Question on CVE-2018-11235

Adam Dinwoodie
Thu Jul 19 17:07:00 GMT 2018

On Thu, 19 Jul 2018 at 08:56, Akihiko Kawaguchi wrote:
> Hello,
> Does anyone know when a git client package to fix the following
> vulnerability will be released for Cygwin?
> Currently, all the versions I can choose in the Cygwin installer are
> 2.16.1-1, 2.16.2-1 or 2.17.0-1.

I'm afraid personal life has got in the way of me producing a more
up-to-date version of Git since the versions you've found. I'll
produce a new release when I get the chance, but I don't want to
commit to any particular dates at this point.

In the meantime, I'd suggest either not cloning untrusted repositories
while using the `--recurse-submodules` option (or, as general security
practice, not cloning untrusted repositories at all), or compiling Git
locally yourself.

As a general point, if people want to compile Git themselves, it's
normally straightforward, either using the upstream Git sources, or
using the Cygport packaging sources from I only haven't released it
myself because I have a higher bar for making sure the test suite
passes and so forth for something that'll be used by a significant
chunk of the Cygwin user base, than for something that's only going to
be used by me.

Your local friendly Git package maintainer
