diff --git a/.git.metadata b/.git.metadata
index a01d0b6..511c40f 100644
--- a/.git.metadata
+++ b/.git.metadata
@@ -1,2 +1,2 @@
-7577a22e233e892dba5cf19a3a57cef2062d01e6 SOURCES/git-2.43.5.tar.sign
-31decef72034ae36c8098a9e6bb13a7dd4859fd9 SOURCES/git-2.43.5.tar.xz
+ee5544e5682b2dd8bc7cfe0cf8952eb4f04a308f SOURCES/git-2.43.7.tar.sign
+4034a9389fe34767a272d7085e9e7d93fb5ff18f SOURCES/git-2.43.7.tar.xz
diff --git a/.gitignore b/.gitignore
index dc23a3b..bab1821 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/git-2.43.5.tar.sign
-SOURCES/git-2.43.5.tar.xz
+SOURCES/git-2.43.7.tar.sign
+SOURCES/git-2.43.7.tar.xz
diff --git a/SOURCES/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch b/SOURCES/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch
new file mode 100644
index 0000000..df348b8
--- /dev/null
+++ b/SOURCES/git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch
@@ -0,0 +1,59 @@
+From 428c9241c6918f52ac22fb8e83ce7c736a2f5e00 Mon Sep 17 00:00:00 2001
+From: Todd Zullinger <tmz@pobox.com>
+Date: Tue, 8 Jul 2025 17:05:27 -0400
+Subject: [PATCH] t: avoid git config syntax from newer releases
+
+In a recent security release, 05e9cd64ee (config: quote values
+containing CR character, 2025-05-19) added calls to `git config get`,
+`git config set`, and `git config unset` which are not present on the
+maint-2.43 branch.
+
+These subcommands were added in the following commits, released in
+git-2.46.0:
+
+  4e51389000 (builtin/config: introduce "get" subcommand, 2024-05-06),
+  00bbdde141 (builtin/config: introduce "set" subcommand, 2024-05-06),
+  95ea69c67b (builtin/config: introduce "unset" subcommand, 2024-05-06)
+
+Revert to the previous `git config` syntax for older maintenance
+branches.
+
+Signed-off-by: Todd Zullinger <tmz@pobox.com>
+Signed-off-by: Junio C Hamano <gitster@pobox.com>
+---
+ t/t1300-config.sh           | 4 ++--
+ t/t7450-bad-git-dotfiles.sh | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/t/t1300-config.sh b/t/t1300-config.sh
+index 1010410b7e2926..baf9b4823111d5 100755
+--- a/t/t1300-config.sh
++++ b/t/t1300-config.sh
+@@ -2595,8 +2595,8 @@ test_expect_success 'writing value with trailing CR not stripped on read' '
+ 
+ 	printf "bar\r\n" >expect &&
+ 	git init cr-test &&
+-	git -C cr-test config set core.foo $(printf "bar\r") &&
+-	git -C cr-test config get core.foo >actual &&
++	git -C cr-test config core.foo $(printf "bar\r") &&
++	git -C cr-test config --get core.foo >actual &&
+ 
+ 	test_cmp expect actual
+ '
+diff --git a/t/t7450-bad-git-dotfiles.sh b/t/t7450-bad-git-dotfiles.sh
+index 20262855664a97..d1546e3311b27f 100755
+--- a/t/t7450-bad-git-dotfiles.sh
++++ b/t/t7450-bad-git-dotfiles.sh
+@@ -362,10 +362,10 @@ test_expect_success SYMLINKS,!WINDOWS,!MINGW 'submodule must not checkout into d
+ 	git -C repo mv sub $(printf "sub\r") &&
+ 
+ 	# Ensure config values containing CR are wrapped in quotes.
+-	git config unset -f repo/.gitmodules submodule.sub.path &&
++	git config --unset -f repo/.gitmodules submodule.sub.path &&
+ 	printf "\tpath = \"sub\r\"\n" >>repo/.gitmodules &&
+ 
+-	git config unset -f repo/.git/modules/sub/config core.worktree &&
++	git config --unset -f repo/.git/modules/sub/config core.worktree &&
+ 	{
+ 		printf "[core]\n" &&
+ 		printf "\tworktree = \"../../../sub\r\"\n"
diff --git a/SPECS/git.spec b/SPECS/git.spec
index 8d4613b..f8c5f18 100644
--- a/SPECS/git.spec
+++ b/SPECS/git.spec
@@ -92,8 +92,8 @@
 #global rcrev   .rc0
 
 Name:           git
-Version:        2.43.5
-Release:        3%{?rcrev}%{?dist}
+Version:        2.43.7
+Release:        1%{?rcrev}%{?dist}
 Summary:        Fast Version Control System
 License:        GPLv2
 URL:            https://git-scm.com/
@@ -150,6 +150,11 @@ Patch6:         git-2.43.0-slow-shallow-clones.patch
 # https://github.com/gitgitgadget/git/pull/1853
 Patch7:         git-2.43.5-sanitize-sideband-channel-messages.patch
 
+# t: avoid git config syntax from newer releases
+#
+# https://github.com/git/git/commit/428c9241c6918f52ac22fb8e83ce7c736a2f5e00
+Patch8:         git-2.43.7-t-avoid-git-config-syntax-from-newer-releases.patch
+
 %if %{with docs}
 # pod2man is needed to build Git.3pm
 BuildRequires:  %{_bindir}/pod2man
@@ -1111,6 +1116,10 @@ rmdir --ignore-fail-on-non-empty "$testdir"
 %{?with_docs:%{_pkgdocdir}/git-svn.html}
 
 %changelog
+* Fri Jul 11 2025 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.7-1
+- update to 2.43.7
+- Resolves: RHEL-102440, RHEL-102454, RHEL-102674, RHEL-102680
+
 * Fri Apr 04 2025 Ondřej Pohořelský <opohorel@redhat.com> - 2.43.5-3
 - add the option to sanitize sideband channel messages
 - Resolves: RHEL-74177