Request to have new release due to the security issue CVE-2020-29652 #4765

Closed
LinuxSuRen opened this issue Dec 7, 2021 · 3 comments

@LinuxSuRen

Describe the issue

I've scanned the Jenkins container image jenkins/jenkins:2.319.1, which contains git-lfs/3.0.2. This version has a security issue, CVE-2020-29652.

So, I'm wondering if the git-lfs community could create a new release, for instance git-lfs 3.0.3.

usr/local/bin/git-lfs (gobinary)
================================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY |         INSTALLED VERSION          |           FIXED VERSION            |                 TITLE                 |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+
| golang.org/x/crypto | CVE-2020-29652   | HIGH     | v0.0.0-20201112155050-0c6587e931a9 | v0.0.0-20201216223049-8b5274cf687f | golang: crypto/ssh: crafted           |
|                     |                  |          |                                    |                                    | authentication request can            |
|                     |                  |          |                                    |                                    | lead to nil pointer dereference       |
|                     |                  |          |                                    |                                    | -->avd.aquasec.com/nvd/cve-2020-29652 |
+---------------------+------------------+----------+------------------------------------+------------------------------------+---------------------------------------+

System environment
None.

Output of git lfs env
None.

Additional context
None

@KalleOlaviNiemitalo

According to #4734 and #4738, CVE-2020-29652 does not really apply to the Git LFS client, which does not use the vulnerable part of the library. Even if it did, a nil pointer dereference would not be very serious in client-side code because any party able to trigger it would also be able to make the client fail in other ways. So this is only about getting rid of a security scanner warning.
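As an added illustration of the distinction drawn in this comment (a scanner matching a module version versus the binary actually using the vulnerable package), here is a small Python check that is not part of this thread or of the git-lfs project. It parses the module list a Go binary embeds (the `go version -m` format), orders the installed pseudo-version against the fixed version from the scanner table above, and only then looks for symbols of the vulnerable package (golang.org/x/crypto/ssh) in `go tool nm` style output, so a dependency that is merely listed is reported separately from one that is actually linked. Both inputs are constructed samples; on a real binary they come from those two commands.

```python
import re
# Constructed samples, not captured from the Jenkins image: `go version -m`
# output with the versions from the scanner table above, and `go tool nm`
# style symbols. Go version, addresses and the "h1:" sum are placeholders.
SAMPLE_GO_VERSION_M = """\
usr/local/bin/git-lfs: go1.17.0
\tdep\tgolang.org/x/crypto\tv0.0.0-20201112155050-0c6587e931a9\th1:PLACEHOLDER=
"""
SAMPLE_NM = """\
  4a0000 T golang.org/x/crypto/ed25519.Verify
  4a0100 T golang.org/x/crypto/ssh/terminal.IsTerminal
  4a0200 T main.main
"""
FIXED = "v0.0.0-20201216223049-8b5274cf687f"  # fixed version from the table
# Release vX.Y.Z, or pseudo-version vX.Y.Z-[pre.0.]yyyymmddhhmmss-abcdefabcdef
VER_RE = re.compile(r"^v(\d+)\.(\d+)\.(\d+)(?:-.*?(\d{14})-[0-9a-f]{12})?$")

def version_key(v):
    """Pseudo-version = pre-release of its base version, ordered by commit time."""
    m = VER_RE.match(v)
    if not m:
        raise ValueError(f"unsupported Go module version: {v}")
    major, minor, patch, ts = m.groups()
    return (int(major), int(minor), int(patch), 1 if ts is None else 0, int(ts or 0))

def parse_go_version_m(text):
    """{module: version}; a `=>` line overrides the dep with its replacement."""
    deps, last = {}, None
    for line in text.splitlines():
        fields = line.split("\t")[1:] if line.startswith("\t") else []
        if len(fields) >= 3 and fields[0] == "dep":
            last = fields[1]
            deps[last] = fields[2]
        elif len(fields) >= 3 and fields[0] == "=>" and last:
            deps[last] = fields[2]
    return deps

def linked_symbols(nm_output, pkg):
    """Symbols of exactly package pkg; .../ssh/terminal is not .../ssh."""
    names = (ln.split()[-1] for ln in nm_output.splitlines() if ln.split())
    return sorted(n for n in names if n.startswith(pkg + "."))

def assess(go_version_m, nm_output, module, fixed, vulnerable_pkg):
    """'absent', 'fixed', 'linked' or 'version-only' for one advisory."""
    installed = parse_go_version_m(go_version_m).get(module)
    if installed is None:
        return "absent"
    if version_key(installed) >= version_key(fixed):
        return "fixed"
    return "linked" if linked_symbols(nm_output, vulnerable_pkg) else "version-only"
```

A "version-only" result is exactly the case discussed here: the advisory's module version is present, but nothing from the package it concerns is linked, so the finding is a scanner warning rather than a reachable defect.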

@LinuxSuRen
Author

@KalleOlaviNiemitalo thanks for your response.

@bk2204
Member

bk2204 commented Dec 7, 2021

Hey,

Since this doesn't actually introduce a security vulnerability (we definitely don't use Go's SSH library), we won't be doing a new release until 3.1.0 (or sooner if there's a security or critical bugfix release). We expect to do that in mid-January. I'm quite busy the next two weeks and then I expect the core team to be on vacation toward the end of the year, so the possibility of doing something other than an urgent release is just not very good.

If this is important to you, you can build from main or cherry-pick the commit.

Sorry for the bad news.
