Update module github.com/go-git/go-git/v5 to v5.11.0 [SECURITY] - abandoned #513
Branch history (force-pushes recorded on the PR):
Force-pushed from 472459e to fc90f83
Force-pushed from 7e51244 to c6d49d5
Force-pushed from 915ddc2 to 068298a
Force-pushed from 5ed111f to c5246ea
Force-pushed from c5246ea to 4f0e3d1
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.

Autoclosing Skipped: This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.
This PR contains the following updates:
github.com/go-git/go-git/v5: v5.4.2 -> v5.11.0
GitHub Vulnerability Alerts

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trustworthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
CVE-2023-49569

Impact

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS or in-memory filesystems are not affected by this issue.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible in a timely manner, we recommend limiting its use to only trustworthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.
Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.11.0
Full Changelog: go-git/go-git@v5.10.1...v5.11.0

v5.10.1
Full Changelog: go-git/go-git@v5.10.0...v5.10.1

v5.10.0
Full Changelog: go-git/go-git@v5.9.0...v5.10.0

v5.9.0
Full Changelog: go-git/go-git@v5.8.1...v5.9.0

v5.8.1
Full Changelog: go-git/go-git@v5.8.0...v5.8.1

v5.8.0
What's Changed
doAddDirectory by @ThinkChaos in https://github.com/go-git/go-git/pull/702
Full Changelog: go-git/go-git@v5.7.0...v5.7.1

v5.7.0
Full Changelog: go-git/go-git@v5.6.1...v5.7.0

v5.6.1
What's Changed
firstErrLine when it is empty by @ThinkChaos in https://github.com/go-git/go-git/pull/682
Full Changelog: go-git/go-git@v5.6.0...v5.6.1

v5.6.0
Full Changelog: go-git/go-git@v5.5.2...v5.6.0

v5.5.2
Full Changelog: go-git/go-git@v5.5.1...v5.5.2

v5.5.1
What's Changed
CGO_ENABLED=0 by @pjbgf in https://github.com/go-git/go-git/pull/625
Full Changelog: go-git/go-git@v5.5.0...v5.5.1

v5.5.0
What's Changed
GO_GIT_USER_AGENT_EXTRA. Fixes #529 by @stewing in https://github.com/go-git/go-git/pull/531
multi_ack capability by @pjbgf in https://github.com/go-git/go-git/pull/613
Full Changelog: go-git/go-git@v5.4.2...v5.5.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
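The advisories above say that every go-git release before v5.11 (v4 and later) is affected and that v5.11.0 is the fix. The following Go program is an added example, not part of this PR or of the go-git project: it scans a go.mod for a go-git requirement and reports whether the pinned version predates the fixed release, the check a defender would run across a fleet of repositories before deciding which ones need this bump. The go.mod content is constructed to match the PR's "before" state; the v4 module path `gopkg.in/src-d/go-git.v4` is the project's pre-rename import path, and the module names, helper functions and version comparison are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Module paths covered by the advisories (go-git v4 and above).
// gopkg.in/src-d/go-git.v4 is the import path used by the v4 line.
var goGitModules = map[string]bool{
	"github.com/go-git/go-git/v5": true,
	"gopkg.in/src-d/go-git.v4":    true,
}

// fixedVersion is the first release containing the fixes for
// CVE-2023-49568 and CVE-2023-49569, as stated in the advisories.
const fixedVersion = "v5.11.0"

// Requirement is one module requirement parsed from a go.mod file.
type Requirement struct {
	Path     string
	Version  string
	Indirect bool
}

// parseRequirements extracts require directives, in both the block form
// and the single-line form, from go.mod contents. It is deliberately
// minimal: replace and exclude directives are ignored.
func parseRequirements(gomod string) []Requirement {
	var reqs []Requirement
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		indirect := strings.Contains(line, "// indirect")
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i]) // drop trailing comment
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		if !inBlock {
			if len(fields) != 3 || fields[0] != "require" {
				continue // module/go/toolchain lines and anything else
			}
			fields = fields[1:]
		}
		if len(fields) != 2 {
			continue
		}
		reqs = append(reqs, Requirement{Path: fields[0], Version: fields[1], Indirect: indirect})
	}
	return reqs
}

// splitVersion turns "vMAJOR.MINOR.PATCH[-pre][+build]" into its numeric
// core and pre-release tag; pseudo-versions fall out as 0.0.0 plus a tag.
func splitVersion(v string) ([3]int, string) {
	var core [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		pre, v = v[i+1:], v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		core[i] = n
	}
	return core, pre
}

// compareVersions orders two semantic versions: -1, 0 or 1. A pre-release
// (v5.11.0-rc1) sorts before its release (v5.11.0), so it is still flagged.
func compareVersions(a, b string) int {
	ca, pa := splitVersion(a)
	cb, pb := splitVersion(b)
	for i := 0; i < 3; i++ {
		if ca[i] < cb[i] {
			return -1
		}
		if ca[i] > cb[i] {
			return 1
		}
	}
	switch {
	case pa == "" && pb != "":
		return 1
	case pa != "" && pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// vulnerableGoGit returns the go-git requirements in gomod that predate
// the fixed release, i.e. the ones the two advisories apply to.
func vulnerableGoGit(gomod string) []Requirement {
	var out []Requirement
	for _, r := range parseRequirements(gomod) {
		if goGitModules[r.Path] && compareVersions(r.Version, fixedVersion) < 0 {
			out = append(out, r)
		}
	}
	return out
}

// sampleGoMod is a constructed go.mod mirroring the PR's "before" state.
const sampleGoMod = `module example.com/app

go 1.20

require (
	github.com/go-git/go-git/v5 v5.4.2
	github.com/go-git/go-billy/v5 v5.3.1 // indirect
)

require golang.org/x/crypto v0.14.0
`

func main() {
	for _, r := range vulnerableGoGit(sampleGoMod) {
		fmt.Printf("%s %s is below %s: affected by CVE-2023-49568 / CVE-2023-49569\n",
			r.Path, r.Version, fixedVersion)
	}
}
```

Indirect requirements are reported too, since a transitive go-git dependency still ends up in the binary; the version comparison treats a v5.11.0 pre-release as affected, which is the conservative reading of "prior to v5.11".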