Fedora has issued an advisory on December 25:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/125611.html

The issue is fixed upstream in 3.5.3.1.

It's unclear why we have a gitolite3 package that's actually an older version of gitolite 3.x than the gitolite package is. Maybe it could be obsoleted?

Mageia 3 is also affected.

CC: (none) => boklm, dmorganec, mageia
Blocks: (none) => 11726
Whiteboard: (none) => MGA3TOO
According to discussion here:
https://groups.google.com/forum/#!topic/gitolite/Tu1sjaf7A4A/discussion

which in particular states:

"If you *are* affected, (i.e., you did a fresh install of gitolite between fa06a34 and v3.5.3), merely upgrading will NOT fix the problem, and you *must* do a one-time chmod fixup as described below."

the chmod fixup is noted in the workaround section (which is probably useful information to have put here...)

"- EXISTING INSTALLS: if it affects you (see next section for details), you need to do a one-time 'chmod -R go-rwx' (or such) on ~/.gitolite.rc, ~/.gitolite, and ~/repositories/gitolite-admin.git"

Finally, the commit that introduced this was fa06a34, which set the umask as early as possible and was committed on September 3 2013 (https://github.com/sitaramc/gitolite/commit/fa06a34) and as a result earlier versions are _NOT_ affected.

Given that we provide:

- gitolite 3.5.1 that was released 2013-03-27, it's not affected.
- gitolite3 3.04 that was released 2012-06-26, it's not affected.
- gitolite 3.3 that was released 2012-12-29, it's not affected.

so we are not affected

Status: NEW => RESOLVED
CC: (none) => makowski.mageia
Resolution: (none) => INVALID
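The one-time fixup quoted in the comment above targets three paths. As an added example (not part of the original thread or of gitolite itself), this read-only check lists what under those paths still carries group/other permission bits; the function names and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the three paths named in the gitolite workaround.
# list_exposed only reads permissions; it never changes them.

# list_exposed HOME_DIR
# Prints every file or directory under ~/.gitolite.rc, ~/.gitolite and
# ~/repositories/gitolite-admin.git that has any group/other bit set,
# i.e. everything a 'chmod -R go-rwx' on those paths would still change.
list_exposed() {
    home=$1
    for p in "$home/.gitolite.rc" "$home/.gitolite" \
             "$home/repositories/gitolite-admin.git"; do
        [ -e "$p" ] || continue
        # Symlinks are skipped: their own mode is not what chmod -R changes.
        find "$p" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

# count_exposed HOME_DIR -> number of entries list_exposed reports.
count_exposed() { list_exposed "$1" | wc -l | tr -d ' '; }

# Constructed sample: a fake home directory with two over-permissive entries.
make_sample_home() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/.gitolite/conf" "$d/repositories/gitolite-admin.git" \
             "$d/repositories/other.git"
    : > "$d/.gitolite.rc"
    : > "$d/.gitolite/conf/gitolite.conf"
    : > "$d/repositories/gitolite-admin.git/HEAD"
    : > "$d/repositories/other.git/HEAD"
    chmod -R go-rwx "$d"
    chmod 644 "$d/.gitolite.rc"                 # exposed file
    chmod 755 "$d/.gitolite/conf"               # exposed directory
    chmod 644 "$d/repositories/other.git/HEAD"  # outside the three paths
    ln -s "$d/.gitolite.rc" "$d/.gitolite/link" # symlink, ignored by the audit
    echo "$d"
}

sample=$(make_sample_home)
echo "exposed before fixup:"; list_exposed "$sample"
chmod -R go-rwx "$sample/.gitolite.rc" "$sample/.gitolite" \
    "$sample/repositories/gitolite-admin.git"
echo "exposed after fixup: $(count_exposed "$sample")"
rm -rf "$sample"
```

On a real install, `list_exposed "$HOME"` run as the gitolite hosting user gives the list to review before and after the fixup.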
(In reply to David Walser from comment #0)
> It's unclear why we have a gitolite3 package that's actually an older
> version of gitolite 3.x than the gitolite package is. Maybe it could be
> obsoleted?

gitolite3 is no longer present in Cauldron
D Morgan just removed gitolite3 from Cauldron. gitolite should probably obsolete it.
CC: boklm => (none)