
Note: if you're using Ubuntu, there is a semi-official PPA that has a non-vulnerable version (2.7.3): https://launchpad.net/~git-core/+archive/ubuntu/ppa


But a fix should come via the normal update channel soon? I'm on wily, should I expect to add this PPA or risk vulnerability?


Ubuntu should announce the fix at https://www.ubuntu.com/usn/ but I can't load the page right now.

(removed DSA link as per advice below)


That Debian advisory is a different, older vulnerability. Looks like they know about it but haven't released anything yet:

https://security-tracker.debian.org/tracker/source-package/g...


Oops, thanks.


https://bugs.launchpad.net/ubuntu/+source/git/+bug/1557787 is the tracking bug for this issue. Seems like it's fixed on xenial but not yet in older releases.


Unfortunately it looks like the distros have not been particularly diligent about releasing a fix via the security channel (according to the article), so this PPA is a workaround.



