1 files changed, 35 insertions, 1 deletions

diff --git a/RelNotes/2.37.4.txt b/RelNotes/2.37.4.txt
index 732176376..e42a5c162 100644
--- a/RelNotes/2.37.4.txt
+++ b/RelNotes/2.37.4.txt
@@ -2,11 +2,45 @@ Git 2.37.4 Release Notes
 ========================
 
 This primarily is to backport various fixes accumulated on the 'master'
-front since 2.37.3.
+front since 2.37.3, and also includes the same security fixes as in
+v2.30.6.
 
 Fixes since v2.37.3
 -------------------
 
+ * CVE-2022-39253:
+   When relying on the `--local` clone optimization, Git dereferences
+   symbolic links in the source repository before creating hardlinks
+   (or copies) of the dereferenced link in the destination repository.
+   This can lead to surprising behavior where arbitrary files are
+   present in a repository's `$GIT_DIR` when cloning from a malicious
+   repository.
+
+   Git will no longer dereference symbolic links via the `--local`
+   clone mechanism, and will instead refuse to clone repositories that
+   have symbolic links present in the `$GIT_DIR/objects` directory.
+
+   Additionally, the value of `protocol.file.allow` is changed to be
+   "user" by default.
+
+   Credit for finding CVE-2022-39253 goes to Cory Snider of Mirantis.
+   The fix was authored by Taylor Blau, with help from Johannes
+   Schindelin.
+
+ * CVE-2022-39260:
+   An overly-long command string given to `git shell` can result in
+   overflow in `split_cmdline()`, leading to arbitrary heap writes and
+   remote code execution when `git shell` is exposed and the directory
+   `$HOME/git-shell-commands` exists.
+
+   `git shell` is taught to refuse interactive commands that are
+   longer than 4MiB in size. `split_cmdline()` is hardened to reject
+   inputs larger than 2GiB.
+
+   Credit for finding CVE-2022-39260 goes to Kevin Backhouse of
+   GitHub. The fix was authored by Kevin Backhouse, Jeff King, and
+   Taylor Blau.
+
  * An earlier optimization discarded a tree-object buffer that is
    still in use, which has been corrected.