A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worst-case scenario, remote code execution could be achieved. Applications are only affected if they are using ChrootOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS), which is the default when using the "Plain" versions of the Open and Clone functions (e.g. PlainClone). Applications using BoundOS (https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS) or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git CLI. References: https://github.com/go-git/go-git/security/advisories/GHSA-449p-3h89-pw88
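The advisory describes the bug class (a root-confined, chroot-style filesystem that lets a name resolve outside its root) without reproducing go-git's code, and the fix it recommends is to upgrade or to switch to BoundOS or an in-memory filesystem. As an added, stand-alone illustration of what such a confinement check has to do, the Go program below (not go-git's or go-billy's code, and not a reproduction of the actual defect) contrasts a naive join with a ConfinedJoin that rejects names escaping the root both lexically and through symlinks. The root, file names and ErrOutsideRoot value are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a name would resolve outside the root.
var ErrOutsideRoot = errors.New("path escapes the filesystem root")

// NaiveJoin shows the class of mistake a root-confined ("chroot"-style)
// filesystem must avoid: joining root and name without checking that the
// result still lies under root. filepath.Join cleans the path, so a name
// carrying ".." segments walks straight out of root. Illustrative only;
// this is not go-git's or go-billy's code.
func NaiveJoin(root, name string) string {
	return filepath.Join(root, name)
}

// isWithin reports whether p is root itself or lies beneath it, lexically.
func isWithin(root, p string) bool {
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return false
	}
	sep := string(filepath.Separator)
	return rel != ".." && !strings.HasPrefix(rel, ".."+sep)
}

// resolveExisting follows symlinks in the longest existing prefix of p and
// re-attaches the not-yet-existing tail, so that a file about to be created
// through a symlinked directory is judged by where it would really land.
func resolveExisting(p string) (string, error) {
	cur, rest := p, ""
	for {
		if _, err := os.Lstat(cur); err == nil {
			real, err := filepath.EvalSymlinks(cur)
			if err != nil {
				return "", err
			}
			return filepath.Join(real, rest), nil
		} else if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		parent := filepath.Dir(cur)
		if parent == cur {
			return "", fmt.Errorf("no existing ancestor for %q", p)
		}
		rest = filepath.Join(filepath.Base(cur), rest)
		cur = parent
	}
}

// ConfinedJoin resolves name relative to root and refuses any result that
// would leave root, both lexically and after symlink resolution. Absolute
// names are treated as relative to root, as a chroot would. root must exist.
func ConfinedJoin(root, name string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(absRoot, name)
	if !isWithin(absRoot, candidate) {
		return "", ErrOutsideRoot
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	realCandidate, err := resolveExisting(candidate)
	if err != nil {
		return "", err
	}
	if !isWithin(realRoot, realCandidate) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

func main() {
	// Constructed sample root; the names below are made up for the demo.
	root, err := os.MkdirTemp("", "confined-root-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	for _, name := range []string{"objects/pack/p.idx", "../../etc/passwd", "/etc/passwd"} {
		p, err := ConfinedJoin(root, name)
		fmt.Printf("name=%q naive=%q confined=%q err=%v\n", name, NaiveJoin(root, name), p, err)
	}
}
```

The lexical check alone is not enough: a directory inside the root that is a symlink to somewhere outside passes filepath.Rel but lands the write elsewhere, which is why resolveExisting is applied to the longest existing prefix before the second containment check. Running the program prints the naive result escaping to /etc/passwd for the dot-dot name while ConfinedJoin returns ErrOutsideRoot for it.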
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.9 for RHEL 8 Via RHSA-2024:0298 https://access.redhat.com/errata/RHSA-2024:0298
The same vulnerability needs to be fixed in the OSE package also: the registry.redhat.io/openshift4/ose-operator-registry container image. The image is picked from "registry.redhat.io/openshift4/ose-operator-registry:v4.14.0". It is blocking the security release.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0641 https://access.redhat.com/errata/RHSA-2024:0641
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0642 https://access.redhat.com/errata/RHSA-2024:0642
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.7 for RHEL 8 Via RHSA-2024:0729 https://access.redhat.com/errata/RHSA-2024:0729
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:0735 https://access.redhat.com/errata/RHSA-2024:0735
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0740 https://access.redhat.com/errata/RHSA-2024:0740
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.8 for RHEL 8 Via RHSA-2024:0820 https://access.redhat.com/errata/RHSA-2024:0820
This issue has been addressed in the following products: RHOSS-1.31-RHEL-8 Via RHSA-2024:0843 https://access.redhat.com/errata/RHSA-2024:0843
This issue has been addressed in the following products: Openshift Serverless 1 on RHEL 8 Via RHSA-2024:0880 https://access.redhat.com/errata/RHSA-2024:0880
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:0832 https://access.redhat.com/errata/RHSA-2024:0832
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:0845 https://access.redhat.com/errata/RHSA-2024:0845
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:0833 https://access.redhat.com/errata/RHSA-2024:0833
This issue has been addressed in the following products: multicluster-globalhub 1.0 for RHEL 8 Via RHSA-2024:0989 https://access.redhat.com/errata/RHSA-2024:0989
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7197 https://access.redhat.com/errata/RHSA-2023:7197
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2023:7198 https://access.redhat.com/errata/RHSA-2023:7198
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:1052 https://access.redhat.com/errata/RHSA-2024:1052
Created grafana tracking bugs for this issue: Affects: fedora-39 [bug 2259834]
Created pack tracking bugs for this issue: Affects: fedora-39 [bug 2259835]
Created golang-github-git-5 tracking bugs for this issue: Affects: fedora-39 [bug 2259832]
Created golang-github-hashicorp-hc-install tracking bugs for this issue: Affects: fedora-39 [bug 2259833]
Created golang-github-hashicorp-hc-install tracking bugs for this issue: Affects: fedora-38 [bug 2259828]
Created pack tracking bugs for this issue: Affects: fedora-38 [bug 2259830]
Created grafana tracking bugs for this issue: Affects: fedora-38 [bug 2259829]
Created cri-o tracking bugs for this issue: Affects: fedora-39 [bug 2259831]
Created cri-o:1.27/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259826]
Created cri-o:1.25/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259822]
Created cri-o:1.26/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259824]
Created golang-github-git-5 tracking bugs for this issue: Affects: fedora-38 [bug 2259827]
Created cri-o:1.23/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259818]
Created cri-o:1.24/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259820]
Created cri-o:1.22/cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259816]
Created cri-o tracking bugs for this issue: Affects: fedora-38 [bug 2259814]
Created pack tracking bugs for this issue: Affects: epel-8 [bug 2259812]
Created cri-o:1.21/cri-o tracking bugs for this issue: Affects: epel-8 [bug 2259810]
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.10 Via RHSA-2024:0692 https://access.redhat.com/errata/RHSA-2024:0692
This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.3 Via RHSA-2024:1549 https://access.redhat.com/errata/RHSA-2024:1549
This issue has been addressed in the following products: OPENSHIFT-BUILDS-1.0-RHEL-8 Via RHSA-2024:1557 https://access.redhat.com/errata/RHSA-2024:1557
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2024:1896 https://access.redhat.com/errata/RHSA-2024:1896
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:1891 https://access.redhat.com/errata/RHSA-2024:1891
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2024:2631 https://access.redhat.com/errata/RHSA-2024:2631
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047
This issue has been addressed in the following products: Red Hat Ceph Storage 7.1 Via RHSA-2024:3925 https://access.redhat.com/errata/RHSA-2024:3925
This issue has been addressed in the following products: Red Hat Ceph Storage 5.3 Via RHSA-2024:4118 https://access.redhat.com/errata/RHSA-2024:4118
Adding a public comment to show this issue has been fixed within these errata for OCP 4.16.0 after correcting missing CVE names in the original errata: https://access.redhat.com/errata/RHSA-2024:0040 https://access.redhat.com/errata/RHSA-2024:0041
This issue has been addressed in the following products: OPENSHIFT-BUILDS-1.1-RHEL-8 Via RHSA-2024:6221 https://access.redhat.com/errata/RHSA-2024:6221
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:8425 https://access.redhat.com/errata/RHSA-2024:8425