HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.0`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.0)
[Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0)
#### What's Changed
- docs: provide logging recommendations by [@mickael-hc](https://togithub.com/mickael-hc) in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371)
- Update aws sdk version by [@Jukie](https://togithub.com/Jukie) in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384)
- Update S3 URL in README by [@twelvelabs](https://togithub.com/twelvelabs) in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378)
- Migrate to GHA by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/379](https://togithub.com/hashicorp/go-getter/pull/379)
- \[COMPLIANCE] Update MPL 2.0 LICENSE by [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386)
- remove codesign entirely from go-getter by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/408](https://togithub.com/hashicorp/go-getter/pull/408)
- Add decompression bomb mitigation options for v1 by [@picatz](https://togithub.com/picatz) in [https://github.com/hashicorp/go-getter/pull/412](https://togithub.com/hashicorp/go-getter/pull/412)
- v1: decompressors: add LimitedDecompressors helper by [@shoenig](https://togithub.com/shoenig) in [https://github.com/hashicorp/go-getter/pull/413](https://togithub.com/hashicorp/go-getter/pull/413)
#### New Contributors
- [@mickael-hc](https://togithub.com/mickael-hc) made their first contribution in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371)
- [@Jukie](https://togithub.com/Jukie) made their first contribution in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384)
- [@twelvelabs](https://togithub.com/twelvelabs) made their first contribution in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378)
- [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) made their first contribution in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386)
**Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
v1.6.2
->v1.7.0
GitHub Vulnerability Alerts
CVE-2023-0475
HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompression bombs. Fixed in 1.7.0 and 2.2.0.
Release Notes
hashicorp/go-getter (github.com/hashicorp/go-getter)
### [`v1.7.0`](https://togithub.com/hashicorp/go-getter/releases/tag/v1.7.0) [Compare Source](https://togithub.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0) #### What's Changed - docs: provide logging recommendations by [@mickael-hc](https://togithub.com/mickael-hc) in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371) - Update aws sdk version by [@Jukie](https://togithub.com/Jukie) in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384) - Update S3 URL in README by [@twelvelabs](https://togithub.com/twelvelabs) in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378) - Migrate to GHA by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/379](https://togithub.com/hashicorp/go-getter/pull/379) - \[COMPLIANCE] Update MPL 2.0 LICENSE by [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386) - remove codesign entirely from go-getter by [@claire-labry](https://togithub.com/claire-labry) in [https://github.com/hashicorp/go-getter/pull/408](https://togithub.com/hashicorp/go-getter/pull/408) - Add decompression bomb mitigation options for v1 by [@picatz](https://togithub.com/picatz) in [https://github.com/hashicorp/go-getter/pull/412](https://togithub.com/hashicorp/go-getter/pull/412) - v1: decompressors: add LimitedDecompressors helper by [@shoenig](https://togithub.com/shoenig) in [https://github.com/hashicorp/go-getter/pull/413](https://togithub.com/hashicorp/go-getter/pull/413) #### New Contributors - [@mickael-hc](https://togithub.com/mickael-hc) made their first contribution in [https://github.com/hashicorp/go-getter/pull/371](https://togithub.com/hashicorp/go-getter/pull/371) - [@Jukie](https://togithub.com/Jukie) made their first contribution in [https://github.com/hashicorp/go-getter/pull/384](https://togithub.com/hashicorp/go-getter/pull/384) - [@twelvelabs](https://togithub.com/twelvelabs) made their first contribution in [https://github.com/hashicorp/go-getter/pull/378](https://togithub.com/hashicorp/go-getter/pull/378) - [@hashicorp-copywrite](https://togithub.com/hashicorp-copywrite) made their first contribution in [https://github.com/hashicorp/go-getter/pull/386](https://togithub.com/hashicorp/go-getter/pull/386) **Full Changelog**: https://github.com/hashicorp/go-getter/compare/v1.6.2...v1.7.0Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.