MegaLinter still uses vulnerable git version in docker images

[vroad]

❯ docker run --rm --entrypoint='' oxsecurity/megalinter-terraform:v6 git --version
git version 2.36.3

MegaLinter should update git client to 2.39.1 to fix CVE-2022-41903

[nvuillam]

Fixed by #2312 :)
New version: 2.38.3

[vroad]

@nvuillam
First version that fixes RCE vulnerabilities is 2.39.1, not 2.38.3.

I just pulled v6 images from Docker Hub, they still uses vulnerable version.

❯ docker run --rm --entrypoint '' oxsecurity/megalinter:v6 git --version
git version 2.36.4

❯ docker run --rm --entrypoint='' oxsecurity/megalinter-terraform:v6 git --version
git version 2.36.4

[nvuillam]

You'll see the update in beta version, and in the next v6.x release

https://pkgs.alpinelinux.org/packages?name=git&branch=v3.17&repo=&arch=&maintainer=

2.38.3 is the latest version on alpine 3.17

[vroad]

Thanks, I misunderstood which version fixed the issue. 2.38.3 also fixes RCE vulnerabilities.

[nvuillam]

All good so :)

Thanks for reporting :)

[nvuillam]

All good so :)

Thanks for reporting :)