Git through 2.14.2 mishandles layers of tree objects, which allows remote attackers to cause a denial of service (memory consumption) via a crafted repository, aka a Git bomb. This can also have an impact of disk consumption; however, an affected process typically would not survive its attempt to build the data structure in memory before writing to disk.
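A defensive pre-check for the condition described above, as an added example that is not part of the original report or of Git's own code: it sizes a tree hierarchy by memoizing per-object counts, so the work grows with the number of unique tree objects rather than with the number of expanded paths. It assumes the crafted repository lists the same tree object under many names at each layer; `read_tree`, `expanded_paths`, `exceeds_budget` and the object ids are hypothetical names, and both sample stores are constructed.

```python
from typing import Callable, Dict, List, Tuple

# (name, kind, object id); kind is "tree" or "blob". Hypothetical model of one
# tree listing, e.g. what a non-recursive `git ls-tree <id>` would report.
Entry = Tuple[str, str, str]

def expanded_paths(root: str, read_tree: Callable[[str], List[Entry]]) -> Tuple[int, int]:
    """Return (blob paths a full recursive walk would visit, unique trees read)."""
    count: Dict[str, int] = {}            # tree id -> blob paths below it
    listing: Dict[str, List[Entry]] = {}  # tree id -> its entries, read once
    stack = [root]
    # Iterative post-order walk. Object ids are content hashes, so a real
    # object graph has no cycles and this loop terminates.
    while stack:
        oid = stack[-1]
        if oid in count:
            stack.pop()
            continue
        if oid not in listing:
            listing[oid] = read_tree(oid)
        pending = {c for _, k, c in listing[oid] if k == "tree" and c not in count}
        if pending:
            stack.extend(pending)         # size the children first
            continue
        count[oid] = sum(count[c] if k == "tree" else 1 for _, k, c in listing[oid])
        stack.pop()
    return count[root], len(count)

def exceeds_budget(root: str, read_tree: Callable[[str], List[Entry]],
                   max_paths: int = 1_000_000) -> bool:
    """True when a full expansion would visit more than max_paths blob paths."""
    paths, _ = expanded_paths(root, read_tree)
    return paths > max_paths

# Constructed sample: 4 layers, each listing the next layer under 5 names.
LAYERED = {f"t{i}": [(f"d{j}", "tree", f"t{i + 1}") for j in range(5)] for i in range(3)}
LAYERED["t3"] = [(f"f{j}", "blob", "b0") for j in range(5)]
# Constructed sample: an ordinary small tree.
ORDINARY = {"r": [("README", "blob", "b1"), ("src", "tree", "s")],
            "s": [("main.c", "blob", "b2"), ("util.c", "blob", "b3")]}

if __name__ == "__main__":
    for name, store, root in (("layered", LAYERED, "t0"), ("ordinary", ORDINARY, "r")):
        paths, trees = expanded_paths(root, store.__getitem__)
        print(f"{name}: {paths} paths from {trees} unique trees")
```

A large gap between the two returned numbers is the signal: four unique trees standing in for 625 paths in the layered sample, against two trees and three paths in the ordinary one.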
Created git tracking bugs for this issue:
Affects: fedora-all [bug 1510457]
git <= 2.14.3 is vulnerable here, I believe. The upstream commit which resolves this is https://git.kernel.org/pub/scm/git/git.git/commit/?id=a937b37e76 (merged yesterday). I imagine we'll see some maint releases from upstream shortly. The commit applies cleanly to 2.9.x (which f25 runs). I didn't look any further back than that.