[Git][security-tracker-team/security-tracker][master] golang-github-hashicorp-go-getter removed from the archive

Moritz Muehlenhoff (@jmm) jmm at debian.org
Tue Jan 20 19:11:42 GMT 2026



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
223564a1 by Moritz Muehlenhoff at 2026-01-20T20:11:19+01:00
golang-github-hashicorp-go-getter removed from the archive

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -58180,8 +58180,8 @@ CVE-2025-38502 (In the Linux kernel, the following vulnerability has been resolv
 	- linux 6.16.3-1
 	NOTE: https://git.kernel.org/linus/abad3d0bad72a52137e0c350c59542d75ae4f513 (6.17-rc1)
 CVE-2025-8959 (HashiCorp's go-getter library subdirectory download feature is vulnera ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1111318)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1111318)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <postponed> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2025-23-hashicorp-go-getter-vulnerable-to-arbitrary-read-through-symlink-attack/76242
 CVE-2025-8898 (The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress  ...)
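Review bot: in the CVE-2025-8959 entry, the [bookworm] line becomes <ignored> while the untouched [bullseye] line directly below it still says <postponed>. The older release now reads as "fix may still follow" and the newer one as "will not be fixed". If no update is planned for any release, consider aligning the bullseye line in the same commit. Otherwise add a NOTE explaining why the two states differ.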
@@ -180849,8 +180849,8 @@ CVE-2024-6300 (Incomplete cleanup when performing redactions in Conduit, allowin
 CVE-2024-6299 (Lack of consideration of key expiry when validating signatures in Cond ...)
 	NOT-FOR-US: Conduit
 CVE-2024-6257 (HashiCorp\u2019s go-getter library can be coerced into executing Git u ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1075823)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1075823)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2024-13-hashicorp-go-getter-vulnerable-to-code-execution-on-git-update-via-git-config-manipulation/68081
 CVE-2024-6238 (pgAdmin <= 8.8 has an installation Directory permission issue.Because  ...)
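Review bot: the [bookworm] line for CVE-2024-6257 moves from <no-dsa> to <ignored> but keeps the carried-over reason "(Minor issue)", while the NOTE URL two lines below titles the advisory as code execution on Git update. Since <ignored> records a permanent decision not to fix, the reason should name the actual grounds for that decision so it can be audited later without reading the commit log.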
@@ -204580,8 +204580,8 @@ CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by
 CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1083184)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1083184)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <not-affected> (Vulnerable code not present)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040
@@ -289769,8 +289769,8 @@ CVE-2023-0477 (The Auto Featured Image (Auto Post Thumbnail) WordPress plugin be
 CVE-2023-0476 (A LDAP injection vulnerability exists in Tenable.sc due to improper va ...)
 	NOT-FOR-US: Tenable
 CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1032100)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1032100)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
@@ -351778,24 +351778,24 @@ CVE-2022-30325 (An issue was found on TRENDnet TEW-831DR 1.0 601.130.1.1356 devi
 CVE-2022-30324 (HashiCorp Nomad and Nomad Enterprise version 0.2.0 up to 1.3.0 were im ...)
 	- nomad <not-affected> (In Debian Nomad doesn't bundle go-getter, but build depends a shared deb)
 CVE-2022-30323 (go-getter up to 1.5.11 and 2.0.2 panicked when processing password-pro ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30322 (go-getter up to 1.5.11 and 2.0.2 allowed asymmetric resource exhaustio ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
 	NOTE: https://github.com/hashicorp/go-getter/pull/359
 	NOTE: https://github.com/hashicorp/go-getter/commit/a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0)
 CVE-2022-30321 (go-getter up to 1.5.11 and 2.0.2 allowed arbitrary host access via go- ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
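Review bot: CVE-2022-30323 and CVE-2022-30322 each carry a NOTE pointing at upstream commit a2ebce998f8d4105bd4b78d6c99a12803ad97a45 (v1.6.0), yet their [bookworm] lines are set to <ignored>. The diff does not show why an identified upstream fix is not taken for bookworm. Suggest stating in the reason that a backport is being declined, if that is the case. CVE-2022-30321 in the same hunk references the same advisory and bug but has no commit NOTE, so it is also worth confirming that the fix reference is not simply missing there.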
@@ -361992,8 +361992,8 @@ CVE-2022-0936 (Cross-site Scripting (XSS) - Stored in GitHub repository autolab/
 CVE-2022-26946
 	RESERVED
 CVE-2022-26945 (go-getter up to 1.5.11 and 2.0.2 allowed protocol switching, endless r ...)
-	- golang-github-hashicorp-go-getter <unfixed> (bug #1011741)
-	[bookworm] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
+	- golang-github-hashicorp-go-getter <removed> (bug #1011741)
+	[bookworm] - golang-github-hashicorp-go-getter <ignored> (Minor issue)
 	[bullseye] - golang-github-hashicorp-go-getter <no-dsa> (Minor issue)
 	[buster] - golang-github-hashicorp-go-getter <postponed> (Limited support, minor issue, follow bullseye DSAs/point-releases)
 	NOTE: https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930
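Review bot: the new <removed> line for CVE-2022-26945 keeps "(bug #1011741)", which is the vulnerability report, and neither this line nor the commit subject references the archive removal itself. A pointer to the removal request in the commit message would let a reader confirm the removal without searching for it.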



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/223564a10e24f60c48279cf392b62b8cfdd4ef95
