Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #1259

stackit-pipeline · 2025-01-07T00:46:00Z

This PR contains the following updates:

Package	Type	Update	Change
github.com/go-git/go-git/v5	require	minor	`v5.12.0` -> `v5.13.0`

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

An argument injection vulnerability was discovered in go-git versions prior to v5.13.

Successful exploitation of this vulnerability could allow an attacker to set arbitrary values to git-upload-pack flags. This only happens when the file transport protocol is being used, as that is the only protocol that shells out to git binaries.

Affected versions

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend users to enforce restrict validation rules for values passed in the URL field.

Credit

Thanks to @vin01 for responsibly disclosing this vulnerability to us.

CVE-2025-21614

Impact

A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.13. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients.

This is a go-git implementation issue and does not affect the upstream git cli.

Patches

Users running versions of go-git from v4 and above are recommended to upgrade to v5.13 in order to mitigate this vulnerability.

Workarounds

In cases where a bump to the latest version of go-git is not possible, we recommend limiting its use to only trust-worthy Git servers.

Credit

Thanks to Ionut Lalu for responsibly disclosing this vulnerability to us.

Release Notes

go-git/go-git (github.com/go-git/go-git/v5)

`v5.13.0`

Compare Source

What's Changed

build: bump github.com/go-git/go-git/v5 from 5.11.0 to 5.12.0 in /cli/go-git by @dependabot in https://github.com/go-git/go-git/pull/1065
build: bump golang.org/x/net from 0.22.0 to 0.23.0 by @dependabot in https://github.com/go-git/go-git/pull/1068
build: bump golang.org/x/net from 0.23.0 to 0.24.0 by @dependabot in https://github.com/go-git/go-git/pull/1071
Properly support skipping of non-mandatory extensions by @codablock in https://github.com/go-git/go-git/pull/1066
git: Refine some codes in test and non-test. by @onee-only in https://github.com/go-git/go-git/pull/1077
plumbing: protocol/packp, client-side filter capability support by @edigaryev in https://github.com/go-git/go-git/pull/1000
build: bump golang.org/x/net from 0.22.0 to 0.23.0 in /cli/go-git by @dependabot in https://github.com/go-git/go-git/pull/1078
plumbing: fix sideband demux on flush by @aymanbagabas in https://github.com/go-git/go-git/pull/1084
storage: dotgit, head reference usually comes first by @aymanbagabas in https://github.com/go-git/go-git/pull/1085
build: bump golang.org/x/text from 0.14.0 to 0.15.0 by @dependabot in https://github.com/go-git/go-git/pull/1091
build: bump golang.org/x/crypto from 0.22.0 to 0.23.0 by @dependabot in https://github.com/go-git/go-git/pull/1094
build: bump golang.org/x/net from 0.24.0 to 0.25.0 by @dependabot in https://github.com/go-git/go-git/pull/1093
git: Added an example for Repository.Branches by @johnmatthiggins in https://github.com/go-git/go-git/pull/1088
git: worktree_commit, Modify checking empty commit. Fixes #723 by @onee-only in https://github.com/go-git/go-git/pull/1050
plumbing: transport/http, Wrap http errors to return reason. Fixes #1097 by @ggambetti in https://github.com/go-git/go-git/pull/1100
build: bump golang.org/x/sys from 0.20.0 to 0.21.0 by @dependabot in https://github.com/go-git/go-git/pull/1106
build: bump golang.org/x/text from 0.15.0 to 0.16.0 by @dependabot in https://github.com/go-git/go-git/pull/1107
Bumps Go versions and go-billy by @pjbgf in https://github.com/go-git/go-git/pull/1056
_examples: Fixed a dead link COMPATIBILITY.md by @gecko655 in https://github.com/go-git/go-git/pull/1109
build: bump github.com/jessevdk/go-flags from 1.5.0 to 1.6.1 in /cli/go-git by @dependabot in https://github.com/go-git/go-git/pull/1115
build: bump github.com/elazarl/goproxy from v0.0.0-20230808193330-2592e75ae04a to v0.0.0-20240618083138-03be62527ccb by @hbelmiro in https://github.com/go-git/go-git/pull/1124
build: bump golang.org/x/net from 0.25.0 to 0.26.0 by @dependabot in https://github.com/go-git/go-git/pull/1104
Add option approximating git clean -x flag. by @msuozzo in https://github.com/go-git/go-git/pull/995
Revert "Add option approximating git clean -x flag." by @pjbgf in https://github.com/go-git/go-git/pull/1129
Fix reference updated concurrently error for the filesystem storer by @Javier-varez in https://github.com/go-git/go-git/pull/1116
build: bump golang.org/x/net from 0.26.0 to 0.27.0 by @dependabot in https://github.com/go-git/go-git/pull/1134
utils: merkletrie, Align error message with upstream by @pjbgf in https://github.com/go-git/go-git/pull/1142
plumbing: transport/file, Change paths to absolute by @pjbgf in https://github.com/go-git/go-git/pull/1141
plumbing: gitignore, Fix loading of ignored .gitignore files. by @Achilleshiel in https://github.com/go-git/go-git/pull/1114
build: bump github.com/skeema/knownhosts from 1.2.2 to 1.3.0 by @dependabot in https://github.com/go-git/go-git/pull/1147
plumbing: transport/ssh, Add support for SSH @cert-authority. by @Javier-varez in https://github.com/go-git/go-git/pull/1157
build: run example tests during CI workflow by @crazybolillo in https://github.com/go-git/go-git/pull/1030
storage: filesystem, Fix object cache not working due to uninitialised objects being put into cache by @SatelliteMind in https://github.com/go-git/go-git/pull/1138
git: Fix fetching missing commits by @AriehSchneier in https://github.com/go-git/go-git/pull/1032
plumbing: format/packfile, remove duplicate checks in findMatch() by @edigaryev in https://github.com/go-git/go-git/pull/1152
git: worktree, Fix file reported as Untracked while it is committed by @rodrigocam in https://github.com/go-git/go-git/pull/1023
build: bump golang.org/x/sys from 0.22.0 to 0.23.0 by @dependabot in https://github.com/go-git/go-git/pull/1160
plumbing: filemode, Remove check for setting size of .git/index file by @nicholasSUSE in https://github.com/go-git/go-git/pull/1159
build: bump golang.org/x/net from 0.27.0 to 0.28.0 by @dependabot in https://github.com/go-git/go-git/pull/1163
Fix some lint warning and increase stalebot to 180 days by @pjbgf in https://github.com/go-git/go-git/pull/1128
adjust path extracted from file: url on Windows by @tomqwpl in https://github.com/go-git/go-git/pull/416
build: bump golang.org/x/sys from 0.23.0 to 0.24.0 by @dependabot in https://github.com/go-git/go-git/pull/1164
Add RestoreStaged to Worktree that mimics the behaviour of git restore --staged ... by @ben-tbotlabs in https://github.com/go-git/go-git/pull/493
plumbing: signature, support the same x509 signature formats as git by @yoavamit in https://github.com/go-git/go-git/pull/1169
fix: allow discovery of non bare repos in fsLoader by @jakobmoellerdev in https://github.com/go-git/go-git/pull/1170
build: bump golang.org/x/sys from 0.24.0 to 0.25.0 by @dependabot in https://github.com/go-git/go-git/pull/1178
build: bump golang.org/x/text from 0.17.0 to 0.18.0 by @dependabot in https://github.com/go-git/go-git/pull/1179
build: bump golang.org/x/net from 0.28.0 to 0.29.0 by @dependabot in https://github.com/go-git/go-git/pull/1184
Consume push URLs when they are provided by @mcepl in https://github.com/go-git/go-git/pull/1191
*: use gocheck's MkDir instead of TempDir for tests. Fixes #807 by @uragirii in https://github.com/go-git/go-git/pull/1194
build: bump golang.org/x/net from 0.29.0 to 0.30.0 by @dependabot in https://github.com/go-git/go-git/pull/1200
worktree: .git/index not correctly generated when running on Windows by @BeChris in https://github.com/go-git/go-git/pull/1198
git: worktree, Fix sparse reset. Fixes #90 by @onee-only in https://github.com/go-git/go-git/pull/1101
git: worktree, Pass context on updateSubmodules. Fixes #1098 by @onee-only in https://github.com/go-git/go-git/pull/1154
build: bump github.com/go-git/go-billy/v5 from 5.5.1-0.20240427054813-8453aa90c6ec to 5.6.0 by @dependabot in https://github.com/go-git/go-git/pull/1211
Update contributing guidelines by @pjbgf in https://github.com/go-git/go-git/pull/1217
build: bump github.com/ProtonMail/go-crypto from 1.0.0 to 1.1.1 by @dependabot in https://github.com/go-git/go-git/pull/1222
build: bump golang.org/x/sys from 0.26.0 to 0.27.0 by @dependabot in https://github.com/go-git/go-git/pull/1223
build: bump golang.org/x/crypto from 0.28.0 to 0.29.0 by @dependabot in https://github.com/go-git/go-git/pull/1221
build: bump github.com/ProtonMail/go-crypto from 1.1.1 to 1.1.2 by @dependabot in https://github.com/go-git/go-git/pull/1226
build: bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @dependabot in https://github.com/go-git/go-git/pull/1232
build: bump github.com/ProtonMail/go-crypto from 1.1.2 to 1.1.3 by @dependabot in https://github.com/go-git/go-git/pull/1231
build: General improvements around fuzzing by @pjbgf in https://github.com/go-git/go-git/pull/1229
build: bump golang.org/x/net from 0.30.0 to 0.32.0 by @dependabot in https://github.com/go-git/go-git/pull/1241
build: group dependabot updates for golang.org by @AriehSchneier in https://github.com/go-git/go-git/pull/1243
build: bump github/codeql-action from 2.22.11 to 3.27.6 by @dependabot in https://github.com/go-git/go-git/pull/1244
build: bump golang.org/x/crypto from 0.21.0 to 0.31.0 in /cli/go-git by @dependabot in https://github.com/go-git/go-git/pull/1246
build: bump golang.org/x/crypto from 0.30.0 to 0.31.0 by @dependabot in https://github.com/go-git/go-git/pull/1247
build: bump github.com/gliderlabs/ssh from 0.3.7 to 0.3.8 by @dependabot in https://github.com/go-git/go-git/pull/1248
add comment preventing people from creating invalid trees by @petar in https://github.com/go-git/go-git/pull/732
build: bump github/codeql-action from 3.27.6 to 3.27.9 by @dependabot in https://github.com/go-git/go-git/pull/1250
plumbing: Properly encode index version 4 by @BeChris in https://github.com/go-git/go-git/pull/1251
Fix typos by @deining in https://github.com/go-git/go-git/pull/1148
Fix reset files in subfolders by @linglo in https://github.com/go-git/go-git/pull/1177
git: update switch cases by @hezhizhen in https://github.com/go-git/go-git/pull/1182
build: bump golang.org/x/net from 0.32.0 to 0.33.0 in the golang-org group by @dependabot in https://github.com/go-git/go-git/pull/1256
fix(1212): Fix invalid reference name error while cloning branches containing /- by @varmakarthik12 in https://github.com/go-git/go-git/pull/1257
pktline : accept upercase hexadecimal value as pktline length information by @BeChris in https://github.com/go-git/go-git/pull/1220
build: bump github/codeql-action from 3.27.9 to 3.28.0 by @dependabot in https://github.com/go-git/go-git/pull/1260
build: bump github.com/elazarl/goproxy from 0.0.0-20240618083138-03be62527ccb to 1.2.1 by @dependabot in https://github.com/go-git/go-git/pull/1262
git: worktree_commit, sanitize author and commiter name and email before creating the commit object. Fixes #680 by @BeChris in https://github.com/go-git/go-git/pull/1261

New Contributors

@johnmatthiggins made their first contribution in https://github.com/go-git/go-git/pull/1088
@ggambetti made their first contribution in https://github.com/go-git/go-git/pull/1100
@gecko655 made their first contribution in https://github.com/go-git/go-git/pull/1109
@hbelmiro made their first contribution in https://github.com/go-git/go-git/pull/1124
@msuozzo made their first contribution in https://github.com/go-git/go-git/pull/995
@Javier-varez made their first contribution in https://github.com/go-git/go-git/pull/1116
@Achilleshiel made their first contribution in https://github.com/go-git/go-git/pull/1114
@crazybolillo made their first contribution in https://github.com/go-git/go-git/pull/1030
@SatelliteMind made their first contribution in https://github.com/go-git/go-git/pull/1138
@rodrigocam made their first contribution in https://github.com/go-git/go-git/pull/1023
@nicholasSUSE made their first contribution in https://github.com/go-git/go-git/pull/1159
@tomqwpl made their first contribution in https://github.com/go-git/go-git/pull/416
@ben-tbotlabs made their first contribution in https://github.com/go-git/go-git/pull/493
@yoavamit made their first contribution in https://github.com/go-git/go-git/pull/1169
@uragirii made their first contribution in https://github.com/go-git/go-git/pull/1194
@petar made their first contribution in https://github.com/go-git/go-git/pull/732
@deining made their first contribution in https://github.com/go-git/go-git/pull/1148
@linglo made their first contribution in https://github.com/go-git/go-git/pull/1177
@varmakarthik12 made their first contribution in https://github.com/go-git/go-git/pull/1257

Full Changelog: go-git/go-git@v5.12.0...v5.13.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

stackit-pipeline · 2025-01-07T00:46:01Z

ℹ Artifact update notice

File name: scripts/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

7 additional dependencies were updated
The go directive was updated for compatibility reasons

Details:

Package	Change
`go`	`1.18` -> `1.24.0`
`github.com/ProtonMail/go-crypto`	`v1.0.0` -> `v1.1.3`
`github.com/cyphar/filepath-securejoin`	`v0.2.4` -> `v0.2.5`
`github.com/go-git/go-billy/v5`	`v5.5.0` -> `v5.6.0`
`github.com/skeema/knownhosts`	`v1.2.2` -> `v1.3.0`
`golang.org/x/crypto`	`v0.21.0` -> `v0.31.0`
`golang.org/x/net`	`v0.23.0` -> `v0.33.0`
`golang.org/x/tools`	`v0.13.0` -> `v0.21.1-0.20240508182429-e35e4ccd0d2d`

bahkauv70 · 2025-02-12T08:13:28Z

Postponed until minimum go version has been increased

stackit-pipeline · 2025-02-13T00:45:16Z

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v5.13.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

stackit-pipeline added the renovate Renovate dependency updates label Jan 7, 2025

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 6 times, most recently from 62c7aaa to ff34a40 Compare January 15, 2025 00:44

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 4 times, most recently from 44185ef to 02cb92f Compare January 22, 2025 00:45

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 2 times, most recently from b7250df to 3121a96 Compare January 25, 2025 00:43

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch 5 times, most recently from 709e94a to 1c73c20 Compare February 6, 2025 00:45

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 1c73c20 to 25f6d15 Compare February 7, 2025 00:45

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]

e52894c

stackit-pipeline force-pushed the renovate/go-github.com-go-git-go-git-v5-vulnerability branch from 25f6d15 to e52894c Compare February 12, 2025 00:45

bahkauv70 closed this Feb 12, 2025

bahkauv70 deleted the renovate/go-github.com-go-git-go-git-v5-vulnerability branch February 12, 2025 08:13

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #1259

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #1259

Uh oh!

stackit-pipeline commented Jan 7, 2025 •

edited

Loading

Uh oh!

stackit-pipeline commented Jan 7, 2025 •

edited

Loading

Uh oh!

bahkauv70 commented Feb 12, 2025

Uh oh!

stackit-pipeline commented Feb 13, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #1259

Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] #1259

Uh oh!

Conversation

stackit-pipeline commented Jan 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-21613

Impact

Affected versions

Workarounds

Credit

CVE-2025-21614

Impact

Patches

Workarounds

Credit

Release Notes

v5.13.0

What's Changed

New Contributors

Configuration

Uh oh!

stackit-pipeline commented Jan 7, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

ℹ Artifact update notice

File name: scripts/go.mod

Uh oh!

bahkauv70 commented Feb 12, 2025

Uh oh!

stackit-pipeline commented Feb 13, 2025

Renovate Ignore Notification

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

stackit-pipeline commented Jan 7, 2025 •

edited

Loading

`v5.13.0`

stackit-pipeline commented Jan 7, 2025 •

edited

Loading