Your message dated Sat, 04 Aug 2018 20:36:20 +0000
with message-id <e1fm3hg-000eh9...@fasolo.debian.org>
and subject line Bug#905382: fixed in cgit 1.1+git2.10.2-3+deb9u1
has caused the Debian Bug report #905382,
regarding cgit: CVE-2018-14912: directory traversal vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
905382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905382
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cgit
Version: 1.1+git2.10.2-3
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for cgit.
CVE-2018-14912[0]:
| cgit_clone_objects in CGit before 1.2.1 has a directory traversal
| vulnerability when `enable-http-clone=1` is not turned off, as
| demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14912
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
[2] https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html
[3] https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680
Regards,
Salvatore
--- End Message ---
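The CVE text quoted in the report above describes a `?path=../` request to the dumb-HTTP clone endpoint escaping the repository's object directory. The following is an added example, not cgit's code and not the upstream fix referenced in [3]: a stand-alone validator in C that first applies a generic component-wise traversal guard to the already URL-decoded `path` value, then checks it against a positive whitelist of the files a dumb-HTTP git client actually fetches. The function names (`path_components_safe`, `clone_path_allowed`) and the whitelist are this example's own, and it assumes SHA-1 repositories (two plus 38 hex characters for loose objects, 40 for pack names).

```c
/*
 * Added example, not cgit's code and not the upstream fix for
 * CVE-2018-14912: a strict validator for the "path" query parameter of a
 * dumb-HTTP git clone endpoint. The request shape given in the CVE text,
 * objects/?path=../, must be refused before the server touches the
 * filesystem. Function names and the whitelist are this example's own;
 * it assumes SHA-1 repositories (2 + 38 hex loose objects, 40 hex packs).
 */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True if s[0..n) is entirely lowercase hex digits (git's on-disk naming). */
static bool all_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isxdigit(c) || isupper(c))
            return false;
    }
    return true;
}

/*
 * Generic traversal guard, applied to the already URL-decoded path:
 * reject NULL/empty, absolute paths, backslashes, empty components
 * ("a//b", trailing "/") and any "." or ".." component. It knows nothing
 * about git; it only guarantees the path cannot climb above its root.
 */
bool path_components_safe(const char *path)
{
    if (!path || !*path || *path == '/' || path[strlen(path) - 1] == '/')
        return false;
    for (const char *p = path; ; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                                  /* "a//b"  */
            return false;
        if (len == 1 && p[0] == '.')                   /* "."     */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')    /* ".."    */
            return false;
        if (memchr(p, '\\', len))                      /* '\' as separator */
            return false;
        if (!end)
            return true;
        p = end + 1;
    }
}

/*
 * Positive whitelist of what a dumb-HTTP git client fetches. Anything not
 * on the list is refused even if it passes the generic guard: the
 * property wanted here is "only these files", not merely "no '..'".
 */
bool clone_path_allowed(const char *path)
{
    if (!path_components_safe(path))
        return false;
    if (!strcmp(path, "HEAD") || !strcmp(path, "info/refs") ||
        !strcmp(path, "objects/info/packs"))
        return true;
    if (strncmp(path, "objects/", 8) != 0)
        return false;
    const char *rest = path + 8;
    /* Loose object: objects/xx/<38 hex> */
    if (strlen(rest) == 41 && rest[2] == '/' &&
        all_hex(rest, 2) && all_hex(rest + 3, 38))
        return true;
    /* Pack file or index: objects/pack/pack-<40 hex>.pack|.idx */
    if (strncmp(rest, "pack/pack-", 10) == 0) {
        const char *hash = rest + 10;
        const char *dot = strchr(hash, '.');
        if (dot && dot - hash == 40 && all_hex(hash, 40) &&
            (!strcmp(dot, ".pack") || !strcmp(dot, ".idx")))
            return true;
    }
    return false;
}

int main(void)
{
    /* Constructed sample requests; the first mirrors the CVE text. */
    const char *samples[] = {
        "../", "../../etc/passwd", "objects/../../config", "/etc/passwd",
        "objects/e6/9de29bb2d1d6434b8b29ae775ad8c2e48c5391",
        "objects/pack/pack-e69de29bb2d1d6434b8b29ae775ad8c2e48c5391.idx",
        "info/refs", "HEAD", "objects/info/packs", "objects/info/../HEAD",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-62s %s\n", samples[i],
               clone_path_allowed(samples[i]) ? "serve" : "reject");
    return 0;
}
```

The two-layer design matters in practice: a substring check for `..` alone would still let a handler serve arbitrary files under the repository (hooks, config, packed-refs) to anyone who can guess their names, whereas the whitelist pins the endpoint to the handful of paths a clone genuinely needs.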
--- Begin Message ---
Source: cgit
Source-Version: 1.1+git2.10.2-3+deb9u1
We believe that the bug you reported is fixed in the latest version of
cgit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 905...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated cgit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 04 Aug 2018 12:27:48 +0200
Source: cgit
Binary: cgit
Architecture: source
Version: 1.1+git2.10.2-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Cgit Packaging Team <pkg-cgit-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
cgit - hyperfast web frontend for git repositories written in C
Closes: 905382
Changes:
cgit (1.1+git2.10.2-3+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* clone: fix directory traversal (CVE-2018-14912) (Closes: #905382)
Checksums-Sha1:
4203d69518c3134d9ec001c04d894a8fad3a190f 2309 cgit_1.1+git2.10.2-3+deb9u1.dsc
37d74a9266a995c4fc53bd78a5affdf8d214e174 6118627 cgit_1.1+git2.10.2.orig.tar.gz
2c5292295fcc0f1e081e7812d569fa271e1bc8d2 11508 cgit_1.1+git2.10.2-3+deb9u1.debian.tar.xz
abfe9a68f32f856ef369c5cb0d684fc57a471e1f 6336 cgit_1.1+git2.10.2-3+deb9u1_source.buildinfo
Checksums-Sha256:
12b6b10a306ba9e624187527d58ec89ea4e05f890f6baa5dde76facd7a617686 2309 cgit_1.1+git2.10.2-3+deb9u1.dsc
ca271d2cd188bd8a1d9a103c3d5e889ac67169bd2b9b554fbdaa98cf76e8a2bb 6118627 cgit_1.1+git2.10.2.orig.tar.gz
2768eec1f9bc23d762276ce45732bd844ee7835893d898be06094606506cd8c0 11508 cgit_1.1+git2.10.2-3+deb9u1.debian.tar.xz
d8ae5a5a7f8a5906e6c0c284746c38cde48bd192a5fa03db165c99b98dd085b9 6336 cgit_1.1+git2.10.2-3+deb9u1_source.buildinfo
Files:
6f4fff92c5c61c461e0517fcf970c174 2309 net extra cgit_1.1+git2.10.2-3+deb9u1.dsc
ed3b45ecf5b8bc4afe92ace523548b26 6118627 net extra cgit_1.1+git2.10.2.orig.tar.gz
a422ce22211961179d0efabafad6d3d4 11508 net extra cgit_1.1+git2.10.2-3+deb9u1.debian.tar.xz
33bee95b83bdef0fd324458ed715b09b 6336 net extra cgit_1.1+git2.10.2-3+deb9u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---