Git development
 help / color / mirror / Atom feed
* Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status
@ 2026-06-27 19:18 Person, Tim
  2026-06-27 21:07 ` Todd Zullinger
  2026-06-29 13:57 ` Johannes Schindelin
  0 siblings, 2 replies; 5+ messages in thread
From: Person, Tim @ 2026-06-27 19:18 UTC (permalink / raw)
  To: git@vger.kernel.org

Good afternoon,

I am writing to determine when Git plans to release an update installer to patch the security vulnerability in Git 2.54.0 because of the included OpenSSL executable. This vulnerability is rated "Critical" in the CVE (https://www.cve.org/CVERecord?id=CVE-2026-34182). An updated version of the OpenSSL.exe fixing this problem has been available since 06/12/2026. I am just wondering if/when you plan to address this major security issue.

Respectfully,

Tim Person


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status
  2026-06-27 19:18 Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status Person, Tim
@ 2026-06-27 21:07 ` Todd Zullinger
  2026-06-27 21:17   ` Person, Tim
  2026-06-29 13:57 ` Johannes Schindelin
  1 sibling, 1 reply; 5+ messages in thread
From: Todd Zullinger @ 2026-06-27 21:07 UTC (permalink / raw)
  To: Person, Tim; +Cc: git@vger.kernel.org

Hi,

Person, Tim wrote:
> I am writing to determine when Git plans to release an
> update installer to patch the security vulnerability in
> Git 2.54.0 because of the included OpenSSL executable.
> This vulnerability is rated "Critical" in the CVE
> (https://www.cve.org/CVERecord?id=CVE-2026-34182). An
> updated version of the OpenSSL.exe fixing this problem has
> been available since 06/12/2026. I am just wondering
> if/when you plan to address this major security issue.

The Git project does not distribute any binaries.  You
likely want to direct this to the Git for Windows project¹.

That said, it's not even clear to me that the CVE you
reference affects git's usage of OpenSSL.

From a little skimming, the issue affects use of CMS (which
is something like the successor to S/MIME, as far as I can
tell).

The only place where git gets close to that area is if you
configure it to use x509 as gpg.program.  And then git uses
gpgsm, which is not affected by the CVE in OpenSSL.

¹ https://gitforwindows.org/

-- 
Todd

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status
  2026-06-27 21:07 ` Todd Zullinger
@ 2026-06-27 21:17   ` Person, Tim
  0 siblings, 0 replies; 5+ messages in thread
From: Person, Tim @ 2026-06-27 21:17 UTC (permalink / raw)
  To: Todd Zullinger; +Cc: git@vger.kernel.org

Todd,

Thank you for the reply, the explanation, and the information about who to contact.

Thanks,

Tim

-----Original Message-----
From: Todd Zullinger <tmz@pobox.com>
Sent: Saturday, June 27, 2026 2:07 PM
To: Person, Tim <Tim.Person@personent.com>
Cc: git@vger.kernel.org
Subject: Re: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status

[You don't often get email from tmz@pobox.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

[CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.]

Hi,

Person, Tim wrote:
> I am writing to determine when Git plans to release an update
> installer to patch the security vulnerability in Git 2.54.0 because of
> the included OpenSSL executable.
> This vulnerability is rated "Critical" in the CVE
> (https://www/
> .cve.org%2FCVERecord%3Fid%3DCVE-2026-34182&data=05%7C02%7CTim.Person%4
> 0personentcloud.mail.onmicrosoft.com%7C350b58458bd84a5312f308ded490243
> 8%7Ce2de18dc8323462e8c47561025ebc66c%7C0%7C0%7C639181913006654964%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=caMSGrA%2FfpxkKs2o%2Bg1dE9JuEQQlOK3IBt8BzbZ%2F7GM%3D&reserved=0). An updated version of the OpenSSL.exe fixing this problem has been available since 06/12/2026. I am just wondering if/when you plan to address this major security issue.

The Git project does not distribute any binaries.  You likely want to direct this to the Git for Windows project¹.

That said, it's not even clear to me that the CVE you reference affects git's usage of OpenSSL.

From a little skimming, the issue affects use of CMS (which is something like the successor to S/MIME, as far as I can tell).

The only place where git gets close to that area is if you configure it to use x509 as gpg.program.  And then git uses gpgsm, which is not affected by the CVE in OpenSSL.

¹ https://gitforwindows.org/

--
Todd

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status
  2026-06-27 19:18 Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status Person, Tim
  2026-06-27 21:07 ` Todd Zullinger
@ 2026-06-29 13:57 ` Johannes Schindelin
  2026-07-01 21:39   ` Person, Tim
  1 sibling, 1 reply; 5+ messages in thread
From: Johannes Schindelin @ 2026-06-29 13:57 UTC (permalink / raw)
  To: Person, Tim; +Cc: git@vger.kernel.org

Hi Tim,

On Sat, 27 Jun 2026, Person, Tim wrote:

> I am writing to determine when Git plans to release an update installer
> to patch the security vulnerability in Git 2.54.0 because of the
> included OpenSSL executable. This vulnerability is rated "Critical" in
> the CVE (https://www.cve.org/CVERecord?id=CVE-2026-34182). An updated
> version of the OpenSSL.exe fixing this problem has been available since
> 06/12/2026. I am just wondering if/when you plan to address this major
> security issue.

OpenSSL.exe is not part of the critical path of Git for Windows. It is
merely included as a curiosity for historical reasons. The critical CVE
you mentioned does not affect anything in Git itself. Therefore, I did not
even consider making an out-of-band release of Git for Windows merely for
that OpenSSL v3.5.7 update.

The next Git for Windows release (v2.55.0, likely due later today, may
slip to tomorrow) will include OpenSSL v3.5.7.

Ciao,
Johannes

^ permalink raw reply	[flat|nested] 5+ messages in thread

* RE: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status
  2026-06-29 13:57 ` Johannes Schindelin
@ 2026-07-01 21:39   ` Person, Tim
  0 siblings, 0 replies; 5+ messages in thread
From: Person, Tim @ 2026-07-01 21:39 UTC (permalink / raw)
  To: Johannes Schindelin; +Cc: git@vger.kernel.org

Johannes,

Thank you for the reply. I wasn't sure who to reach out to for this question. I really appreciate the response and the insight related to your process and timing.

Thank you and have a great rest of your day.

Thanks,

Tim

-----Original Message-----
From: Johannes Schindelin <Johannes.Schindelin@gmx.de> 
Sent: Monday, June 29, 2026 6:57 AM
To: Person, Tim <Tim.Person@personent.com>
Cc: git@vger.kernel.org
Subject: Re: Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status

[You don't often get email from johannes.schindelin@gmx.de. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ]

[CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.]

Hi Tim,

On Sat, 27 Jun 2026, Person, Tim wrote:

> I am writing to determine when Git plans to release an update 
> installer to patch the security vulnerability in Git 2.54.0 because of 
> the included OpenSSL executable. This vulnerability is rated 
> "Critical" in the CVE 
> (https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww
> .cve.org%2FCVERecord%3Fid%3DCVE-2026-34182&data=05%7C02%7CTim.Person%4
> 0personentcloud.mail.onmicrosoft.com%7Cd04161ef041e4b2492fe08ded5e65ef7%7Ce2de18dc8323462e8c47561025ebc66c%7C0%7C0%7C639183382582991445%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=0dAHZbln7dV%2BrqdlWcsEGfDvkY5k0L%2Fon0NExDAIGzo%3D&reserved=0). An updated version of the OpenSSL.exe fixing this problem has been available since 06/12/2026. I am just wondering if/when you plan to address this major security issue.

OpenSSL.exe is not part of the critical path of Git for Windows. It is merely included as a curiosity for historical reasons. The critical CVE you mentioned does not affect anything in Git itself. Therefore, I did not even consider making an out-of-band release of Git for Windows merely for that OpenSSL v3.5.7 update.

The next Git for Windows release (v2.55.0, likely due later today, may slip to tomorrow) will include OpenSSL v3.5.7.

Ciao,
Johannes

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-01 21:39 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-27 19:18 Security Vulnerability in Git 2.54.0/OpenSSL 3.5.6 Status Person, Tim
2026-06-27 21:07 ` Todd Zullinger
2026-06-27 21:17   ` Person, Tim
2026-06-29 13:57 ` Johannes Schindelin
2026-07-01 21:39   ` Person, Tim

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox