CVE-2014-9390 aka "Git on case-insensitive filesystems"

I did not give the exact assessment on the risk in either my blog post on this topic or the announcement for the maintenance release to fix this issue.

Somebody at Atlassian summarised it very well. It says:

"""An attacker needs write access to a repository in order to push the malicious changes in the first place. The actual risk for most teams' repositories is relatively low, as there is typically a high level of trust between those who have the necessary permissions to write to a repository.

However, all developers should exercise caution when pulling from third party or untrusted repositories until they upgrade to a patched version of Git."""

It is a short and well-written post, worth a read:
