Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #175

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #175

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.7.0 -> v5.13.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-49569

Impact

A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved.

Applications are only affected if they are using the ChrootOS, which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS or in-memory filesystems are not affected by this issue.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible in a timely manner, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @​vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.13.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.12.0...v5.13.0

v5.12.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.11.0...v5.12.0

v5.11.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.10.1...v5.11.0

v5.10.1

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.10.0...v5.10.1

v5.10.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.9.0...v5.10.0

v5.9.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.8.1...v5.9.0

v5.8.1

Compare Source

What's Changed

Full Changelog: go-git/go-git@v5.8.0...v5.8.1

v5.8.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.7.0...v5.7.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate Renovate
Copy link
Contributor Author

renovate bot commented Aug 6, 2024
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 11 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.19 -> 1.23.4
golang.org/x/mod v0.11.0 -> v0.17.0
github.com/skeema/knownhosts v1.1.1 -> v1.3.0
github.com/Microsoft/go-winio v0.5.2 -> v0.6.1
github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 -> v1.1.3
github.com/go-git/go-billy/v5 v5.4.1 -> v5.6.0
github.com/google/go-cmp v0.5.9 -> v0.6.0
github.com/sergi/go-diff v1.1.0 -> v1.3.2-0.20230802210424-5b0b94c5c0d3
golang.org/x/crypto v0.9.0 -> v0.31.0
golang.org/x/net v0.10.0 -> v0.33.0
golang.org/x/sys v0.8.0 -> v0.28.0
golang.org/x/text v0.9.0 -> v0.21.0

@github-actions GitHub Actions
Copy link

github-actions bot commented Aug 6, 2024

Pull Request Test Coverage Report for Build 10262318787

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 65.0%
Totals Coverage Status
Change from base Build 5410056807: 0.0%
Covered Lines: 338
Relevant Lines: 520
💛 - Coveralls

@renovate renovate bot changed the title fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security] fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] Jan 6, 2025
@renovate renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 22c5c22 to 56eed6e Compare January 6, 2025 17:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants