Update module github.com/cli/cli/v2 to v2.63.0 [SECURITY] #31
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate
bot
force-pushed
the
renovate/go-github.com-cli-cli-v2-vulnerability
branch
from
f6bf2b2
to
66fddfe
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.47.0->v2.63.0GitHub Vulnerability Alerts
CVE-2024-52308
Summary
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the
gh codespace sshorgh codespace logscommands.Details
The vulnerability stems from the way GitHub CLI handles SSH connection details when executing commands. When developers connect to remote Codespaces, they typically use a SSH server running within a devcontainer, often provided through the default devcontainer image. GitHub CLI retrieves SSH connection details, such as remote username, which is used in executing
sshcommands forgh codespace sshorgh codespace logscommands.This exploit occurs when a malicious third-party devcontainer contains a modified SSH server that injects
ssharguments within the SSH connection details.gh codespace sshandgh codespace logscommands could execute arbitrary code on the user's workstation if the remote username contains something like-oProxyCommand="echo hacked" #. The-oProxyCommandflag causessshto execute the provided command while#shell comment causes any otherssharguments to be ignored.In
2.62.0, the remote username information is being validated before being used.Impact
Successful exploitation could lead to arbitrary code execution on the user's workstation, potentially compromising the user's data and system.
Remediation and Mitigation
ghto2.62.0CVE-2024-53858
Summary
A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing
gitsubmodules hosted outside of GitHub.com and ghe.com.Details
This vulnerability stems from several
ghcommands used to clone a repository with submodules from a non-GitHub host includinggh repo clone,gh repo fork,gh pr checkout. These GitHub CLI commands invokegitwith instructions to retrieve authentication tokens using thecredential.helperconfiguration variable for any host encountered.Prior to
2.63.0, hosts other than GitHub.com and ghe.com are treated as GitHub Enterprise Server hosts and have tokens sourced from the following environment variables before falling back to host-specific tokens stored within system-specific secured storage:GITHUB_ENTERPRISE_TOKENGH_ENTERPRISE_TOKENGITHUB_TOKENwhenCODESPACESenvironment variable is setThe result being
gitsending authentication tokens when cloning submodules.In
2.63.0, these GitHub CLI commands will limit the hosts for whichghacts as a credential helper to source authentication tokens. Additionally,GITHUB_TOKENwill only be used for GitHub.com and ghe.com.Impact
Successful exploitation could lead to a third-party using leaked authentication tokens to access privileged resources.
Remediation and mitigation
ghto2.63.0Release Notes
cli/cli (github.com/cli/cli/v2)
v2.63.0: GitHub CLI 2.63.0Compare Source
What's Changed
getAttestationsfunctions by @malancas in https://github.com/cli/cli/pull/9892baseRefOidinpr viewby @daliusd in https://github.com/cli/cli/pull/9938heredocstrings by @BagToad in https://github.com/cli/cli/pull/9948release createfails due to missingworkflowOAuth scope by @BagToad in https://github.com/cli/cli/pull/9791Full Changelog: cli/cli@v2.62.0...v2.63.0
Security
A security vulnerability has been identified in the GitHub CLI that could leak authentication tokens when cloning repositories containing git submodules hosted outside of GitHub.com and ghe.com.
For more information, see GHSA-jwcm-9g39-pmcw
New Contributors
v2.62.0: GitHub CLI 2.62.0Compare Source
What's Changed
Full Changelog: cli/cli@v2.61.0...v2.62.0
Security
A security vulnerability has been identified in GitHub CLI that could allow remote code execution (RCE) when users connect to a malicious Codespace SSH server and use the
gh codespace sshorgh codespace logscommands.For more information, see GHSA-p2h2-3vg9-4p87
GitHub CLI notifies users about latest extension upgrades
Similar to the notification of latest
ghreleases, thev2.62.0version of GitHub CLI will notify users about latest extension upgrades when the extension is used:Why does this matter?
This removes a common pain point of extension authors as they have had to reverse engineer and implement a similar mechanism within their extensions directly.
With this quality of life improvement, there are 2 big benefits:
What do you need to do?
Extension authors should review their extensions and consider removing any custom logic previously implemented to notify users of new releases.
v2.61.0: GitHub CLI 2.61.0Compare Source
Ensure users understand consequences before making repository visibility changes
In
v2.61.0,gh repo editcommand has been enhanced to inform users about consequences of changing visibility and ensure users are intentional before making irreversible changes:gh repo editvisibility change requires confirmation when changing frompublic,private, orinternalgh repo edit --visibilitychange requires new--accept-visibility-change-consequencesflag to confirmgh repo editexperienceWhat's Changed
projectcommand by @jtmcg in https://github.com/cli/cli/pull/9816gh rulesetby @andyfeller in https://github.com/cli/cli/pull/9815gh repo editby @andyfeller in https://github.com/cli/cli/pull/9845gh attestation verifyby @malancas in https://github.com/cli/cli/pull/9838gh attestation verifyshould only verify provenance attestations by default by @malancas in https://github.com/cli/cli/pull/9825dnf5commands as default by @its-miroma in https://github.com/cli/cli/pull/9844gh attestation verifypolicy enforcement refactor by @malancas in https://github.com/cli/cli/pull/9848gh attestation verifyby @malancas in https://github.com/cli/cli/pull/9877gh cache listwhen--jsonis provided by @williammartin in https://github.com/cli/cli/pull/9883gh pr create -wignore template flag by @nilvng in https://github.com/cli/cli/pull/9863New Contributors
Full Changelog: cli/cli@v2.60.1...v2.61.0
v2.60.1: GitHub CLI 2.60.1Compare Source
This is a small patch release to fix installing
ghviago installwhich was broken with v2.60.0.What's Changed
Full Changelog: cli/cli@v2.60.0...v2.60.1
v2.60.0: GitHub CLI 2.60.0Compare Source
What's Changed
LiveSigstoreVerifier.Verifyshould error if no attestations are present by @phillmv in https://github.com/cli/cli/pull/9742gh at verifyretries fetching attestations if it receives a 5xx by @phillmv in https://github.com/cli/cli/pull/9797working-with-us.mdby @BagToad in https://github.com/cli/cli/pull/9800ghis supported on GitHub Enterprise Cloud by @BagToad in https://github.com/cli/cli/pull/9805Acceptance Test Changes
workflow,run, andcachecommands by @BagToad in https://github.com/cli/cli/pull/9766apiacceptance tests by @BagToad in https://github.com/cli/cli/pull/9770releasecommands by @BagToad in https://github.com/cli/cli/pull/9771organdssh-keycommands by @BagToad in https://github.com/cli/cli/pull/9812gh authcommands by @jtmcg in https://github.com/cli/cli/pull/9787repocommands by @jtmcg in https://github.com/cli/cli/pull/9783searchcommand by @BagToad in https://github.com/cli/cli/pull/9786variablecommands by @andyfeller in https://github.com/cli/cli/pull/978secretcommands by @andyfeller in https://github.com/cli/cli/pull/9782New Contributors
Full Changelog: cli/cli@v2.59.0...v2.60.0
v2.59.0: GitHub CLI 2.59.0Compare Source
What's Changed
SECURITY.mdwith expectations for privately reported vulnerabilities by @BagToad in https://github.com/cli/cli/pull/9687darwin-amd64binary on an Apple Silicon macOS device by @timrogers in https://github.com/cli/cli/pull/9650repo license list/viewandrepo gitignore list/viewby @BagToad in https://github.com/cli/cli/pull/9721GH_ACCEPTANCE_SCRIPTenv var to target a single script by @williammartin in https://github.com/cli/cli/pull/9756issuecommand by @williammartin in https://github.com/cli/cli/pull/9757gist listby @heaths in https://github.com/cli/cli/pull/9728New Contributors
Full Changelog: cli/cli@v2.58.0...v2.59.0
v2.58.0: GitHub CLI 2.58.0Compare Source
What's Changed
attestation verifycustom issuer mismatch error by @bdehamer in https://github.com/cli/cli/pull/9616attestation trusted-rootcommand by @BagToad in https://github.com/cli/cli/pull/9635attestation trusted-rootcommand by @bdehamer in https://github.com/cli/cli/pull/9610trusted-rootcommand by @bdehamer in https://github.com/cli/cli/pull/9638dnf5instructions todocs/install_linux.mdby @its-miroma in https://github.com/cli/cli/pull/9660New Contributors
Full Changelog: cli/cli@v2.57.0...v2.58.0
v2.57.0: GitHub CLI 2.57.0Compare Source
What's Changed
--activeflag to thegh auth statuscommand by @velumuruganr in https://github.com/cli/cli/pull/9520gh attestation verifytest for custom OIDC issuers by @bdehamer in https://github.com/cli/cli/pull/9595darwin-arm64binary, but adarwin-amd64binary is available by @timrogers in https://github.com/cli/cli/pull/9599gh attestation verifybundle parsing and validation errors by @malancas in https://github.com/cli/cli/pull/9564attestation verifyoutput when no TTY present by @bdehamer in https://github.com/cli/cli/pull/9612New Contributors
Full Changelog: cli/cli@v2.56.0...v2.57.0
v2.56.0: GitHub CLI 2.56.0Compare Source
Important note about renewed GPG key
The Debian and RedHat releases have been signed with a new GPG key. If you are experiencing issues updating your
.debor.rpmpackages, please read cli/cli#9569.What's Changed
gh repo syncstdout by @muzimuzhi in https://github.com/cli/cli/pull/9491Internalfromgh repo createprompt when owner is not an org by @jtmcg in https://github.com/cli/cli/pull/9465gh run viewby @benebsiny in https://github.com/cli/cli/pull/9482repo syncby @muzimuzhi in https://github.com/cli/cli/pull/9509gh attestation verifyhandles empty JSONL files by @malancas in https://github.com/cli/cli/pull/9541New Contributors
Full Changelog: cli/cli@v2.55.0...v2.56.0
v2.55.0: GitHub CLI 2.55.0Compare Source
What's Changed
gh variable getto use repo host by @andyfeller in https://github.com/cli/cli/pull/9411gh repo set-defaultby @thecaffeinedev in https://github.com/cli/cli/pull/9431gh run downloaddownloads the latest artifact by default by @sato11 in https://github.com/cli/cli/pull/9412--project.*flags'namewithtitlein docs by @jtmcg in https://github.com/cli/cli/pull/9443gh release create --notes-from-tagbehavior with multiline tag annotation by @babakks in https://github.com/cli/cli/pull/9385pr create --editorby @benebsiny in https://github.com/cli/cli/pull/9433gh attestationby @codysoyland in https://github.com/cli/cli/pull/9442cli/gh-extension-precompileby @BagToad in https://github.com/cli/cli/pull/9462working-with-us.mdby @BagToad in https://github.com/cli/cli/pull/9468gh issue develop -b does-not-exist-on-remoteby @benebsiny in https://github.com/cli/cli/pull/9477--project <number>flags ingh searchtoowner/numberby @jtmcg in https://github.com/cli/cli/pull/9453New Contributors
Full Changelog: cli/cli@v2.54.0...v2.55.0
v2.54.0: GitHub CLI 2.54.0Compare Source
What's Changed
--bareclone targets by @hyperrealist in https://github.com/cli/cli/pull/9271--remove-milestoneoption toissue editandpr editby @babakks in https://github.com/cli/cli/pull/9344New Contributors
Full Changelog: cli/cli@v2.53.0...v2.54.0
v2.53.0: GitHub CLI 2.53.0Compare Source
What's Changed
--jsonoption tovariable getcommand by @babakks in https://github.com/cli/cli/pull/9128gh repo createto clarify owner by @jessehouwing in https://github.com/cli/cli/pull/9309gh pr view --json stateReasonby @williammartin in https://github.com/cli/cli/pull/9307issue create --editorby @notomo in https://github.com/cli/cli/pull/7193pr update-branchcommand by @babakks in https://github.com/cli/cli/pull/8953New Contributors
Full Changelog: cli/cli@v2.52.0...v2.53.0
v2.52.0: GitHub CLI 2.52.0Compare Source
What's Changed
-aflag togh run listby @joshuajtward in https://github.com/cli/cli/pull/9162gh at verifypublic beta note by @phillmv in https://github.com/cli/cli/pull/9243New Contributors
Full Changelog: cli/cli@v2.51.0...v2.52.0
v2.51.0: GitHub CLI 2.51.0Compare Source
What's Changed
signer-repoandsigner-workflowflags togh attestation verifyby @malancas in https://github.com/cli/cli/pull/9137--json-resultflag with--format=jsonin the attestation cmd by @phillmv in https://github.com/cli/cli/pull/9172New Contributors
Full Changelog: cli/cli@v2.50.0...v2.51.0
v2.50.0: GitHub CLI 2.50.0Compare Source
What's Changed
gh pr checksby @nobe4 in https://github.com/cli/cli/pull/9079gh pr viewby @nobe4 in https://github.com/cli/cli/pull/9080Attemptsfield toAttempt; expose ingh run viewandgh run lsby @cawfeecake in https://github.com/cli/cli/pull/8905gh variable get FOOcommand by @arnested in https://github.com/cli/cli/pull/9106gh attestation verifyshared workflow use case by @malancas in https://github.com/cli/cli/pull/9107New Contributors
Full Changelog: cli/cli@v2.49.2...v2.50.0
v2.49.2: GitHub CLI 2.49.2Compare Source
What's Changed
run listdoc with available--jsonfields by @babakks in https://github.com/cli/cli/pull/8934Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.