| Summary: | gitolite new security issue CVE-2018-16976 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, bruno, herman.viaene, marja11, ngompa13, shlomif, sysadmin-bugs, tmb |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | gitolite-3.6.7-2.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser 2018-10-13 00:37:05 CEST

David Walser 2018-10-13 00:37:21 CEST
CC: (none) => ngompa13, shlomif
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif

Fedora has issued an advisory for this on September 21:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/

gitolite 3.6.10 uploaded in cauldron and mga6
Status: NEW => ASSIGNED

Advisory:
========================

Updated gitolite package fixes security vulnerability:

Gitolite before 3.6.9 does not (in certain configurations involving @all or a regex) properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed. This can allow valid users to obtain unintended access (CVE-2018-16976).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16976
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/
========================

Updated packages in core/updates_testing:
========================

gitolite-3.6.10-1.mga6 from gitolite-3.6.10-1.mga6.src.rpm

Severity: normal => major

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Found http://www.bigfastblog.com/gitolite-installation-step-by-step to try to set up gitolite in the laptop itself. This implies skipping all steps of clone and install commands, so at the CLI as the gitolite user:

```
$ ssh-keygen -t rsa -f gitolitekey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in gitolitekey.
Your public key has been saved in gitolitekey.pub.
etc.....

$ gitolite setup -pk gitolitekey.pub
Initialized empty Git repository in /var/lib/gitolite/repositories/gitolite-admin.git/
Initialized empty Git repository in /var/lib/gitolite/repositories/testing.git/
```

I did not venture any further than checking all files are there AFAICS; I am far from fluent at git.
Just tried three other commands:

```
$ gitolite list-users
@all
gitolitekey

$ gitolite list-repos
gitolite-admin
testing

$ gitolite query-rc -a
ACCESS_1=ARRAY(0x86cb248)
COMMAND=ARRAY(0x86e33a0)
COMMANDS=HASH(0x86c10a0)
ENABLE=ARRAY(0x86c1830)
GIT_CONFIG_KEYS=
GL_ADMIN_BASE=/var/lib/gitolite/.gitolite
GL_BINDIR=/usr/share/gitolite
GL_LIBDIR=/usr/share/gitolite/lib
GL_LOGFILE=/var/lib/gitolite/.gitolite/logs/gitolite-2018-10.log
GL_REPO_BASE=/var/lib/gitolite/repositories
GL_TID=394
LOG_EXTRA=1
LOG_TEMPLATE=/var/lib/gitolite/.gitolite/logs/gitolite-%y-%m.log
POST_COMPILE=ARRAY(0x86e3320)
POST_CREATE=ARRAY(0x86e3350)
ROLES=HASH(0x86c16a0)
UMASK=63
```

All looks reasonable to me.
CC: (none) => herman.viaene

Validating. Advisory in Comment 4.
Keywords: (none) => validated_update

Thomas Backlund 2018-11-03 11:50:32 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0434.html

Resolution: (none) => FIXED