chore(deps): update rust crate libgit2-sys to v0.16.2 [security] #9
Conversation
|
|
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
PR Type: Enhancement
PR Summary: This pull request addresses critical security vulnerabilities in the libgit2-sys crate by updating it from version 0.16.1+1.7.1 to 0.16.2+1.7.2. The update includes fixes for issues that could potentially lead to Denial of Service, heap corruption, arbitrary code execution, and out-of-bounds read vulnerabilities. It ensures that the libgit2-sys crate now bundles or links to the secure version of the libgit2 library, version 1.7.2, mitigating the risks associated with the previously vulnerable versions.
Decision: Comment
📝 Type: 'Enhancement' - not supported yet.
- Sourcery currently only approves 'Typo fix' PRs.
✅ Issue addressed: this change correctly addresses the issue or implements the desired feature.
No details provided.
📝 Complexity: the changes are too large or complex for Sourcery to approve.
- Unsupported files: the diff contains files that Sourcery does not currently support during reviews.
General suggestions:
- Ensure thorough testing of the updated libgit2-sys crate in the context of your application to verify that the security fixes do not introduce any regressions or compatibility issues.
- Consider setting up automated dependency update tools, if not already in place, to promptly address future security vulnerabilities.
- Review the detailed release notes and vulnerability descriptions to understand the impact of the changes and any potential action required beyond the version update.
Thanks for using Sourcery. We offer it for free for open source projects and would be very grateful if you could help us grow. If you like it, would you consider sharing Sourcery on your favourite social media? ✨
renovate-bot
changed the title
This PR contains the following updates:
0.16.1+1.7.1->0.16.2GitHub Vulnerability Alerts
GHSA-22q8-ghmq-63vf
The libgit2 project fixed three security issues in the 1.7.2 release. These issues are:
git_revparse_singlefunction can potentially enter an infinite loop on a well-crafted input, potentially causing a Denial of Service. This function is exposed in thegit2crate via theRepository::revparse_singlemethod.git_index_addfunction may cause heap corruption and possibly lead to arbitrary code execution. This function is exposed in thegit2crate via theIndex::addmethod.The
libgit2-syscrate bundles libgit2, or optionally links to a system libgit2 library. In either case, versions of the libgit2 library less than 1.7.2 are vulnerable. The 0.16.2 release oflibgit2-sysbundles the fixed version of 1.7.2, and requires a system libgit2 version of at least 1.7.2.It is recommended that all users upgrade.
Release Notes
rust-lang/git2-rs (libgit2-sys)
v0.16.2Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.