security: CVE-2023-49569 - go-git/v5

[cmontemuino]

We've observed (Trivy scan) ghcr.io/dexidp/dex:v2.37.0 includes critical vulnerability CVE-2023-4956 in package github.com/go-git/go-git/v5.

• GHSA-449p-3h89-pw88
• https://nvd.nist.gov/vuln/detail/CVE-2023-4956

The vulnerability does not come from dex binary, but gotemplate. I've filed an issue in their repo and proposed a fix: hairyhenderson/gomplate#1960

When it's accepted and released, then a new version of dexidp/dex might be created.

Note: it makes all images that depend on dexidp/dex contain that critical vulnerability.

[nabokihms]

Thanks for mentioning it, @cmontemuino. 👍

[cmontemuino]

@nabokihms according to gotemplate's maintainer, the reported vulnerability is not applicable, so this issue might be closed:

This particular vulnerability is not applicable to gomplate's use of go-git, as gomplate only uses the in-memory filesystem when communicating with remote git servers:

Applications using BoundOS or in-memory filesystems are not affected by this issue.

hairyhenderson/gomplate#1960 (comment)

[dlukasiewicz]

Hey, seems like the issue on go is already closed, pull request is merged. Can You guys release new version with this package fixed?
"When it's accepted and released, then a new version of dexidp/dex might be created." i can still see that v2.37.0 is the newest one

Best Regards :) @cmontemuino @nabokihms

[nabokihms]

Opened a PR #3293