaseorg [DMD]
  • arch: all any
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • o-o-stable: 1:2.20.1-2+deb10u3
  • o-o-sec: 1:2.20.1-2+deb10u9
  • oldstable: 1:2.30.2-1+deb11u2
  • old-sec: 1:2.30.2-1+deb11u4
  • old-bpo: 1:2.39.2-1~bpo11+1
  • stable: 1:2.39.5-0+deb12u2
  • stable-sec: 1:2.39.5-0+deb12u2
  • testing: 1:2.47.2-0.2
  • unstable: 1:2.50.0-1
  • exp: 1:2.50.0+next.20250615-1
versioned links
  • 1:2.20.1-2+deb10u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.20.1-2+deb10u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.30.2-1+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.30.2-1+deb11u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.39.2-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.39.5-0+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.45.2+next.20240614-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.47.2-0.2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.50.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 1:2.50.0+next.20250615-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • git (285 bugs: 0, 138, 147, 0)
  • git-all (2 bugs: 0, 0, 2, 0)
  • git-cvs (8 bugs: 0, 3, 5, 0)
  • git-doc (7 bugs: 0, 1, 6, 0)
  • git-email (18 bugs: 0, 7, 11, 0)
  • git-gui (21 bugs: 0, 11, 10, 0)
  • git-man (28 bugs: 0, 7, 21, 0)
  • git-mediawiki
  • git-svn (27 bugs: 0, 10, 17, 0)
  • gitk (28 bugs: 0, 9, 19, 0)
  • gitweb (17 bugs: 0, 7, 10, 0)
action needed
Problems while searching for a new upstream version [high]
uscan had problems while searching for a new upstream version:
more than one main upstream tarballs listed.
Created: 2021-08-24 Last update: 2025-07-09 07:02
6 security issues in trixie [high]

There are 6 open security issues in trixie.

6 important issues:
  • CVE-2025-27613:
  • CVE-2025-27614:
  • CVE-2025-46835:
  • CVE-2025-48384: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48385: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48386: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Created: 2025-07-08 Last update: 2025-07-09 05:32
6 security issues in sid [high]

There are 6 open security issues in sid.

6 important issues:
  • CVE-2025-27613:
  • CVE-2025-27614:
  • CVE-2025-46835:
  • CVE-2025-48384: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48385: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48386: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Created: 2025-07-08 Last update: 2025-07-09 05:32
7 security issues in bullseye [high]

There are 7 open security issues in bullseye.

6 important issues:
  • CVE-2025-27613:
  • CVE-2025-27614:
  • CVE-2025-46835:
  • CVE-2025-48384: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48385: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48386: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
1 ignored issue:
  • CVE-2024-32020: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
Created: 2025-07-08 Last update: 2025-07-09 05:32
6 security issues in bookworm [high]

There are 6 open security issues in bookworm.

6 important issues:
  • CVE-2025-27613:
  • CVE-2025-27614:
  • CVE-2025-46835:
  • CVE-2025-48384: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48385: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
  • CVE-2025-48386: Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1.
Created: 2025-07-08 Last update: 2025-07-09 05:32
Failed to analyze the VCS repository. Please troubleshoot and fix the issue. [high]
vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

Repository size 537989120 exceeds 500 MiB, blocking it
Created: 2017-12-03 Last update: 2025-06-17 09:30
1 security issue in buster [high]

There is 1 open security issue in buster.

1 important issue:
  • CVE-2024-32020: Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, local clones may end up hardlinking files into the target repository's object database when source and target repository reside on the same disk. If the source repository is owned by a different user, then those hardlinked files may be rewritten at any point in time by the untrusted user. Cloning local repositories will cause Git to either copy or hardlink files of the source repository into the target repository. This significantly speeds up such local clones compared to doing a "proper" clone and saves both disk space and compute time. When cloning a repository located on the same disk that is owned by a different user than the current user we also end up creating such hardlinks. These files will continue to be owned and controlled by the potentially-untrusted user and can be rewritten by them at will in the future. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4.
Created: 2024-05-15 Last update: 2024-06-26 14:02
The package has not entered testing even though the delay is over [normal]
The package has not entered testing even though the 20-day delay is over. Check why.
Created: 2025-07-07 Last update: 2025-07-09 13:02
26 bugs tagged patch in the BTS [normal]
The BTS contains patches fixing 26 bugs (33 if counting merged bugs); consider including or untagging them.
Created: 2025-01-06 Last update: 2025-07-09 13:00
Depends on packages which need a new maintainer [normal]
The packages that git depends on which need a new maintainer are:
  • cvsps (#501257)
    • Depends: cvsps
    • Build-Depends: cvsps
  • docbook-xsl (#802370)
    • Build-Depends-Indep: docbook-xsl
Created: 2019-11-22 Last update: 2025-07-09 12:31
lintian reports 18 warnings [normal]
Lintian reports 18 warnings about this package. You should make the package lintian clean by getting rid of them.
Created: 2025-03-16 Last update: 2025-03-16 12:00
Build log checks report 1 warning [low]
Build log checks report 1 warning
Created: 2024-03-28 Last update: 2024-03-28 01:30
Standards version of the package is outdated. [wishlist]
The package should be updated to follow the latest version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2019-07-08 Last update: 2025-06-17 11:00
testing migrations
  • excuses:
    • Migration status for git (1:2.47.2-0.2 to 1:2.50.0-1): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
    • Issues preventing migration:
      • blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock)
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/g/git.html
      • Reproducible on amd64
      • Reproducible on arm64
      • Waiting for reproducibility test results on armhf
      • 22 days old (needed 20 days)
    • Not considered
news
  • [2025-06-24] git 1:2.47.2-0.2 MIGRATED to testing (Debian testing watch)
  • [2025-06-22] Accepted git 1:2.47.2-0.2 (source) into testing-proposed-updates (Sebastian Andrzej Siewior)
  • [2025-06-17] Accepted git 1:2.50.0+next.20250615-1 (source) into experimental (Jonathan Nieder)
  • [2025-06-17] Accepted git 1:2.50.0-1 (source) into unstable (Jonathan Nieder)
  • [2025-06-17] Accepted git 1:2.49.0-3 (source) into unstable (Jonathan Nieder)
  • [2025-05-29] Accepted git 1:2.50.0~rc0+next.20250528-1 (source) into experimental (Jonathan Nieder)
  • [2025-05-29] Accepted git 1:2.49.0-2 (source) into unstable (Jonathan Nieder)
  • [2025-03-16] Accepted git 1:2.49.0+next.20250314-1 (source) into experimental (Jonathan Nieder)
  • [2025-03-15] Accepted git 1:2.49.0-1 (source) into unstable (Jonathan Nieder)
  • [2025-01-29] git 1:2.47.2-0.1 MIGRATED to testing (Debian testing watch)
  • [2025-01-28] Accepted git 1:2.30.2-1+deb11u4 (source) into oldstable-security (Sean Whitton)
  • [2025-01-27] Accepted git 1:2.39.5-0+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2025-01-26] Accepted git 1:2.39.5-0+deb12u2 (source) into stable-security (Debian FTP Masters) (signed by: Salvatore Bonaccorso)
  • [2025-01-21] Accepted git 1:2.47.2-0.1 (source) into unstable (Salvatore Bonaccorso)
  • [2025-01-02] Accepted git 1:2.48.0~rc1+next.20250101-1 (source) into experimental (Jonathan Nieder)
  • [2025-01-02] Accepted git 1:2.47.1-1 (source) into unstable (Jonathan Nieder)
  • [2024-12-22] Accepted git 1:2.45.2-1.3 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2024-11-08] Accepted git 1:2.45.2-1.2 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2024-10-23] Accepted git 1:2.45.2-1.1 (source) into unstable (Chris Hofstaedtler) (signed by: Christian Hofstaedtler)
  • [2024-09-15] Accepted git 1:2.39.5-0+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Jonathan Nieder)
  • [2024-09-13] Accepted git 1:2.39.5-0+deb12u1 (source) into stable-security (Debian FTP Masters) (signed by: Jonathan Nieder)
  • [2024-09-03] Accepted git 1:2.30.2-1+deb11u3 (source) into oldstable-security (Sean Whitton)
  • [2024-08-25] git 1:2.45.2-1 MIGRATED to testing (Debian testing watch)
  • [2024-06-26] Accepted git 1:2.20.1-2+deb10u9 (source) into oldoldstable (Sean Whitton)
  • [2024-06-16] Accepted git 1:2.45.2+next.20240614-1 (source) into experimental (Jonathan Nieder)
  • [2024-06-16] Accepted git 1:2.45.2-1 (source) into unstable (Jonathan Nieder)
  • [2024-05-20] Accepted git 1:2.45.1+next.20240516-1 (source) into experimental (Jonathan Nieder)
  • [2024-05-20] Accepted git 1:2.45.1-1 (source) into unstable (Jonathan Nieder)
  • [2024-01-06] Accepted git 1:2.43.0+next.20240104-1 (source) into experimental (Josh Steadmon) (signed by: Jonathan Nieder)
  • [2023-12-12] git 1:2.43.0-1 MIGRATED to testing (Debian testing watch)
bugs [bug history graph]
  • all: 450 465
  • RC: 1
  • I&N: 205 206
  • M&W: 244 258
  • F&P: 0
  • patch: 26 33
links
  • homepage
  • lintian (0, 18)
  • buildd: logs, exp, checks, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • l10n (-, 94)
ubuntu
  • version: 1:2.50.0-1ubuntu2
  • 91 bugs (2 patches)
  • patches for 1:2.50.0-1ubuntu2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers