Bug 2258143 (CVE-2023-49569)
| Summary: | CVE-2023-49569 go-git: Maliciously crafted Git server replies can lead to path traversal and RCE on go-git clients | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | | |
| Version: | unspecified | CC: | agarcial, alcohan, amctagga, anjoseph, aoconnor, asegurap, bniver, btarraso, caswilli, crizzo, dfreiber, dhanak, dkenigsb, drow, dsimansk, eglynn, fdeutsch, fjansen, flucifre, gandhi.srini, gkamathe, gmeno, gparvin, jburrell, jforrest, jjoyce, jkoehler, jprabhak, jschluet, kaycoth, kingland, kverlaen, lbainbri, lchilton, lhh, lphiri, lsvaty, manissin, matzew, mbenjamin, mburns, mgarciac, mhackett, mnovotny, njean, oramraz, owatkins, pahickey, pgrist, pierdipi, prodsec-ir-bot, rguimara, rhaigner, rhos-maint, rhuss, sausingh, sdawley, sfeifer, sipoyare, smullick, sostapov, stirabos, thason, vereddy, vkumar, wtam |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | go-git 5.11 | Doc Type: | If docs needed, set a value |
| Doc Text: | A path traversal vulnerability was discovered in the Go library go-git. This issue may allow an attacker to create and amend files across the filesystem when applications are using the default ChrootOS, potentially allowing remote code execution. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2259810, 2259709, 2259710, 2259711, 2259712, 2259713, 2259714, 2259715, 2259716, 2259717, 2259718, 2259719, 2259720, 2259721, 2259722, 2259723, 2259724, 2259725, 2259726, 2259812, 2259814, 2259816, 2259818, 2259820, 2259822, 2259824, 2259826, 2259827, 2259828, 2259829, 2259830, 2259831, 2259832, 2259833, 2259834, 2259835, 2270744, 2271878, 2271879 | | |
| Bug Blocks: | 2258168 | | |
Description
Pedro Sampaio
2024-01-12 22:05:28 UTC
- This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8. Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298
- The same vulnerability needs to be fixed in the OSE package also: the registry.redhat.io/openshift4/ose-operator-registry container image. The image is picked from "registry.redhat.io/openshift4/ose-operator-registry:v4.14.0". It is blocking the security release.
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14. Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14. Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642
- This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8. Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14. Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13. Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13. Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741
- This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8. Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820
- This issue has been addressed in the following products: RHOSS-1.31-RHEL-8. Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843
- This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8. Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12. Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13. Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12. Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833
- This issue has been addressed in the following products: multicluster-globalhub 1.0 for RHEL 8. Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15. Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15. Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12. Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052
- Created grafana tracking bugs for this issue: Affects: fedora-39 [bug 2259834]
- Created pack tracking bugs for this issue: Affects: fedora-39 [bug 2259835]
- Created golang-github-git-5 tracking bugs for this issue: Affects: fedora-39 [bug 2259832]
- Created golang-github-hashicorp-hc-install tracking bugs for this issue: Affects: fedora-39 [bug 2259833]
- Created golang-github-hashicorp-hc-install tracking bugs for this issue: Affects: fedora-38 [bug 2259828]
- Created pack tracking bugs for this issue: Affects: fedora-38 [bug 2259830]
- Created grafana tracking bugs for this issue: Affects: fedora-38 [bug 2259829]
- Created cri-o tracking bugs for this issue: Affects: fedora-39 [bug 2259831]
- Created cri-o:1.27/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259826]
- Created cri-o:1.25/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259822]
- Created cri-o:1.26/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259824]
- Created golang-github-git-5 tracking bugs for this issue: Affects: fedora-38 [bug 2259827]
- Created cri-o:1.23/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259818]
- Created cri-o:1.24/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259820]
- Created cri-o:1.22/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259816]
- Created cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259814]
- Created pack tracking bugs for this issue: Affects: epel-8 [bug 2259812]
- Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: epel-8 [bug 2259810]
- This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.10. Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692
- This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.3. Via RHSA-2024:1549 https://access.redhat.com/errata/RHSA-2024:1549
- This issue has been addressed in the following products: OPENSHIFT-BUILDS-1.0-RHEL-8. Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12. Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14. Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891
- This issue has been addressed in the following products: Red Hat Ceph Storage 6.1. Via RHSA-2024:2631 https://access.redhat.com/errata/RHSA-2024:2631
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13. Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047
- This issue has been addressed in the following products: Red Hat Ceph Storage 7.1. Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925
- This issue has been addressed in the following products: Red Hat Ceph Storage 5.3. Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118
- Add public comment to show this issue has been fixed within these errata for OCP 4.16.0 after correcting missing CVE names from the original errata: https://access.redhat.com/errata/RHSA-2024:0040 https://access.redhat.com/errata/RHSA-2024:0041
- This issue has been addressed in the following products: OPENSHIFT-BUILDS-1.1-RHEL-8. Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221
- This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15. Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425