Update module github.com/hashicorp/go-getter to v1.7.0 [SECURITY] - autoclosed #255
This PR contains the following updates: github.com/hashicorp/go-getter v1.4.1 -> v1.7.0
GitHub Vulnerability Alerts
CVE-2022-29810: The HashiCorp go-getter library before 1.5.11 could write SSH credentials into its logfile, exposing sensitive credentials to local users able to read the logfile.
CVE-2022-30322: HashiCorp go-getter through 2.0.2 does not safely perform downloads. Arbitrary host access was possible via go-getter path traversal, symlink processing, and command injection flaws.
CVE-2022-30321: HashiCorp go-getter through 2.0.2 does not safely perform downloads. Protocol switching, endless redirect, and configuration bypass were possible via abuse of custom HTTP response header processing.
CVE-2022-26945: HashiCorp go-getter before 2.0.2 allows Command Injection.
CVE-2022-30323: HashiCorp go-getter through 2.0.2 does not safely perform downloads. Asymmetric resource exhaustion could occur when go-getter processed malicious HTTP responses.
CVE-2023-0475: HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
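CVE-2023-0475 above is the headline fix in v1.7.0: an archive that is tiny on the wire but inflates to gigabytes can exhaust disk or memory on the host that fetches it. The defence is to enforce a byte budget while streaming the inflated data, rather than trusting any size field in the archive. The Go program below is an added illustration written for this page; it is not go-getter's own code and does not reproduce how the library implements its limit (go-getter's decompressor settings are not shown here). The function name gunzipLimited, the budget value and the sample inputs are all constructed for the example.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressionLimit is returned when inflating the input would exceed
// the caller's byte budget.
var ErrDecompressionLimit = errors.New("decompressed size exceeds limit")

// gunzipLimited inflates a gzip stream but stops as soon as more than
// limit bytes would be produced, so a small input that inflates to
// gigabytes cannot exhaust memory or disk. The budget is enforced on the
// bytes actually produced, not on any size recorded in the archive.
// (Illustrative helper, not a go-getter API.)
func gunzipLimited(src []byte, limit int64) ([]byte, error) {
	zr, err := gzip.NewReader(bytes.NewReader(src))
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	var out bytes.Buffer
	// Ask for one byte more than the budget: if that extra byte arrives,
	// the stream is over the limit and we abort without reading the rest.
	n, err := io.CopyN(&out, zr, limit+1)
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, err // corrupt or truncated stream
	}
	if n > limit {
		return nil, ErrDecompressionLimit
	}
	return out.Bytes(), nil
}

// gzipBytes compresses payload; used only to construct sample inputs here.
func gzipBytes(payload []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	if _, err := zw.Write(payload); err != nil {
		panic(err)
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	// Constructed samples: a normal small file, and a "bomb" of 8 MiB of
	// zeros, which gzip shrinks to a few KiB on the wire.
	small := gzipBytes([]byte("hello, go-getter"))
	bomb := gzipBytes(bytes.Repeat([]byte{0}, 8<<20))
	const budget = 1 << 20 // 1 MiB of inflated output allowed

	out, err := gunzipLimited(small, budget)
	fmt.Printf("small: %d bytes compressed -> %d bytes inflated, err=%v\n", len(small), len(out), err)

	_, err = gunzipLimited(bomb, budget)
	fmt.Printf("bomb: %d bytes compressed -> rejected: %v\n", len(bomb), err)
}
```

The same pattern applies to any decompressor reader (zip entries, tar members, zstd, xz): wrap the inflating reader so the consumer counts output bytes and fails closed at the budget. A budget that is one byte too generous is the usual mistake, which is why the check reads limit+1 bytes and compares the count afterwards instead of truncating silently.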
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
v1.7.0
Compare Source
What's Changed
New Contributors
Full Changelog: hashicorp/go-getter@v1.6.2...v1.7.0
v1.6.2
Compare Source
What's Changed
"no getter available for X-Terraform-Get source protocol" when using bare github or bitbucket hostnames: #370
v1.6.1
Compare Source
v1.6.0
Compare Source
v1.5.11
Compare Source
What's Changed
New Contributors
Full Changelog: hashicorp/go-getter@v1.5.10...v1.5.11
v1.5.10
Compare Source
GOOGLE_OAUTH_ACCESS_TOKEN environment variable as a potential source of a Google Cloud Platform access token. (#302)
git:: sources would no longer accept direct commit ids in the optional ref argument, and would instead only allow named refs from the remote. As a compromise, go-getter will now accept for ref anything that git checkout would accept as a valid tree selector, unless you also set depth to activate shallow clone mode, in which case ref must be a named ref due to requirements of the Git protocol. (#345)
v1.5.9
Compare Source
Fix git shallow clone (depth parameter) for any ref. See #266
v1.5.8
Compare Source
v1.5.7
Compare Source
In 1.5.7, we moved to using signore, an internal tool, for GPG signing.
v1.5.6
Compare Source
v1.5.5
Compare Source
IMPROVEMENTS:
v1.5.4
Compare Source
IMPROVEMENTS:
FIXES:
NOTES:
v1.5.3
Compare Source
IMPROVEMENTS:
BUGFIXES:
v1.5.2
Compare Source
Bug fixes:
v1.5.1
Compare Source
Enhancements:
v1.5.0
Compare Source
aws_profile query parameter 261
v1.4.2
Compare Source
Improvement:
setuid or other sensitive bits.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.