A flaw in previous versions of the Git version control system could allow an attacker to execute malicious code on remote server and client systems. The problem affects Git version 2.7.0 and earlier. The Git developers built a fix into version 2.7.1, which was released in February of this year, but they didn't raise awareness about the potential problem, so many Git users are still unaware of it.

The problem stems from coding errors that would allow a potential buffer overflow through the use of a large attacker-controlled filename. Programmer Laël Cellier found the flaw and reported it to GitHub last year as part of a bug bounty effort. As of now, it does not appear that the malware industry has used this problem for a real-world attack, but once the information is public, it is only a matter of time before someone starts devising an attack. Git users are encouraged to upgrade to version 2.7.1 or later as soon as possible. See the story at the Register for additional information.