MegaLinter still uses vulnerable git version in docker images #2286

vroad · 2023-01-23T04:32:22Z

❯ docker run --rm --entrypoint='' oxsecurity/megalinter-terraform:v6 git --version
git version 2.36.3

MegaLinter should update git client to 2.39.1 to fix CVE-2022-41903

The text was updated successfully, but these errors were encountered:

nvuillam · 2023-02-06T21:04:59Z

Fixed by #2312 :)
New version: 2.38.3

vroad · 2023-02-07T03:30:41Z

@nvuillam
First version that fixes RCE vulnerabilities is 2.39.1, not 2.38.3.

I just pulled v6 images from Docker Hub, they still uses vulnerable version.

❯ docker run --rm --entrypoint '' oxsecurity/megalinter:v6 git --version
git version 2.36.4

❯ docker run --rm --entrypoint='' oxsecurity/megalinter-terraform:v6 git --version
git version 2.36.4

nvuillam · 2023-02-07T05:25:06Z

You'll see the update in beta version, and in the next v6.x release

2.38.3 is the latest version on alpine 3.17

vroad · 2023-02-07T06:17:39Z

Thanks, I misunderstood which version fixed the issue. 2.38.3 also fixes RCE vulnerabilities.

nvuillam · 2023-02-07T06:28:39Z

All good so :)

Thanks for reporting :)

nvuillam · 2023-02-07T06:28:44Z

All good so :)

Thanks for reporting :)

nvuillam closed this as completed Feb 6, 2023

Provide feedback