I'm a Program Manager for version control in Microsoft Visual Studio Team Services and the co-maintainer of the libgit2 project, the Git repository management library that underpins tools like GitHub, Visual Studio and Xcode. I also develop version control tools and I also write and speak about Git and version control.
Now Available: Git for Visual Studio Training
Just released: professional training for using Git inside Visual Studio. This training provides an introduction to using the Git version control system, explain differences between Git and traditional, centralized version control, and provide advanced concepts like extending the Git functionality.Start Learning for Free
A security vulnerability in Git
has been announced:
a bug in URL parsing can cause
git clone to execute arbitrary commands.
These URLs look quite suspicious, so it's unlikely that you'd be convinced
through social engineering to clone them yourself. But they can be hidden
in repository submodules.
Unless you're a Continuous Integration build agent, I hope that it's quite
uncommon that you
git clone --recursive a repository that you do not trust.
So this vulnerability is rather uncommon, but as with any security
vulnerability that has the possibility of remote code execution, you should
upgrade your Git clients immediately.
Git version 2.14.1 is the latest and greatest version of Git, and has been patched. But most people don't actually build from source, so your version of Git is probably provided to you by a distribution. You may have different versions available to you - ones that have had the patches applied by your vendor - so you may not be able to determine if you're vulnerable simply by looking at the version number.
Here's some simple steps to determine whether you're vulnerable and some upgrade instructions if you are.