[release-v0.12] CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients #1544
Conversation
Update our CI-oriented GitHub actions to run when commits merge in a `release-v*` branch, or a pull request is opened against a `release-v*` branch. With this change, future release branches will automatically have CI checks enabled. This commit should be backported to enable CI in a prior release branch. This implements a portion of SHIP-0038. Signed-off-by: Adam Kaplan <[email protected]>
…d to path traversal and RCE on go-git clients Update go-git dependency to mitigate the following security issue. GHSA-449p-3h89-pw88
openshift-ci
bot
added
the
release-note
|
/kind dependency-change |
openshift-ci
bot
added
the
kind/dependency-change
|
/cc @adambkaplan |
|
/hold Will want #1543 to merge first |
openshift-ci
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
Verify check failure can be ignored - issue was noted in #15433. |
|
The Verify failure needs to be checked. I think the golangci-lint gets updated very often, and sometimes the latest version comes with new validations that trigger new errors/warnings. My recommendation is to download the golangci-lint latest version locally, and run it against your branch, then you should see the same errors/warnings, so you can fix them as part of this same pr. |
|
/retest |
|
@sayan-biswas: Cannot trigger testing until a trusted user reviews the PR and leaves an In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/hold cancel Verify check passes with #1547 on this branch. |
openshift-ci
bot
removed
the
do-not-merge/hold
|
Red-button merging this - future PRs against |
adambkaplan
merged commit 95a10fd
into
shipwright-io:release-v0.12
SaschaSchwarze0
changed the title
Changes
Update go-git dependency to mitigate the following security issue.
GHSA-449p-3h89-pw88
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes