Last week, a security fix was released for Git. The fix patches a bug in the Git client that is exploitable on operating systems with case-insensitive file systems, such as Windows and OS X.
Heroku has updated the Git installer that we ship with Toolbelt for Windows. We have also removed an old Git version from the OS X installer (it was not generally used).
In addition, we’ve added a Git version warning in Toolbelt that will prompt you to update Git if you’re using a vulnerable version on Windows (shown here) or OS X:
$ heroku apps
WARNING: Your version of git is 1.9.3. Which has serious security vulnerabilities.
More information here: https://blog.heroku.com/archives/2014/12/23/update_your_git_clients_on_windows_and_os_x
Heroku Toolbelt ships msysGit for Windows, and users should update to 1.9.5, available from the msysGit website. OS X users should update their system Git, for example with the OS X installers or Homebrew.
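A version check of the kind the Toolbelt warning performs can be scripted for a fleet of workstations. The script below is an added example, not Heroku's or Toolbelt's own code; the function names and the `MIN_GIT` variable are assumptions. Its default minimum of 1.9.5 is the msysGit release named above, so the comparison is only meaningful on that release line; for other Git release lines, take the fixed version from the Git announcement and set `MIN_GIT` accordingly.

```shell
#!/bin/sh
# Added example (not Toolbelt code): flag a Git client older than a minimum version.
# MIN_GIT defaults to 1.9.5, the msysGit release this post tells Windows users to install.
MIN_GIT="${MIN_GIT:-1.9.5}"

# Extract the leading numeric x.y.z from `git --version` style output.
# Vendor suffixes such as ".msysgit.0" or " (Apple Git-NN)" are ignored;
# only the first three numeric components are kept.
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9]*\(\.[0-9][0-9]*\)\{0,2\}\).*/\1/p'
}

# Succeeds (exit 0) when version $1 is strictly lower than version $2.
# Fields are compared numerically, so 1.10.0 is newer than 1.9.5.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Prints "outdated", "ok", or "unknown" for one line of `git --version` output.
check_git() {
    ver=$(parse_git_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_lt "$ver" "$MIN_GIT"; then
        echo "outdated"
    else
        echo "ok"
    fi
}

# Report on the locally installed client, if there is one.
if command -v git >/dev/null 2>&1; then
    echo "git: $(check_git "$(git --version)") (minimum $MIN_GIT)"
fi
```

An "unknown" result means the version string could not be parsed and the client should be inspected by hand.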
Details of the exploit are available on the Git Blame blog and from the Git mailing list announcement.