Bug 24843

Summary: cgit new DoS security issue
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: sysadmin-bugs, tmb
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: cgit-1.2.1-3.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-05-20 04:06:21 CEST
A security issue was reported in cgit, with an upstream response here:
https://www.openwall.com/lists/oss-security/2019/05/19/3

It says to expect a patch tomorrow.
Comment 1 Thomas Backlund 2019-05-20 23:10:26 CEST
Fixed in Cauldron in cgit 1.2.1-4

Packages for Mga6:

SRPMS:
cgit-0.12-3.2.mga6.src.rpm

i586:
cgit-0.12-3.2.mga6.i586.rpm

x86_64:
cgit-0.12-3.2.mga6.x86_64.rpm

The fixed package is also installed on the Mageia gitweb host.

CC: (none) => tmb
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs

Thomas Backlund 2019-06-21 02:50:29 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 2 Thomas Backlund 2019-07-02 17:17:59 CEST
Validating since it's been running for over a month on Mageia infra.

Advisory:
type: security
subject: Updated cgit packages fix security vulnerability
src:
  6:
   core:
     - cgit-0.12-3.2.mga6
description: |
  A specially crafted URL can potentially cause cgit to excessively use
  CPU and network resources, resulting in a Denial-of-Service.

  This update resolves that issue.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24843

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2019-07-02 19:06:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0203.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED