Skip to content

fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security]#1891

Merged
michaelkedar merged 1 commit intogoogle:masterfrom
renovate-bot:renovate/go-github.com/go-git/go-git/v5-vulnerability
Jan 9, 2024
Merged

fix(deps): update module github.com/go-git/go-git/v5 to v5.11.0 [security]#1891
michaelkedar merged 1 commit intogoogle:masterfrom
renovate-bot:renovate/go-github.com/go-git/go-git/v5-vulnerability

Conversation

@renovate-bot
Copy link
Collaborator

@renovate-bot renovate-bot commented Dec 27, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
github.com/go-git/go-git/v5 v5.10.1 -> v5.11.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-49568

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.11 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

References

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

v5.11.0

Compare Source

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.10.1...v5.11.0

Configuration

📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@forking-renovate forking-renovate bot added the dependencies Pull requests that update a dependency file label Dec 27, 2023
@renovate-bot renovate-bot force-pushed the renovate/go-github.com/go-git/go-git/v5-vulnerability branch from 97a27db to 82a7a3c Compare December 27, 2023 15:30
@renovate-bot renovate-bot force-pushed the renovate/go-github.com/go-git/go-git/v5-vulnerability branch from 82a7a3c to d12dfaf Compare January 9, 2024 05:33
@renovate-bot renovate-bot force-pushed the renovate/go-github.com/go-git/go-git/v5-vulnerability branch from d12dfaf to cca0966 Compare January 9, 2024 22:41
@michaelkedar michaelkedar enabled auto-merge (squash) January 9, 2024 22:43
@michaelkedar michaelkedar merged commit 8639002 into google:master Jan 9, 2024
@renovate-bot renovate-bot deleted the renovate/go-github.com/go-git/go-git/v5-vulnerability branch March 12, 2024 10:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelkedar michaelkedar michaelkedar approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@renovate-bot @michaelkedar