Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork948
Block insecure non-multi options in clone/clone_from#1609
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Byron merged 1 commit intogitpython-developers:mainfromBeuc:block-insecure-options-clone-non-multiJul 10, 2023
Merged
Block insecure non-multi options in clone/clone_from#1609
Byron merged 1 commit intogitpython-developers:mainfromBeuc:block-insecure-options-clone-non-multiJul 10, 2023
Uh oh!
There was an error while loading.Please reload this page.
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Thanks a million! I think it's sufficient to 'sample' only a couple of test as we know the fix is present for all clones, and I don't think that will change. I will see to create a new release shortly. |
Here is the new release:https://github.com/gitpython-developers/GitPython/releases/tag/3.1.32 |
Great! I reached out to Skyk to register another CVE for this additional fix. |
renovatebot referenced this pull request in allenporter/flux-localJul 12, 2023
[](https://renovatebot.com)This PR contains the following updates:| Package | Change | Age | Adoption | Passing | Confidence ||---|---|---|---|---|---|| [GitPython](https://togithub.com/gitpython-developers/GitPython) |`==3.1.31` -> `==3.1.32` |[](https://docs.renovatebot.com/merge-confidence/)|[](https://docs.renovatebot.com/merge-confidence/)|[](https://docs.renovatebot.com/merge-confidence/)|[](https://docs.renovatebot.com/merge-confidence/)|---### Release Notes<details><summary>gitpython-developers/GitPython (GitPython)</summary>###[`v3.1.32`](https://togithub.com/gitpython-developers/GitPython/releases/tag/3.1.32):- with another security update[CompareSource](https://togithub.com/gitpython-developers/GitPython/compare/3.1.31...3.1.32)#### What's Changed- Bump cygwin/cygwin-install-action from 3 to 4 by[@​dependabot](https://togithub.com/dependabot) in[https://github.com/gitpython-developers/GitPython/pull/1572](https://togithub.com/gitpython-developers/GitPython/pull/1572)- Fix up the commit trailers functionality by[@​itsluketwist](https://togithub.com/itsluketwist) in[https://github.com/gitpython-developers/GitPython/pull/1576](https://togithub.com/gitpython-developers/GitPython/pull/1576)- Name top-level exceptions as private variables by[@​Hawk777](https://togithub.com/Hawk777) in[https://github.com/gitpython-developers/GitPython/pull/1590](https://togithub.com/gitpython-developers/GitPython/pull/1590)- fix pypi long description by[@​eUgEntOptIc44](https://togithub.com/eUgEntOptIc44) in[https://github.com/gitpython-developers/GitPython/pull/1603](https://togithub.com/gitpython-developers/GitPython/pull/1603)- Don't rely on **del** by[@​r-darwish](https://togithub.com/r-darwish) in[https://github.com/gitpython-developers/GitPython/pull/1606](https://togithub.com/gitpython-developers/GitPython/pull/1606)- Block insecure non-multi options in clone/clone_from by[@​Beuc](https://togithub.com/Beuc) in[https://github.com/gitpython-developers/GitPython/pull/1609](https://togithub.com/gitpython-developers/GitPython/pull/1609)#### New Contributors- [@​Hawk777](https://togithub.com/Hawk777) made their firstcontribution in[https://github.com/gitpython-developers/GitPython/pull/1590](https://togithub.com/gitpython-developers/GitPython/pull/1590)- [@​eUgEntOptIc44](https://togithub.com/eUgEntOptIc44) made theirfirst contribution in[https://github.com/gitpython-developers/GitPython/pull/1603](https://togithub.com/gitpython-developers/GitPython/pull/1603)- [@​r-darwish](https://togithub.com/r-darwish) made their firstcontribution in[https://github.com/gitpython-developers/GitPython/pull/1606](https://togithub.com/gitpython-developers/GitPython/pull/1606)- [@​Beuc](https://togithub.com/Beuc) made their firstcontribution in[https://github.com/gitpython-developers/GitPython/pull/1609](https://togithub.com/gitpython-developers/GitPython/pull/1609)**Full Changelog**:gitpython-developers/GitPython@3.1.31...3.1.32</details>---### Configuration📅 **Schedule**: Branch creation - At any time (no schedule defined),Automerge - At any time (no schedule defined).🚦 **Automerge**: Enabled.♻ **Rebasing**: Whenever PR becomes conflicted, or you tick therebase/retry checkbox.🔕 **Ignore**: Close this PR and you won't be reminded about this updateagain.---- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, checkthis box---This PR has been generated by [MendRenovate](https://www.mend.io/free-developer-tools/renovate/). Viewrepository job log[here](https://developer.mend.io/github/allenporter/flux-local).<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi41LjMiLCJ1cGRhdGVkSW5WZXIiOiIzNi41LjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
%5d(https%3a%2f%2frenovatebot.com){kind=link}
Snyk didn't answer, so I eventually reached out to MITRE who assignedCVE-2023-40267 to this issue. |
otc-zuulbot pushed a commit to opentelekomcloud-infra/eyes_on_docs that referenced this pull requestAug 14, 2023
Bump gitpython from 3.1.31 to 3.1.32Bumps gitpython from 3.1.31 to 3.1.32.Release notesSourced from gitpython's releases.v3.1.32 - with another security updateWhat's ChangedBump cygwin/cygwin-install-action from 3 to 4 by @dependabot ingitpython-developers/GitPython#1572Fix up the commit trailers functionality by @itsluketwist ingitpython-developers/GitPython#1576Name top-level exceptions as private variables by @Hawk777 ingitpython-developers/GitPython#1590fix pypi long description by @eUgEntOptIc44 ingitpython-developers/GitPython#1603Don't rely on del by @r-darwish ingitpython-developers/GitPython#1606Block insecure non-multi options in clone/clone_from by @Beuc ingitpython-developers/GitPython#1609New Contributors@Hawk777 made their first contribution ingitpython-developers/GitPython#1590@eUgEntOptIc44 made their first contribution ingitpython-developers/GitPython#1603@r-darwish made their first contribution ingitpython-developers/GitPython#1606@Beuc made their first contribution ingitpython-developers/GitPython#1609Full Changelog: gitpython-developers/GitPython@3.1.31...3.1.32Commits5d45ce2 prepare 3.1.32 releaseca965ec Merge pull request #1609 from Beuc/block-insecure-options-clone-non-multi5c59e0d Block insecure non-multi options in clone/clone_fromc09a71e Merge pull request #1606 from r-darwish/no-dela3859ee fixes8186159 Don't rely on del741edb5 Merge pull request #1603 from eUgEntOptIc44/eugenoptic44-fix-pypi-long-descri...0c543cd Improve readability of README.md9cd7ddb Improve the 'long_description' displayed on pypi6fc11e6 update README to reflect the status quo on git command usageAdditional commits viewable in compare viewDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting@dependabot rebase.Dependabot commands and optionsYou can trigger Dependabot actions by commenting on this PR:@dependabot rebase will rebase this PR@dependabot recreate will recreate this PR, overwriting any edits that have been made to it@dependabot merge will merge this PR after your CI passes on it@dependabot squash and merge will squash and merge this PR after your CI passes on it@dependabot cancel merge will cancel a previously requested merge and block automerging@dependabot reopen will reopen this PR if it is closed@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.Reviewed-by: Vladimir Vshivkov
TheRealHaoLiu added a commit to TheRealHaoLiu/awx that referenced this pull requestAug 28, 2023
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blockedhttps://bugzilla.redhat.com/show_bug.cgi?id=2231474GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix forCVE-2022-24439.References:gitpython-developers/GitPython@ca965ecgitpython-developers/GitPython#1609
TheRealHaoLiu added a commit to ansible/awx that referenced this pull requestAug 28, 2023
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blockedhttps://bugzilla.redhat.com/show_bug.cgi?id=2231474GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix forCVE-2022-24439.References:gitpython-developers/GitPython@ca965ecgitpython-developers/GitPython#1609
djyasin pushed a commit to djyasin/awx that referenced this pull requestSep 16, 2024
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blockedhttps://bugzilla.redhat.com/show_bug.cgi?id=2231474GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix forCVE-2022-24439.References:gitpython-developers/GitPython@ca965ecgitpython-developers/GitPython#1609
djyasin pushed a commit to djyasin/awx that referenced this pull requestNov 11, 2024
CVE-2023-40267 GitPython: Insecure non-multi options in clone and clone_from is not blockedhttps://bugzilla.redhat.com/show_bug.cgi?id=2231474GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix forCVE-2022-24439.References:gitpython-developers/GitPython@ca965ecgitpython-developers/GitPython#1609
1 task
1 task
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
I'm part of the Debian LTS (Long Term Support) Team and I'm working on integrating the fix forCVE-2022-24439 for GitPython in Debian.
After contacting@Byron privately we determined that#1521 would need a follow-up fix, which I hereby propose in this PR.
I also modified 2 tests to validate the change, but I'm not sure if we want to double-check (multi/non-multi) all the currenttt clone/clone_from tests, so I didn't, but I can do so if necessary.