
Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] - autoclosed #255

renovate[bot]
@renovate renovate bot commented Nov 20, 2022

Mend Renovate

This PR contains the following updates:

Package: github.com/hashicorp/go-getter
Change: v1.4.1 -> v1.7.0

GitHub Vulnerability Alerts

CVE-2022-29810

The Hashicorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.

CVE-2022-30322

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.

CVE-2022-30321

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.

CVE-2022-26945

HashiCorp go-getter before 2.0.2 allows Command Injection.

CVE-2022-30323

HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.

CVE-2023-0475

HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.


Release Notes

hashicorp/go-getter (github.com/hashicorp/go-getter)

v1.7.0

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.6.2...v1.7.0

v1.6.2

What's Changed

  • Fix no getter available for X-Terraform-Get source protocol when using bare github or bitbucket hostnames: #370

v1.6.1

v1.6.0

v1.5.11

What's Changed

New Contributors

Full Changelog: hashicorp/go-getter@v1.5.10...v1.5.11

v1.5.10

  • When fetching files from Google Cloud Storage, go-getter will now consider the GOOGLE_OAUTH_ACCESS_TOKEN environment variable as a potential source of a Google Cloud Platform access token. (#302)
  • Fixed a regression from v1.5.9 where git:: sources would no longer accept direct commit ids in the optional ref argument, and would instead only allow named refs from the remote. As a compromise, go-getter will now accept for ref anything that git checkout would accept as a valid tree selector, unless you also set depth to activate shallow clone mode, in which case ref must be a named ref due to requirements of the Git protocol in that case. (#345)

v1.5.9

Fix git shallow clone (depth parameter) for any ref. See #266

v1.5.8

v1.5.7

In 1.5.7, we moved to using signore, an internal tool, for GPG signing.

v1.5.6

v1.5.5

IMPROVEMENTS:

v1.5.4

IMPROVEMENTS:

FIXES:

  • Allow context cancellation of HTTP requests #321

NOTES:

  • This version requires Go 1.15+ and will no longer compile on older versions

v1.5.3

IMPROVEMENTS:

BUGFIXES:

v1.5.2

Bug fixes:

  • The goreleaser release pipeline that was created and used for the 1.5.1 release was missing the GOPRIVATE env var being set, which caused private modules to be skipped. This release contains the same code as 1.5.1, but with GOPRIVATE set to github.com/hashicorp.

v1.5.1

Enhancements:

  • Adds support for vhost-style S3 buckets (#283)

v1.5.0

v1.4.2

Improvement:

  • Expose a Umask option to mask file permissions when storing local files or decompressing an archive. Helpful for clearing setuid or other sensitive bits.
  • feat(detector): provide a detector for repositories hosted on GitLab.com
  • Use default AWS credential chain under normal circumstances

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.
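The advisories above (path traversal and symlink processing in CVE-2022-30322, decompression bombs in CVE-2023-0475) and the v1.4.2 Umask option for clearing setuid bits describe the checks any code that unpacks downloaded archives needs. The extractor below is an added example written for this page, not go-getter's own code; the function name ExtractTar, the error sentinels and the byte-budget parameter are my own, and it assumes a plain tar stream (wrap a gzip.Reader around it for .tar.gz).

```go
package main
import (
	"archive/tar"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)
var ErrTraversal = errors.New("entry escapes destination")
var ErrTooLarge = errors.New("output exceeds byte budget")
var ErrUnsafeType = errors.New("symlink or special entry refused")
// ExtractTar unpacks a tar stream (pass a gzip.Reader for .tar.gz) under dst. umask is cleared from
// every member's mode (os.ModeSetuid|os.ModeSetgid|0o022 strips setuid/setgid), maxBytes caps total
// output whatever the headers claim, and members that escape dst or are not plain files are refused.
func ExtractTar(r io.Reader, dst string, umask os.FileMode, maxBytes int64) error {
	tr, written := tar.NewReader(r), int64(0)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target := filepath.Join(dst, hdr.Name) // Join cleans ".."; Rel proves containment
		if rel, err := filepath.Rel(dst, target); err != nil || rel == ".." ||
			strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
			return ErrTraversal
		}
		if hdr.Typeflag == tar.TypeDir {
			continue // parents are created on demand below; empty directories are dropped
		} else if hdr.Typeflag != tar.TypeReg {
			return ErrUnsafeType // symlinks, hard links and devices are never followed
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, hdr.FileInfo().Mode()&^umask)
		if err != nil {
			return err
		}
		n, err := io.Copy(f, io.LimitReader(tr, maxBytes-written+1)) // one byte over budget exposes a bomb
		f.Close()
		if written += n; err != nil {
			return err
		} else if written > maxBytes {
			return ErrTooLarge
		}
	}
}
```

The budget is enforced on bytes actually written, not on the Size field of each header, which is what makes it hold for a gzip stream that expands far beyond what its headers admit.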

@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/go-getter-vulnerability branch from 98675e4 to 6191d16 on March 18, 2023 04:15
@renovate renovate bot changed the title Update module github.com/hashicorp/go-getter to v1.6.1 [SECURITY] Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] Mar 18, 2023
@renovate renovate bot changed the title Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] - autoclosed Sep 7, 2023
@renovate renovate bot closed this Sep 7, 2023
@renovate renovate bot deleted the renovate/go-github.com/hashicorp/go-getter-vulnerability branch September 7, 2023 09:43
@renovate renovate bot changed the title Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] - autoclosed Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] Sep 7, 2023
@renovate renovate bot reopened this Sep 7, 2023
@renovate renovate bot restored the renovate/go-github.com/hashicorp/go-getter-vulnerability branch September 7, 2023 12:02
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/go-getter-vulnerability branch from 6191d16 to 4c0fb89 on September 7, 2023 12:04
@renovate renovate bot changed the title Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] - autoclosed May 16, 2024
@renovate renovate bot closed this May 16, 2024
@renovate renovate bot deleted the renovate/go-github.com/hashicorp/go-getter-vulnerability branch May 16, 2024 00:38