@itzg itzg commented May 19, 2024

Removing git-lfs for now due to numerous CVEs including two critical:

## Packages and Vulnerabilities

   2C    29H     0M     0L  stdlib 1.18.1
pkg:golang/stdlib@1.18.1

19: sha256:5c0fc48456768933513e10c645395539cfbe17f461f134498e8bfab06907dc4a
/usr/bin/git-lfs (evident by)

    x CRITICAL CVE-2023-24540
      https://scout.docker.com/v/CVE-2023-24540
      Affected range : <1.19.9
      Fixed version  : 1.19.9

    x CRITICAL CVE-2023-24538
      https://scout.docker.com/v/CVE-2023-24538
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    x HIGH CVE-2023-29403
      https://scout.docker.com/v/CVE-2023-29403
      Affected range : <1.19.10
      Fixed version  : 1.19.10

    x HIGH CVE-2022-30580
      https://scout.docker.com/v/CVE-2022-30580
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    x HIGH CVE-2023-45287
      https://scout.docker.com/v/CVE-2023-45287
      Affected range : <1.20.0
      Fixed version  : 1.20.0

    x HIGH CVE-2023-45283
      https://scout.docker.com/v/CVE-2023-45283
      Affected range : <1.20.11
      Fixed version  : 1.20.11

    x HIGH CVE-2023-39325
      https://scout.docker.com/v/CVE-2023-39325
      Affected range : <1.20.10
      Fixed version  : 1.20.10

    x HIGH CVE-2023-24537
      https://scout.docker.com/v/CVE-2023-24537
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    x HIGH CVE-2023-24536
      https://scout.docker.com/v/CVE-2023-24536
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    x HIGH CVE-2023-24534
      https://scout.docker.com/v/CVE-2023-24534
      Affected range : <1.19.8
      Fixed version  : 1.19.8

    x HIGH CVE-2022-41725
      https://scout.docker.com/v/CVE-2022-41725
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    x HIGH CVE-2022-41724
      https://scout.docker.com/v/CVE-2022-41724
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    x HIGH CVE-2022-41723
      https://scout.docker.com/v/CVE-2022-41723
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    x HIGH CVE-2022-41722
      https://scout.docker.com/v/CVE-2022-41722
      Affected range : <1.19.6
      Fixed version  : 1.19.6

    x HIGH CVE-2022-41720
      https://scout.docker.com/v/CVE-2022-41720
      Affected range : <1.18.9
      Fixed version  : 1.18.9

    x HIGH CVE-2022-41716
      https://scout.docker.com/v/CVE-2022-41716
      Affected range : <1.18.8
      Fixed version  : 1.18.8

    x HIGH CVE-2022-41715
      https://scout.docker.com/v/CVE-2022-41715
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    x HIGH CVE-2022-32189
      https://scout.docker.com/v/CVE-2022-32189
      Affected range : >=1.18.0-0
                     : <1.18.5
      Fixed version  : 1.18.5

    x HIGH CVE-2022-30635
      https://scout.docker.com/v/CVE-2022-30635
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-30634
      https://scout.docker.com/v/CVE-2022-30634
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    x HIGH CVE-2022-30633
      https://scout.docker.com/v/CVE-2022-30633
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-30632
      https://scout.docker.com/v/CVE-2022-30632
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-30631
      https://scout.docker.com/v/CVE-2022-30631
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-30630
      https://scout.docker.com/v/CVE-2022-30630
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-29804
      https://scout.docker.com/v/CVE-2022-29804
      Affected range : >=1.18.0-0
                     : <1.18.3
      Fixed version  : 1.18.3

    x HIGH CVE-2022-2880
      https://scout.docker.com/v/CVE-2022-2880
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    x HIGH CVE-2022-2879
      https://scout.docker.com/v/CVE-2022-2879
      Affected range : <1.18.7
      Fixed version  : 1.18.7

    x HIGH CVE-2022-28131
      https://scout.docker.com/v/CVE-2022-28131
      Affected range : >=1.18.0-0
                     : <1.18.4
      Fixed version  : 1.18.4

    x HIGH CVE-2022-27664
      https://scout.docker.com/v/CVE-2022-27664
      Affected range : <1.18.6
      Fixed version  : 1.18.6

    x HIGH CVE-2023-29400
      https://scout.docker.com/v/CVE-2023-29400
      Affected range : <1.19.9
      Fixed version  : 1.19.9

    x HIGH CVE-2023-24539
      https://scout.docker.com/v/CVE-2023-24539
      Affected range : <1.19.9
      Fixed version  : 1.19.9

@itzg itzg added the `dependencies` label (Pull requests that update a dependency file) May 19, 2024
@itzg itzg changed the title from "build: removing git-lfs until it fixes CVEs" to "build: upgrading git-lfs" May 19, 2024
@itzg itzg changed the title from "build: upgrading git-lfs" to "build: upgrading git-lfs from packagecloud" May 19, 2024
@itzg itzg merged commit 3402849 into master May 19, 2024
@itzg itzg deleted the build/git-lfs-cves branch May 19, 2024 22:27
sevenrats pushed a commit to sevenrats/docker-minecraft-server that referenced this pull request Nov 19, 2024