Bug 2258165 (CVE-2023-49568) - CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
Summary: CVE-2023-49568 go-git: Maliciously crafted Git server replies can cause DoS on go-git clients
Keywords:
Status: NEW
Alias: CVE-2023-49568
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2259734 2259735 2259799 2259800 2259801 2259802 2259803 2259804 2259805 2259806 2259807 2259809 2259811 2259813 2259815 2259819 2259821 2259823 2259730 2259731 2259732 2259733 2259736 2259737 2259738 2259739 2259740 2259741 2259742 2259743 2259744 2259745 2259746 2259747 2259808 2259817
Blocks: 2258168
Reported: 2024-01-12 23:32 UTC by Pedro Sampaio
Modified: 2024-05-02 16:37 UTC

Fixed In Version: go-git 5.11
Doc Type: If docs needed, set a value
Doc Text:
A denial of service (DoS) vulnerability was found in the go library go-git. This issue may allow an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which can trigger resource exhaustion in go-git clients.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links (Red Hat Product Errata referencing this bug; the Private, Priority, Status and Summary columns were empty for every row and are omitted)
System | ID | Last Updated
Red Hat Product Errata | RHBA-2024:0931 | 2024-02-21 01:00:57 UTC
Red Hat Product Errata | RHBA-2024:0932 | 2024-02-21 01:01:15 UTC
Red Hat Product Errata | RHBA-2024:0933 | 2024-02-21 01:01:26 UTC
Red Hat Product Errata | RHBA-2024:1009 | 2024-02-27 19:49:33 UTC
Red Hat Product Errata | RHBA-2024:1010 | 2024-02-27 20:48:11 UTC
Red Hat Product Errata | RHBA-2024:1011 | 2024-02-27 21:40:32 UTC
Red Hat Product Errata | RHSA-2023:7197 | 2024-02-27 19:48:00 UTC
Red Hat Product Errata | RHSA-2024:0298 | 2024-01-18 16:37:35 UTC
Red Hat Product Errata | RHSA-2024:0641 | 2024-02-07 16:41:39 UTC
Red Hat Product Errata | RHSA-2024:0642 | 2024-02-07 17:36:54 UTC
Red Hat Product Errata | RHSA-2024:0691 | 2024-03-22 15:42:59 UTC
Red Hat Product Errata | RHSA-2024:0692 | 2024-03-22 16:04:19 UTC
Red Hat Product Errata | RHSA-2024:0729 | 2024-02-07 20:08:46 UTC
Red Hat Product Errata | RHSA-2024:0735 | 2024-02-13 17:23:45 UTC
Red Hat Product Errata | RHSA-2024:0740 | 2024-02-14 05:51:52 UTC
Red Hat Product Errata | RHSA-2024:0741 | 2024-02-14 06:34:12 UTC
Red Hat Product Errata | RHSA-2024:0820 | 2024-02-14 18:45:27 UTC
Red Hat Product Errata | RHSA-2024:0832 | 2024-02-21 00:30:47 UTC
Red Hat Product Errata | RHSA-2024:0833 | 2024-02-21 01:44:24 UTC
Red Hat Product Errata | RHSA-2024:0843 | 2024-02-15 12:55:54 UTC
Red Hat Product Errata | RHSA-2024:0845 | 2024-02-21 01:40:43 UTC
Red Hat Product Errata | RHSA-2024:0880 | 2024-02-20 11:03:39 UTC
Red Hat Product Errata | RHSA-2024:0989 | 2024-02-26 16:08:01 UTC
Red Hat Product Errata | RHSA-2024:1052 | 2024-03-06 00:38:28 UTC
Red Hat Product Errata | RHSA-2024:1557 | 2024-03-28 05:31:20 UTC
Red Hat Product Errata | RHSA-2024:1570 | 2024-03-28 20:50:11 UTC
Red Hat Product Errata | RHSA-2024:1887 | 2024-04-25 15:50:57 UTC
Red Hat Product Errata | RHSA-2024:1891 | 2024-04-26 12:38:45 UTC
Red Hat Product Errata | RHSA-2024:1896 | 2024-04-25 15:15:15 UTC
Red Hat Product Errata | RHSA-2024:2047 | 2024-05-02 16:37:30 UTC


Description Pedro Sampaio 2024-01-12 23:32:51 UTC
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server, which trigger resource exhaustion in go-git clients.

Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability.
This is a go-git implementation issue and does not affect the upstream Git CLI.

References:

https://github.com/go-git/go-git/security/advisories/GHSA-mw99-9chc-xw7r

Comment 3 errata-xmlrpc 2024-01-18 16:37:34 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8

Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298

Comment 72 errata-xmlrpc 2024-02-07 16:41:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641

Comment 73 errata-xmlrpc 2024-02-07 17:36:50 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642

Comment 74 errata-xmlrpc 2024-02-07 20:08:43 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8

Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729

Comment 79 errata-xmlrpc 2024-02-13 17:23:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735

Comment 80 errata-xmlrpc 2024-02-14 05:51:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740

Comment 81 errata-xmlrpc 2024-02-14 06:34:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741

Comment 82 errata-xmlrpc 2024-02-14 18:45:23 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8

Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820

Comment 83 errata-xmlrpc 2024-02-15 12:55:50 UTC
This issue has been addressed in the following products:

  RHOSS-1.31-RHEL-8

Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843

Comment 85 Jeremy West 2024-02-16 17:31:18 UTC
Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2259799]

Comment 86 Jeremy West 2024-02-16 19:43:56 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259801]

Comment 87 Jeremy West 2024-02-16 19:43:57 UTC
Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2259800]

Comment 88 Jeremy West 2024-02-16 19:44:00 UTC
Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259802]

Comment 89 Jeremy West 2024-02-16 19:44:05 UTC
Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259803]

Comment 90 Jeremy West 2024-02-16 19:44:09 UTC
Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259807]

Comment 96 errata-xmlrpc 2024-02-20 11:03:36 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880

Comment 97 errata-xmlrpc 2024-02-21 00:30:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832

Comment 98 errata-xmlrpc 2024-02-21 01:40:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845

Comment 99 errata-xmlrpc 2024-02-21 01:44:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833

Comment 101 errata-xmlrpc 2024-02-26 16:07:58 UTC
This issue has been addressed in the following products:

  multicluster-globalhub 1.0 for RHEL 8

Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989

Comment 102 errata-xmlrpc 2024-02-27 19:47:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197

Comment 105 errata-xmlrpc 2024-03-06 00:38:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052

Comment 107 Jeremy West 2024-03-19 15:16:26 UTC
Created pack tracking bugs for this issue:

Affects: fedora-39 [bug 2259823]

Comment 108 Jeremy West 2024-03-19 17:55:30 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-39 [bug 2259821]

Comment 109 Jeremy West 2024-03-19 17:55:35 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-39 [bug 2259819]

Comment 110 Jeremy West 2024-03-19 18:03:20 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-39 [bug 2259817]

Comment 111 Jeremy West 2024-03-19 18:03:28 UTC
Created cri-o tracking bugs for this issue:

Affects: fedora-39 [bug 2259815]

Comment 112 Jeremy West 2024-03-19 18:22:55 UTC
Created pack tracking bugs for this issue:

Affects: fedora-38 [bug 2259813]

Comment 113 Jeremy West 2024-03-19 18:23:02 UTC
Created grafana tracking bugs for this issue:

Affects: fedora-38 [bug 2259811]

Comment 114 Jeremy West 2024-03-19 19:34:40 UTC
Created golang-github-hashicorp-hc-install tracking bugs for this issue:

Affects: fedora-38 [bug 2259809]

Comment 115 Jeremy West 2024-03-19 19:34:48 UTC
Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259806]

Comment 116 Jeremy West 2024-03-19 19:34:50 UTC
Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259804]

Comment 117 Jeremy West 2024-03-19 21:00:07 UTC
Created golang-github-git-5 tracking bugs for this issue:

Affects: fedora-38 [bug 2259808]

Comment 118 Jeremy West 2024-03-19 21:00:14 UTC
Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-38 [bug 2259805]

Comment 119 Brad Smith 2024-03-19 21:55:56 UTC
(In reply to Jeremy West from comment #118)
> Created cri-o:1.25/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259805]

cri-o 1.25 (and Kubernetes 1.25) were in Fedora 37, which is end of life. Kubernetes 1.25 is also end of life. Propose cri-o 1.25 also be end of life.

Comment 120 Brad Smith 2024-03-19 21:56:50 UTC
(In reply to Jeremy West from comment #116)
> Created cri-o:1.24/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259804]

Should be end-of-life. Available for Fedora 36.

Comment 121 Brad Smith 2024-03-19 21:58:31 UTC
(In reply to Jeremy West from comment #90)
> Created cri-o:1.27/cri-o tracking bugs for this issue:
> 
> Affects: fedora-38 [bug 2259807]

cri-o 1.27 is the default cri-o for Fedora 39.

Comment 122 errata-xmlrpc 2024-03-22 15:42:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.9

Via RHSA-2024:0691 https://access.redhat.com/errata/RHSA-2024:0691

Comment 123 errata-xmlrpc 2024-03-22 16:04:17 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.10

Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692

Comment 124 errata-xmlrpc 2024-03-28 05:31:18 UTC
This issue has been addressed in the following products:

  OPENSHIFT-BUILDS-1.0-RHEL-8

Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557

Comment 125 errata-xmlrpc 2024-03-28 20:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.4

Via RHSA-2024:1570 https://access.redhat.com/errata/RHSA-2024:1570

Comment 126 errata-xmlrpc 2024-04-25 15:15:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896

Comment 127 errata-xmlrpc 2024-04-25 15:50:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887

Comment 128 errata-xmlrpc 2024-04-26 12:38:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891

Comment 129 errata-xmlrpc 2024-05-02 16:37:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047