by bronxbomber92 3713 days ago
Xcode is distributed and released over the AppStore and can be rev-ed at any frequency, independently of the OS; Apple's update model does not prevent an expedient update.

Perhaps the main cause for delay is the associated QA efforts to make sure that other components in the stack which depend on git don't break in the case that git has broken binary compatibility (i.e. changed its public interface).

1 comments

If things are tied up in QA, that is a problem in and of itself, because relevance is an important quality for a security bugfix to have. If my system is compromised today, it will do me little good that the bugfix Apple ships next month was tested extensively for compatibility with Xcode.

It is too late for there to be an expedient update from Apple. The vulnerability was disclosed to oss-security over a month ago, on March 15[0]. SUSE had a patch out the next day[1]. By March 24, Debian, Ubuntu, Red Hat, CentOS and Oracle had all issued fixes.[2]

[0]: http://www.openwall.com/lists/oss-security/2016/03/15/5

[1]: http://lists.opensuse.org/opensuse-security-announce/2016-03...

[2]: http://www.securitytracker.com/id/1035290

I should clarify that I don't know why an update hasn't been pushed. I was only speculating why it might be taking so long.