Your message dated Wed, 29 May 2024 17:20:15 +0000
with message-id <e1scmyf-00h2en...@fasolo.debian.org>
and subject line Bug#1060701: fixed in golang-github-go-git-go-git 5.11.0-1
has caused the Debian Bug report #1060701,
regarding golang-github-go-git-go-git: CVE-2023-49568 CVE-2023-49569
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1060701: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060701
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: golang-github-go-git-go-git
Version: 5.4.2-4
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for go-git.
CVE-2023-49568[0]:
| A denial of service (DoS) vulnerability was discovered in go-git
| versions prior to v5.11. This vulnerability allows an attacker to
| perform denial of service attacks by providing specially crafted
| responses from a Git server which triggers resource exhaustion in
| go-git clients. Applications using only the in-memory filesystem
| supported by go-git are not affected by this vulnerability. This is
| a go-git implementation issue and does not affect the upstream
| git cli.
CVE-2023-49569[1]:
| A path traversal vulnerability was discovered in go-git versions
| prior to v5.11. This vulnerability allows an attacker to create and
| amend files across the filesystem. In the worst-case scenario,
| remote code execution could be achieved. Applications are only
| affected if they are using the ChrootOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS ,
| which is the default when using "Plain" versions of Open and Clone
| funcs (e.g. PlainClone). Applications using BoundOS
| https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or
| in-memory filesystems are not affected by this issue. This is a go-
| git implementation issue and does not affect the upstream git cli.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-49568
https://www.cve.org/CVERecord?id=CVE-2023-49568
https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r
[1] https://security-tracker.debian.org/tracker/CVE-2023-49569
https://www.cve.org/CVERecord?id=CVE-2023-49569
https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.6.9-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
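Added example (not code from go-git, go-billy, or the Debian package): the advisory quoted above separates the default ChrootOS, which is affected, from BoundOS and in-memory filesystems, which are not, the distinction being whether writes driven by remote data are kept inside the intended root. The Go program below, standard library only, shows what such bounding has to cover when untrusted file names are written under a working tree: a lexical check against ".." and absolute names, and then resolution of the part of the path that already exists so that a symlink inside the tree cannot redirect the write outside it. The function names (ResolveWithinRoot, WriteFileBounded) and the temp-directory scenario are assumptions made for this illustration; the code does not reproduce the mechanism of CVE-2023-49569, and for go-git users the remedy is the one the advisory gives, upgrading to 5.11.0 or using BoundOS.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a requested path would land outside root.
var ErrOutsideRoot = errors.New("path escapes root")

// within reports whether p is root itself or lies below root. Both arguments
// should already be cleaned paths; filepath.Rel avoids the classic string
// prefix mistake ("/a" matching "/ab/c").
func within(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// lexicalBound joins name onto root and rejects absolute names and any
// result that is not below root after cleaning ("../" escapes). It never
// touches the filesystem, so a symlink inside root can still point outside.
func lexicalBound(root, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", ErrOutsideRoot
	}
	root = filepath.Clean(root)
	full := filepath.Join(root, name) // Join cleans the result
	if !within(root, full) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// existingAncestor walks up from p until it finds a path that exists.
// Lstat is used so that a leaf which is itself a symlink counts as existing
// and is therefore resolved and checked.
func existingAncestor(p string) (string, error) {
	for {
		_, err := os.Lstat(p)
		if err == nil {
			return p, nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(p)
		if parent == p {
			return p, nil
		}
		p = parent
	}
}

// ResolveWithinRoot (hypothetical helper) returns the path to use for name
// under root, or ErrOutsideRoot if either the lexical join or the
// symlink-resolved existing prefix of the path would leave root.
func ResolveWithinRoot(root, name string) (string, error) {
	full, err := lexicalBound(root, name)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	anc, err := existingAncestor(full)
	if err != nil {
		return "", err
	}
	realAnc, err := filepath.EvalSymlinks(anc)
	if err != nil {
		return "", err
	}
	if !within(realRoot, realAnc) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// WriteFileBounded (hypothetical helper) creates parent directories as
// needed and writes data to name under root, refusing anything that
// ResolveWithinRoot rejects.
func WriteFileBounded(root, name string, data []byte) error {
	full, err := ResolveWithinRoot(root, name)
	if err != nil {
		return err
	}
	if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
		return err
	}
	return os.WriteFile(full, data, 0o644)
}

func main() {
	// Constructed scenario: a working tree containing a symlink that points
	// to a directory outside the tree, plus a few attacker-style names.
	root, _ := os.MkdirTemp("", "worktree")
	outside, _ := os.MkdirTemp("", "outside")
	defer os.RemoveAll(root)
	defer os.RemoveAll(outside)
	_ = os.Symlink(outside, filepath.Join(root, "link"))
	for _, name := range []string{"docs/README", "../escape", "/etc/passwd", "link/escape"} {
		fmt.Printf("%-12s -> %v\n", name, WriteFileBounded(root, name, []byte("x")))
	}
}
```

The check is still check-then-act: a process that can write into the tree concurrently could replace a component with a symlink between ResolveWithinRoot and os.WriteFile, and os.WriteFile follows symlinks. Where the platform allows it, opening the leaf with O_NOFOLLOW, or on Linux openat2 with RESOLVE_BENEATH, closes that window; the lexical and symlink checks above are the part that is portable.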
--- Begin Message ---
Source: golang-github-go-git-go-git
Source-Version: 5.11.0-1
Done: Maytham Alsudany <maytha8the...@gmail.com>
We believe that the bug you reported is fixed in the latest version of
golang-github-go-git-go-git, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1060...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Maytham Alsudany <maytha8the...@gmail.com> (supplier of updated
golang-github-go-git-go-git package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 16 Apr 2024 15:37:15 +0300
Source: golang-github-go-git-go-git
Architecture: source
Version: 5.11.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg...@tracker.debian.org>
Changed-By: Maytham Alsudany <maytha8the...@gmail.com>
Closes: 1060701
Changes:
golang-github-go-git-go-git (5.11.0-1) unstable; urgency=medium
.
* Team upload.
.
[ Pirate Praveen ]
* New upstream release 5.11.0 (Fixes: CVE-2023-49568, CVE-2023-49569)
(Closes: #1060701)
* Bump Standards-Version to 4.6.2 (no changes needed)
.
[ Maytham Alsudany ]
* Symlink github.com/imdario/mergo to new import path (dario.cat/mergo)
* Update (B-)Deps, add support for nocheck builds
* Use fake home directory containing test data during tests
* Disable more tests that require internet
* Disable gitignore test with unreliable tilde expansion
Checksums-Sha1:
e7b9a9349dbebba24a09cbef31bcaf4fb682fec5 3182
golang-github-go-git-go-git_5.11.0-1.dsc
ea7df9ec2e73c20db9a0cfa483a02bfb41a13c87 535293
golang-github-go-git-go-git_5.11.0.orig.tar.gz
3d8e0c9b512219e04e9667ed0c786cc0cb38c3b1 5400
golang-github-go-git-go-git_5.11.0-1.debian.tar.xz
e19e9b6216116b939c34e74f5fb95719c1713f43 10685
golang-github-go-git-go-git_5.11.0-1_source.buildinfo
Checksums-Sha256:
a6ae92d85a3ecc846d81a25c334c3eace29b2dfcc74904004403b873af8c6d35 3182
golang-github-go-git-go-git_5.11.0-1.dsc
071d1d8d31226ae6f0b569feee2c84489b115dde37279299a9aef58605143d66 535293
golang-github-go-git-go-git_5.11.0.orig.tar.gz
29403a2c8087ff4480f6e37fb4aaea1747f41d8b26d035f8d1fd41f0c6db7236 5400
golang-github-go-git-go-git_5.11.0-1.debian.tar.xz
d3a06b479f9701630712a25a60689b86f097a7b5ff5ad87fcf4a10dbd07d2d31 10685
golang-github-go-git-go-git_5.11.0-1_source.buildinfo
Files:
4242f24a0aa874923319570e6abe88b0 3182 golang optional
golang-github-go-git-go-git_5.11.0-1.dsc
748600740029c8eb941ee85c0cd9aa6e 535293 golang optional
golang-github-go-git-go-git_5.11.0.orig.tar.gz
2300134b1041a9e29fc1e37970b43038 5400 golang optional
golang-github-go-git-go-git_5.11.0-1.debian.tar.xz
25f3243329fb5c75e24d08efa877ee28 10685 golang optional
golang-github-go-git-go-git_5.11.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---