Bug 2329269
| Summary: | CVE-2024-53859 opentofu: go-gh `auth.TokenForHost` violates GitHub host security boundary within a codespace [fedora-all] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Robb Gatica <rgatica> |
| Component: | opentofu | Assignee: | Mikel Olasagasti Uranga <mikel> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 41 | CC: | go-sig, mikel |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | {"flaws": ["50da4f36-c991-497a-8ba1-2d193f8ecddd"]} | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-12-05 16:52:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2329254 | | |
Description
Robb Gatica
2024-11-27 22:49:30 UTC
Module go-gh is only used as development tool:

```
$ grep github.com/hashicorp/copywrite * -R
main go.mod: github.com/hashicorp/copywrite v0.16.3
go.sum:github.com/hashicorp/copywrite v0.16.3 h1:9yOzvuMAVurKEmn2lIWLUYq1Nn7lsYTZMyXbUdEB9wk=
go.sum:github.com/hashicorp/copywrite v0.16.3/go.mod h1:wl92lMJ9VBqxH9M5KWfseHzXtjj7Q2u5LnKhpS0Rclo=
scripts/add-copyright-headers.sh:go run github.com/hashicorp/copywrite headers
tools.go: _ "github.com/hashicorp/copywrite"
$ cat tools.go
(...)
// This file tracks some external tools we use during development and release
// processes. These are not used at runtime but having them here allows the
// Go toolchain to see that we need to include them in go.mod and go.sum.
(...)
```
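The triage done by hand in the comment above (grep go.mod, go.sum and tools.go to show that the dependency is pulled in only through a build-tagged tools file) can be scripted. The following is an added example and is not part of the bug report or of the opentofu project: a Python helper that parses `go.mod` and Go `import` declarations and reports whether a module is imported by runtime code, only by a `//go:build tools` file or a `_test.go` file, or not imported directly at all (a transitive, `// indirect` requirement). The sample tree, the module `example.com/runtimelib`, all version strings and the `//go:build tools` constraint in the sample tools.go are constructed assumptions; the page shows the real tools.go only in part.

```python
import re
from pathlib import Path

# Constructed sample tree modelled on the go.mod + build-tagged tools.go layout
# referenced in the bug comment. Contents, versions and example.com paths are
# made up for this example.
SAMPLE_TREE = {
    "go.mod": (
        "module example.com/app\n\ngo 1.22\n\n"
        "require (\n"
        "\tgithub.com/hashicorp/copywrite v0.16.3\n"
        "\texample.com/runtimelib v1.2.3\n"
        "\tgithub.com/cli/go-gh/v2 v2.0.0 // indirect\n"   # constructed version
        ")\n"
    ),
    "tools.go": (
        "//go:build tools\n\npackage tools\n\n"
        "import (\n"
        "\t// Keeps dev tools in go.mod/go.sum without linking them at runtime.\n"
        "\t_ \"github.com/hashicorp/copywrite\"\n"
        ")\n"
    ),
    "main.go": (
        "package main\n\nimport (\n\t\"fmt\"\n\t\"example.com/runtimelib\"\n)\n\n"
        "func main() { fmt.Println(runtimelib.Version) }\n"
    ),
    "main_test.go": "package main\n\nimport \"testing\"\n\nfunc TestNothing(t *testing.T) {}\n",
}

_REQ_LINE = re.compile(r"^\s*(\S+)\s+(\S+)(\s*//\s*indirect)?")
_REQ_SINGLE = re.compile(r"^require[ \t]+([^\s(]\S*)[ \t]+(\S+)(\s*//\s*indirect)?", re.M)
_IMPORT_BLOCK = re.compile(r"^import\s*\((.*?)^\)", re.M | re.S)
_IMPORT_SINGLE = re.compile(r'^import\s+(?:[\w.]+\s+)?"([^"]+)"', re.M)
_IMPORT_SPEC = re.compile(r'(?:[\w.]+\s+)?"([^"]+)"')
# Conventional constraint used on tools files so they never build by default.
_TOOLS_TAG = re.compile(r"^//\s*(?:go:build|\+build)\b.*\btools\b", re.M)


def parse_go_mod(text):
    """Return {module_path: {"version": v, "indirect": bool}} for every require."""
    requires = {}
    for block in re.findall(r"^require\s*\((.*?)^\)", text, re.M | re.S):
        for line in block.splitlines():
            line = line.strip()
            if not line or line.startswith("//"):
                continue
            m = _REQ_LINE.match(line)
            if m:
                requires[m.group(1)] = {"version": m.group(2), "indirect": bool(m.group(3))}
    for m in _REQ_SINGLE.finditer(text):
        requires[m.group(1)] = {"version": m.group(2), "indirect": bool(m.group(3))}
    return requires


def parse_imports(go_source):
    """Collect import paths from single-line and block-form import declarations."""
    paths = set(_IMPORT_SINGLE.findall(go_source))
    for block in _IMPORT_BLOCK.findall(go_source):
        for line in block.splitlines():
            line = line.strip()
            if line and not line.startswith("//"):
                m = _IMPORT_SPEC.match(line)
                if m:
                    paths.add(m.group(1))
    return paths


def is_tools_file(go_source):
    """True when the file header (before the package clause) carries a `tools` build tag."""
    return bool(_TOOLS_TAG.search(go_source.split("package", 1)[0]))


def module_matches(import_path, module_path):
    """An import belongs to a module when it is the module root or a package below it."""
    return import_path == module_path or import_path.startswith(module_path + "/")


def classify_module(tree, module_path):
    """Triage one module: runtime dependency, dev-only tool, or transitive only."""
    requires = parse_go_mod(tree.get("go.mod", ""))
    runtime, dev = [], []
    for name, source in tree.items():
        if not name.endswith(".go"):
            continue
        if not any(module_matches(p, module_path) for p in parse_imports(source)):
            continue
        (dev if is_tools_file(source) or name.endswith("_test.go") else runtime).append(name)
    if module_path not in requires:
        verdict = "not-required"
    elif runtime:
        verdict = "runtime"
    elif dev:
        verdict = "dev-only"
    else:
        verdict = "indirect-only"   # required but never imported directly here
    return {"module": module_path, "require": requires.get(module_path),
            "runtime_importers": sorted(runtime), "dev_importers": sorted(dev),
            "verdict": verdict}


def load_tree(root):
    """Read a real checkout into the same {relative_path: text} shape as SAMPLE_TREE."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
            for p in root.rglob("*")
            if p.is_file() and (p.suffix == ".go" or p.name == "go.mod")}


if __name__ == "__main__":
    for mod in ("github.com/hashicorp/copywrite", "example.com/runtimelib", "github.com/cli/go-gh/v2"):
        r = classify_module(SAMPLE_TREE, mod)
        print(f"{r['module']:<34} {r['verdict']:<14} runtime={r['runtime_importers']} dev={r['dev_importers']}")
```

The helper only looks at direct imports, so for a transitive module such as go-gh it can say "indirect-only" but not which direct dependency pulls it in; `go mod why -m <module>` answers that from the real module graph and remains the authoritative check before closing a tracker bug as NOTABUG.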