security: CVE-2023-49569 - go-git/v5
cmontemuino opened this issue · 2 comments
cmontemuino commented
We've observed version 3.11.6 includes critical vulnerability CVE-2023-49569 in package github.com/go-git/go-git/v5.
Root cause is in go.mod file:

```
// TODO: once https://github.com/go-git/go-git/pull/416 is merged, this can be
// removed and we can use the upstream module. This commit on my fork is a
// cherry-pick from the PR on top of v5.10.0
replace github.com/go-git/go-git/v5 => github.com/hairyhenderson/go-git/v5 v5.0.0-20231120010526-e49f9324b2fc

require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.0
)
```
Version v5.11.0 has been published already, so it should be an easy fix.
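As an added example, not code from gomplate or from anyone in this thread: a small stand-alone Go checker that shows what the `replace` directive does to a scanner's view of this dependency. It reads the go.mod fragment quoted above, applies the replace, and reports that `github.com/go-git/go-git/v5` actually resolves to a fork at a pseudo-version, so bumping the `require` line to v5.11.0 on its own would change nothing until the fork is rebased. The `Mod` type, the status names, the minimal line-based parser and the version comparison are my own assumptions for illustration; in a real repository you would look at `go list -m all` (which prints the replaced module) and run govulncheck rather than parse go.mod by hand.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// goModFragment is the go.mod excerpt quoted in the issue (gomplate v3.11.6).
const goModFragment = `// cherry-pick from the PR on top of v5.10.0
replace github.com/go-git/go-git/v5 => github.com/hairyhenderson/go-git/v5 v5.0.0-20231120010526-e49f9324b2fc
require (
	github.com/go-git/go-billy/v5 v5.5.0
	github.com/go-git/go-git/v5 v5.10.0
)`

// Mod holds what the require block says and where replace redirects it (assumed shape).
type Mod struct {
	Require map[string]string    // module path -> version a naive scanner reads
	Replace map[string][2]string // module path -> {replacement path, replacement version}
}

// Verdicts returned by checkAdvisory (names are this example's own).
const StatusVulnerable, StatusFixed, StatusForkUnverified = "vulnerable", "fixed", "fork-unverified"

// pseudoVersionRE matches Go pseudo-versions such as v5.0.0-20231120010526-e49f9324b2fc.
var pseudoVersionRE = regexp.MustCompile(`^v\d+\.\d+\.\d+(?:-[0-9A-Za-z.]+)?-\d{14}-[0-9a-f]{12}$`)

func isPseudoVersion(v string) bool { return pseudoVersionRE.MatchString(v) }

// parseGoMod is a minimal line-based reader for block-form require and the
// "replace OLD => NEW vNEW" form used in the issue; other directives are ignored.
func parseGoMod(src string) Mod {
	m := Mod{Require: map[string]string{}, Replace: map[string][2]string{}}
	inRequire := false
	for _, raw := range strings.Split(src, "\n") {
		line, _, _ := strings.Cut(raw, "//") // strip comments
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case inRequire && f[0] == ")":
			inRequire = false
		case inRequire && len(f) == 2:
			m.Require[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inRequire = true
		case f[0] == "replace" && len(f) == 5 && f[2] == "=>":
			m.Replace[f[1]] = [2]string{f[3], f[4]}
		}
	}
	return m
}

// core parses "vMAJOR.MINOR.PATCH[-suffix]" into three ints; the suffix is ignored.
func core(v string) (out [3]int) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(v, ".", 3) {
		out[i], _ = strconv.Atoi(p)
	}
	return out
}

// versionLess reports whether a's core version is strictly below b's.
func versionLess(a, b string) bool {
	x, y := core(a), core(b)
	for i := range x {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return false
}

// checkAdvisory resolves modPath through any replace directive and compares the
// effective version with fixedVersion. A replace to a different module path is
// reported as unverified: a fork's pseudo-version is unrelated to upstream
// release numbering, so only the fork's own history shows whether it has the fix.
func checkAdvisory(m Mod, modPath, fixedVersion string) (status, reason string) {
	effective, ok := m.Require[modPath]
	if !ok {
		return StatusFixed, modPath + " is not required"
	}
	if r, replaced := m.Replace[modPath]; replaced {
		if r[0] != modPath {
			return StatusForkUnverified, fmt.Sprintf("%s is replaced by %s %s (pseudo-version: %t); rebase the fork on >= %s, bumping the require line alone changes nothing",
				modPath, r[0], r[1], isPseudoVersion(r[1]), fixedVersion)
		}
		effective = r[1] // same module pinned to another version
	}
	if versionLess(effective, fixedVersion) {
		return StatusVulnerable, fmt.Sprintf("%s resolves to %s, below %s", modPath, effective, fixedVersion)
	}
	return StatusFixed, fmt.Sprintf("%s resolves to %s, at or above %s", modPath, effective, fixedVersion)
}

func main() {
	status, reason := checkAdvisory(parseGoMod(goModFragment), "github.com/go-git/go-git/v5", "v5.11.0")
	fmt.Printf("%s: %s\n", status, reason)
}
```

Running it prints a `fork-unverified` verdict naming `github.com/hairyhenderson/go-git/v5`: the require line says v5.10.0, the fork's pseudo-version says v5.0.0, and neither number tells you which upstream commits the fork actually carries. That is exactly why a scanner keyed on the require line both flags this and cannot be silenced by a version bump alone.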
cmontemuino commented
Fix: #1961
hairyhenderson commented
> so it should be an easy fix.
Not quite - the fork needs to be updated first.
This particular vulnerability is not applicable to gomplate's use of go-git, as gomplate only uses the in-memory filesystem when communicating with remote git servers:
> Applications using BoundOS or in-memory filesystems are not affected by this issue.
I will take care of this, but for the time being you can safely instruct your scanner to ignore this vulnerability.