Package: gitolite3
Version: 3.6.6-1
Severity: important
Tags: upstream

Dear Maintainer,

I have used gitolite3 for many years; this is the first time I have ever had a major bug, and it involved a username with an underscore in it. ssh to the server reported "hello user" not "hello user_xxxx", and COMPLETELY the wrong repository was granted write access. This is an extremely serious security issue.

-- System Information:
Debian Release: 9.12
  APT prefers stable
  APT policy: (500, 'stable'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages gitolite3 depends on:
ii  adduser                      3.115
ii  debconf [debconf-2.0]        1.5.61
ii  git [git-core]               1:2.29.2-1~bpo10+1
ii  libjson-perl                 2.90-1
ii  openssh-client               1:7.4p1-11.0nosystemd1
ii  openssh-server [ssh-server]  1:7.4p1-11.0nosystemd1
ii  perl                         5.28.1-6

gitolite3 recommends no packages.

Versions of packages gitolite3 suggests:
pn  git-daemon-sysvinit  <none>
ii  gitweb               1:2.29.2-1~bpo10+1

-- debconf information excluded