fix: Switch to upstream go-git. Fixes CVE-2023-49569 #12515
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
It seems like we were planning on this anyway in #11483 and #11149, in particular since upstream |
For reference, the details:
So this only has impact if you have an untrusted Git server. For the principles of zero trust, this is definitely still very important to fix (especially as trusted Git servers can be hacked or supply chain attacked too), but most people will probably not be impacted by this as they use a trusted enterprise vendor |
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com>
Signed-off-by: Yuan Tang <terrytangyuan@gmail.com> Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
This fixes a critical severity vulnerability https://www.cve.org/CVERecord?id=CVE-2023-49569. We cannot use the existing fork anymore. Security is always the highest priority.