Issue 892681

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocked on:
issue 877775




Upgrade Git for CVE-2018-17456

Project Member Reported by jrn@google.com, Oct 5

Issue description

Please upgrade Git to one of the versions mentioned at
https://public-inbox.org/git/xmqqy3bcuy3l.fsf@gitster-ct.c.googlers.com/

 
Given that we can't release 2.18 on bots,
this means upgrading to 2.17.2 on bots.

Additionally, 2.18 has been released to Win devs already. So, devs should get 2.18.1.
Cc: iannucci@chromium.org
I think the most important thing is to release 2.18.1 to devs on Win, Pri0.5-like important.

Updating bots can be handled with Pri-1.
Regarding Windows, keep in mind:

P.S. Folks at Microsoft tried to follow the known exploit recipe on
Git for Windows (but not Cygwin or other Git implementations on
Windows) and found that the recipe (or its variants they can think
of) would not make their system vulnerable.

Components: -Infra>Git>Admin Infra>SDK
Blockedon: 877775
Status: Available (was: Untriaged)
Atm, there is no Git 2.18.1 for Win released yet (https://github.com/git-for-windows/git/releases), only 2.19.1.

Given the P.S. I've missed (thanks, jrn@) in #c4, I think we can wait a bit for iannucci@ to finish his work on the new pipeline of third_package releases and then take on this bug.
Cc: iannu...@google.com
Cc: -iannucci@chromium.org
