libgit2 v1.6.5

@ethomson released this 06 Feb 20:20

🔒 This is a security release with multiple changes.

  • A bug in git_revparse_single is fixed that could have caused the function to enter an infinite loop given well-crafted inputs, potentially causing a Denial of Service attack in the calling application. This fixes CVE-2024-24575, which was discovered by researchers at Amazon AWS.

  • A bug in git_index_add is fixed that could have caused the function to corrupt its heap and possibly lead to arbitrary code execution. This fixes CVE-2024-24577, which was discovered by researchers at Amazon AWS.

  • A bug in the smart transport negotiation could have caused an out-of-bounds read when a remote server did not advertise capabilities.

The libgit2 project thanks the researchers and outreach team at AWS Security for finding the git_index_add and git_revparse_single bugs, and providing details and reproduction steps during their responsible disclosure.

All users of the v1.6 release line are recommended to upgrade.
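
To act on that recommendation across a fleet, the following added example (not part of the release notes or of libgit2 itself) classifies libgit2 version strings against the v1.6.5 fix. The function names, verdict enum and sample inventory are hypothetical, and versions outside the v1.6 line are reported as not covered because this note says nothing about them.

```c
#include <stdio.h>

/* Verdicts relative to the v1.6.5 release note only. */
enum verdict { V_PATCHED, V_NEEDS_UPGRADE, V_OTHER_LINE, V_UNPARSEABLE };

/* Fixed release for the v1.6 line, taken from the release note. */
#define FIX_MAJOR 1
#define FIX_MINOR 6
#define FIX_REV   5

/* Classify a (major, minor, rev) triple, e.g. the values a linked
 * application obtains from git_libgit2_version(&major, &minor, &rev). */
enum verdict classify_triple(int major, int minor, int rev)
{
    if (major < 0 || minor < 0 || rev < 0)
        return V_UNPARSEABLE;
    if (major != FIX_MAJOR || minor != FIX_MINOR)
        return V_OTHER_LINE;      /* the note does not cover this line */
    return rev >= FIX_REV ? V_PATCHED : V_NEEDS_UPGRADE;
}

/* Classify an upstream version string from a package inventory or SBOM.
 * Accepts an optional leading 'v' and ignores packaging suffixes such as
 * "+dfsg" or "-2". Assumption: only the upstream version is compared, so
 * a distro build that backported the fixes still reads as NEEDS_UPGRADE. */
enum verdict classify_string(const char *s)
{
    int major, minor, rev;
    if (s == NULL)
        return V_UNPARSEABLE;
    if (*s == 'v' || *s == 'V')
        s++;
    if (sscanf(s, "%d.%d.%d", &major, &minor, &rev) != 3)
        return V_UNPARSEABLE;     /* fewer than three numeric fields */
    return classify_triple(major, minor, rev);
}

int main(void)
{
    /* Constructed sample inventory, not taken from the page. */
    const char *samples[] = { "1.6.4", "v1.6.5", "1.6.5+dfsg", "1.5.2", "1.6", "unknown" };
    const char *names[] = { "patched", "NEEDS UPGRADE", "other release line", "unparseable" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i], names[classify_string(samples[i])]);
    return 0;
}
```

Unparseable entries should be reviewed by hand rather than treated as patched.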
