Skip to content

v3.6.1

Latest
Latest
Compare
Choose a tag to compare
@chrisd8088 chrisd8088 released this 14 Jan 19:27
· 34 commits to main since this release
v3.6.1
This tag was signed with the committer’s verified signature.
chrisd8088 Chris Darroch
GPG key ID: F54FE648088335A9
Learn about vigilant mode.
ea47a34
This commit was signed with the committer’s verified signature.
chrisd8088 Chris Darroch
GPG key ID: F54FE648088335A9
Learn about vigilant mode.

This release introduces a security fix for all platforms, which has been assigned CVE-2024-53263.

When requesting credentials from Git for a remote host, prior versions of Git LFS passed portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sent any credentials received back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker might have been able to retrieve a user's Git credentials.

Git LFS now prevents bare line feed (LF) characters from being included in the values sent to the git-credential(1) command, and also prevents bare carriage return (CR) characters from being included unless the credential.protectProtocol configuration option is set to a value equivalent to false.

We would like to extend a special thanks to the following open-source contributors:

  • @Ry0taK for reporting this to us responsibly

Bugs

  • Reject bare line-ending control characters in Git credential requests (@chrisd8088)

Packages

Up to date packages are available on PackageCloud and Homebrew.

RPM RHEL 7/CentOS 7
RPM RHEL 8/Rocky Linux 8
RPM RHEL 9/Rocky Linux 9
Debian 10
Debian 11
Debian 12

SHA-256 hashes:

git-lfs-darwin-amd64-v3.6.1.zip
b53c361e6c85479507ed39ba99b87ec0888ac52f5afd2084fc68af4103081391

git-lfs-darwin-arm64-v3.6.1.zip
83b4ea3b0c72ba19e3bc46e47e92476f4505cc96693333b9fa0a314dddacc4ba

git-lfs-freebsd-386-v3.6.1.tar.gz
976e6123166ad54cd752a70a50f10d3cac22d35afc622f9ad1129320dc463bce

git-lfs-freebsd-amd64-v3.6.1.tar.gz
77c58f7d9ff207efa371fcf048900fa404d12393434c23c767a2f7dbabd0d8e1

git-lfs-linux-386-v3.6.1.tar.gz
62dd22e2cde54c051faaf58b5432f033a0cb6bf366d00648b1bc1b9ed1e819e1

git-lfs-linux-amd64-v3.6.1.tar.gz
2138d2e405a12f1a088272e06790b76699b79cb90d0317b77aafaf35de908d76

git-lfs-linux-arm-v3.6.1.tar.gz
7e3e7df9d7cc663efab9d996c67af17d99afe8b0ce2fc002703cac0b8826f4f7

git-lfs-linux-arm64-v3.6.1.tar.gz
1c2720ff53528fbe769633d448d830aa7b682141e3c4f6a9f26b9cf3b2548d0a

git-lfs-linux-loong64-v3.6.1.tar.gz
0135b9fa6c8a13d4c7cec6e434b6cc4391b74321aa13743dd7e8f14bd33648f8

git-lfs-linux-ppc64le-v3.6.1.tar.gz
86d42801b6e70522560eb3e33c0512f9733b3dad1ca08471cd135f445029cdfb

git-lfs-linux-riscv64-v3.6.1.tar.gz
e26adb02957e859385159d60dd642b800a265d3fcd38590266d3428aefb4ddba

git-lfs-linux-s390x-v3.6.1.tar.gz
c9aa0391ac58c5ed695fceec891c953d12fe78ae31ecbd5fd3cb4204cf8273a9

git-lfs-v3.6.1.tar.gz
1417b7ee9a8fba8d649a89f070fdcde8b2593ca2caa74e3e808d2bb35d5ca5f7

git-lfs-windows-386-v3.6.1.zip
74fd0d4c9ea314719b6890667b0e528c4467726e1a7302e68221afba806a69b5

git-lfs-windows-amd64-v3.6.1.zip
aaca788e04f91676e58654d5ecf96cf03c76768a63b3a6918281a9678884c20c

git-lfs-windows-arm64-v3.6.1.zip
ad40ab00a73ef4bf63c969472d0e5a824686b495dbc01ea8e9e4cc456c49a4b0

git-lfs-windows-v3.6.1.exe
5492bd2d7b37fcb821f48cac17895feb2506d26ad4cde996a30940e86dfecc27

hashes.asc
a5d1256409e83743608fdc43716bd1dc2fbffe00b5f116016d5886187874dcab

sha256sums.asc
4f16f1db8a18631ac9b21cce1545a692373e2b5edc8e211cd959c447d14dfef2

Contributors

chrisd8088 and Ry0taK
Assets 21
Loading