#1108983 git: CVE-2025-27613 CVE-2025-27614 CVE-2025-46835 CVE-2025-48384 CVE-2025-48385 CVE-2025-48386

Package:
src:git
Source:
src:git
Submitter:
Salvatore Bonaccorso
Date:
2025-08-22 10:49:02 UTC
Severity:
normal
Tags:
#1108983#5
Date:
2025-07-08 20:10:25 UTC
From:
To:
The following vulnerabilities were published for git.

CVE-2025-27613[0], CVE-2025-27614[1], CVE-2025-46835[2],
CVE-2025-48384[3], CVE-2025-48385[4] and CVE-2025-48386[5].

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-27613
https://www.cve.org/CVERecord?id=CVE-2025-27613
[1] https://security-tracker.debian.org/tracker/CVE-2025-27614
https://www.cve.org/CVERecord?id=CVE-2025-27614
[2] https://security-tracker.debian.org/tracker/CVE-2025-46835
https://www.cve.org/CVERecord?id=CVE-2025-46835
[3] https://security-tracker.debian.org/tracker/CVE-2025-48384
https://www.cve.org/CVERecord?id=CVE-2025-48384
[4] https://security-tracker.debian.org/tracker/CVE-2025-48385
https://www.cve.org/CVERecord?id=CVE-2025-48385
[5] https://security-tracker.debian.org/tracker/CVE-2025-48386
https://www.cve.org/CVERecord?id=CVE-2025-48386
[6] https://lore.kernel.org/git/xmqq5xg2wrd1.fsf@gitster.g/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1108983#18
Date:
2025-07-22 08:28:31 UTC
From:
To:
Please note the CVEs affect Debian's git 2.50.0-1 as well, AFAICS.
They are supposed to be fixed for upstream's git version

	2.50.1

(https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.50.1.adoc)

Regards
Harri

#1108983#23
Date:
2025-07-29 23:03:37 UTC
From:
To:
Dear maintainer,

I've prepared an NMU for git (versioned as 1:2.50.1-0.1) and uploaded
it to DELAYED/1. Please feel free to tell me if I should cancel it.

cu
Adrian

#1108983#32
Date:
2025-07-30 23:35:06 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 29 Jul 2025 20:54:28 +0300
Source: git
Architecture: source
Version: 1:2.50.1-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1108983
Changes:
 git (1:2.50.1-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-27613: gitk: file creation/truncation after cloning
       untrusted repository
     - CVE-2025-27614: gitk: user can be tricked into running any
       script after cloning untrusted repository
     - CVE-2025-46835: git-gui: file creation/overwriting after
       cloning untrusted repository
     - CVE-2025-48384: script execution after cloning untrusted
       repository
     - CVE-2025-48385: protocol injection when fetching
     - Closes: #1108983
Checksums-Sha1:
 b505838c95886bd3a4afe258830291a4225a565a 2676 git_2.50.1-0.1.dsc
 54416ce0aee97292caaf89ec8fb313c1ea825c2f 7880972 git_2.50.1.orig.tar.xz
 008af8c413400e3837805fdb4d2987d1c34fac84 811604 git_2.50.1-0.1.debian.tar.xz
Checksums-Sha256:
 924b0830bb42a17e36770fbff890a56ce990e3e55eab1672e0823669c4ce35e8 2676 git_2.50.1-0.1.dsc
 7e3e6c36decbd8f1eedd14d42db6674be03671c2204864befa2a41756c5c8fc4 7880972 git_2.50.1.orig.tar.xz
 66bd1e928719ce7c84c5eaee180c90da41df0e7c42ffb1c4a150319b501b3a1b 811604 git_2.50.1-0.1.debian.tar.xz
Files:
 9ea8eb4ac51608880884f2679124eafb 2676 vcs optional git_2.50.1-0.1.dsc
 2cb96fae126d66f8ff23a68f8dd5d748 7880972 vcs optional git_2.50.1.orig.tar.xz
 8a5c90661d193c6ba35b0cd41b8e9a81 811604 vcs optional git_2.50.1-0.1.debian.tar.xz

#1108983#37
Date:
2025-08-22 10:47:08 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
git, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108983@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <bunk@debian.org> (supplier of updated git package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 30 Jul 2025 21:10:52 +0300
Source: git
Architecture: source
Version: 1:2.47.3-0+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Jonathan Nieder <jrnieder@gmail.com>
Changed-By: Adrian Bunk <bunk@debian.org>
Closes: 1108983
Changes:
 git (1:2.47.3-0+deb13u1) trixie; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - CVE-2025-27613: gitk: file creation/truncation after cloning
       untrusted repository
     - CVE-2025-27614: gitk: user can be tricked into running any
       script after cloning untrusted repository
     - CVE-2025-46835: git-gui: file creation/overwriting after
       cloning untrusted repository
     - CVE-2025-48384: script execution after cloning untrusted
       repository
     - CVE-2025-48385: protocol injection when fetching
     - Closes: #1108983
Checksums-Sha1:
 ee3209ec18d30a2cd71330998debf84c51431edc 2702 git_2.47.3-0+deb13u1.dsc
 408774745b5dadeddcf1e7223201927123e504ea 7657416 git_2.47.3.orig.tar.xz
 7242067a7c86f70fbd239d3d479a855b0ce320b9 793112 git_2.47.3-0+deb13u1.debian.tar.xz
Checksums-Sha256:
 41ee783af84774dfab31ff6af54a07f70513dd09914e2d622626f4dfecae0a86 2702 git_2.47.3-0+deb13u1.dsc
 9c2eb1250781b3e5bfef098572d07fdf132d67e6c065e4307332ade9819a1501 7657416 git_2.47.3.orig.tar.xz
 db44b90ab928d41959f5945a49fcaa101385a4bd085b118b5fd40162a0a84066 793112 git_2.47.3-0+deb13u1.debian.tar.xz
Files:
 14b7604dd821e2f027cf46b336f9413b 2702 vcs optional git_2.47.3-0+deb13u1.dsc
 467860ca61d8840cda3fb10db687f771 7657416 vcs optional git_2.47.3.orig.tar.xz
 f42dbbc65c6800848bb2aa481e3fd8e4 793112 vcs optional git_2.47.3-0+deb13u1.debian.tar.xz