[BUG] v0.12.0 impacted by CVE-2023-49569 #1498

Closed
1 task done
adambkaplan opened this issue Feb 19, 2024 · 3 comments · Fixed by #1544
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@adambkaplan
Member

Is there an existing issue for this?

  • I have searched the existing issues

Kubernetes Version

Any supported

Shipwright Version

v0.12.0

Current Behavior

builds v0.12.0 contains a Critical security advisory in the go-git library, which was patched last December and is scheduled to be released with v0.13.0.

Expected Behavior

We should patch v0.12.0 with this security fix, and release a v0.12.1.

Steps To Reproduce

No response

Anything else?

Advisory: GHSA-449p-3h89-pw88

PR with fix: #1445 (comment)

@qu1queee
Contributor

From Refinement, we understand the urgency on this, so adding this as an Urgent Item.

@Adarsh-jaiss
Member

Hey @adambkaplan @qu1queee, this issue has been open for quite a long time. If possible, can you please elaborate more about the issue and how I can fix this?
I would love to look into it.

@adambkaplan
Member Author

adambkaplan commented Mar 19, 2024

This item was actually fixed by #1544 today. Thanks for looking into this, though!

Projects
Status: Done
3 participants