Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #543

Merged
merged 1 commit into from
Jan 8, 2025
Merged

fix(deps): update module github.com/go-git/go-git/v5 to v5.13.0 [security] #543

merged 1 commit into from
Jan 8, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 6, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.12.0 -> v5.13.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @​vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.13.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.12.0...v5.13.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Jan 6, 2025
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Jan 6, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

  • Branch has one or more failed status checks

davidgit
davidgit previously approved these changes Jan 8, 2025
View reviewed changes
@renovate Renovate
Copy link
Contributor Author

renovate bot commented Jan 8, 2025
edited
Loading

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 7 additional dependencies were updated

Details:

Package Change
github.com/ProtonMail/go-crypto v1.0.0 -> v1.1.3
github.com/cyphar/filepath-securejoin v0.2.4 -> v0.2.5
github.com/go-git/go-billy/v5 v5.5.0 -> v5.6.0
github.com/skeema/knownhosts v1.2.2 -> v1.3.0
golang.org/x/exp v0.0.0-20240119083558-1b970713d09a -> v0.0.0-20240719175910-8a7402abbf56
golang.org/x/mod v0.17.0 -> v0.19.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d -> v0.23.0

@renovate renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 2925b19 to c63be7c Compare January 8, 2025 14:28
@renovate renovate bot force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from c63be7c to 54c4153 Compare January 8, 2025 14:38
@coveralls
Copy link

Pull Request Test Coverage Report for Build 12672786397

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 32.443%
Totals Coverage Status
Change from base Build 12672766527: 0.0%
Covered Lines: 2052
Relevant Lines: 6325
💛 - Coveralls

@alvarocabanas alvarocabanas merged commit c567f1f into master Jan 8, 2025
11 of 12 checks passed
@alvarocabanas alvarocabanas deleted the renovate/go-github.com-go-git-go-git-v5-vulnerability branch January 8, 2025 14:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alvarocabanas alvarocabanas alvarocabanas approved these changes

@davidgit davidgit davidgit left review comments

Assignees
No one assigned
Labels
dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@coveralls @davidgit @alvarocabanas