Thursday, March 12, 2026

[USN-8088-1] go-git vulnerabilities

==========================================================================
Ubuntu Security Notice USN-8088-1
March 12, 2026

golang-github-go-git-go-git vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in go-git.

Software Description:
- golang-github-go-git-go-git: A highly extensible Git implementation in pure Go

Details:

Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)

Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)

It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with local Git repositories. (CVE-2025-21613)

It was discovered that go-git did not properly verify integrity checks for
pack and index files. An attacker could possibly use this issue to cause
go-git to process corrupted repository data, resulting in unexpected errors
or an incorrect repository state. (CVE-2026-25934)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
go-git 5.4.2-4ubuntu0.24.04.3+esm2
Available with Ubuntu Pro
golang-github-go-git-go-git-dev 5.4.2-4ubuntu0.24.04.3+esm2
Available with Ubuntu Pro

Ubuntu 22.04 LTS
go-git 5.4.2-3ubuntu0.1~esm1
Available with Ubuntu Pro
golang-github-go-git-go-git-dev 5.4.2-3ubuntu0.1~esm1
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.
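The fixed versions above are what a defender actually checks against. As an added example that is not part of the notice, the following reimplements dpkg's version-comparison rules (epoch, upstream, revision, with `~` sorting before the end of a string) and applies them to constructed `dpkg-query` output to flag go-git packages still below the versions listed for this USN; the `SAMPLE` lines and the `outdated` helper are assumptions of this example, not Ubuntu tooling.

```python
# Added example (not part of the USN): a dpkg-style version comparator used to
# check installed go-git packages against the fixed versions in USN-8088-1.
# The dpkg-query output near the bottom is constructed, not taken from a real host.
import re
from itertools import zip_longest

def _order(c):  # dpkg character weight: '~' < end of string < letters < other symbols
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_fragment(a, b):  # dpkg verrevcmp: non-digit runs lexical (weighted), digit runs numeric
    tokens = lambda s: re.findall(r"(\D*)(\d*)", s)  # alternating (non-digit, digit) pairs
    for (sa, na), (sb, nb) in zip_longest(tokens(a), tokens(b), fillvalue=("", "")):
        ka = [_order(c) for c in sa] + [0]  # trailing 0 stands for end of string
        kb = [_order(c) for c in sb] + [0]
        if ka != kb:
            return -1 if ka < kb else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(a, b):  # <0, 0, >0 like `dpkg --compare-versions`
    def split(v):  # [epoch:]upstream[-revision]; the last '-' starts the revision
        epoch, sep, rest = v.partition(":")
        epoch, rest = (epoch, rest) if sep else ("0", v)
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

# Fixed versions exactly as listed in the notice, keyed by Ubuntu release.
FIXED = {"24.04": "5.4.2-4ubuntu0.24.04.3+esm2", "22.04": "5.4.2-3ubuntu0.1~esm1"}
PACKAGES = {"go-git", "golang-github-go-git-go-git-dev"}

def outdated(release, dpkg_output):
    # dpkg_output: lines from `dpkg-query -W -f='${Package} ${Version}\n'`
    result = []
    for line in dpkg_output.splitlines():
        pkg, _, ver = line.strip().partition(" ")
        if pkg in PACKAGES and compare_versions(ver, FIXED[release]) < 0:
            result.append((pkg, ver))
    return result

# Constructed sample: go-git is patched, the -dev package is still on the pre-ESM build.
SAMPLE = "go-git 5.4.2-3ubuntu0.1~esm1\ngolang-github-go-git-go-git-dev 5.4.2-3\n"
print(outdated("22.04", SAMPLE))  # → [('golang-github-go-git-go-git-dev', '5.4.2-3')]
```

Note that `5.4.2-3ubuntu0.1~esm1` sorts below `5.4.2-3ubuntu0.1`, so a host that reports the plain `5.4.2-3` build, or one without the ESM suffix on 24.04, is still unpatched.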

References:
https://ubuntu.com/security/notices/USN-8088-1
CVE-2023-49568, CVE-2023-49569, CVE-2025-21613, CVE-2025-21614,
CVE-2026-25934
