Several security issues were fixed in go-git.
Software Description:
- golang-github-go-git-go-git: A highly extensible Git implementation in pure Go
Details:
Ionut Lalu discovered that go-git incorrectly handled certain specially
crafted Git server responses. An attacker could possibly use this issue to
cause a denial of service. (CVE-2023-49568, CVE-2025-21614)
Ionut Lalu discovered that go-git incorrectly handled file system paths
when using the ChrootOS implementation. A remote attacker could possibly
use this issue to perform a path traversal and create or modify arbitrary
files, leading to remote code execution. (CVE-2023-49569)
It was discovered that go-git did not properly sanitize arguments when
invoking git-upload-pack using the file transport protocol. An attacker
could possibly use this issue to inject arbitrary flag values when
interacting with local Git repositories. (CVE-2025-21613)
It was discovered that go-git did not properly verify integrity checks for
pack ...
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
- go-git 5.4.2-4ubuntu0.24.04.3+esm2 (Available with Ubuntu Pro)
- golang-github-go-git-go-git-dev 5.4.2-4ubuntu0.24.04.3+esm2 (Available with Ubuntu Pro)
Ubuntu 22.04 LTS
- go-git 5.4.2-3ubuntu0.1~esm1 (Available with Ubuntu Pro)
- golang-github-go-git-go-git-dev 5.4.2-3ubuntu0.1~esm1 (Available with Ubuntu Pro)
In general, a standard system update will make all the necessary changes.
https://ubuntu.com/security/notices/USN-8088-1
CVE-2023-49568, CVE-2023-49569, CVE-2025-21613, CVE-2025-21614,
CVE-2026-25934