Source: golang-github-go-git-go-git
Version: 5.4.2-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for go-git.

CVE-2023-49568[0]:
| A denial of service (DoS) vulnerability was discovered in go-git
| versions prior to v5.11. This vulnerability allows an attacker to
| perform denial of service attacks by providing specially crafted
| responses from a Git server which triggers resource exhaustion in
| go-git clients. Applications using only the in-memory filesystem
| supported by go-git are not affected by this vulnerability. This is
| a go-git implementation issue and does not affect the upstream
| git cli.

CVE-2023-49569[1]:
| A path traversal vulnerability was discovered in go-git versions
| prior to v5.11. This vulnerability allows an attacker to create and
| amend files across the filesystem. In the worst case scenario,
| remote code execution could be achieved. Applications are only
| affected if they are using the ChrootOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS ,
| which is the default when using "Plain" versions of Open and Clone
| funcs (e.g. PlainClone). Applications using BoundOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or
| in-memory filesystems are not affected by this issue. This is a go-
| git implementation issue and does not affect the upstream git cli.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49568
    https://www.cve.org/CVERecord?id=CVE-2023-49568
    https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
[1] https://security-tracker.debian.org/tracker/CVE-2023-49569
    https://www.cve.org/CVERecord?id=CVE-2023-49569
    https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.6.9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled