OpenSuSE has issued an advisory today (June 22):
http://lists.opensuse.org/opensuse-updates/2015-06/msg00045.html

Unfortunately our cgit package also has a bundled git, version 2.0.1, which is also vulnerable to (albeit a minor issue) CVE-2015-9390. I don't know if it can be unbundled (it would be nice), but it should be updated at least.
Whiteboard: (none) => MGA5TOO, MGA4TOO
It sadly can't be unbundled (at least not until git supports a libgit but I doubt that is likely as it would mean committing to API/ABI, neither of which are desirable from the upstream git maintainers perspective).
So cgit's bundled git needs to be patched as well? Or what's the status with this bug?
CC: (none) => mageia
(In reply to Sander Lepik from comment #2)
> So cgit's bundled git needs to be patched as well? Or what's the status with
> this bug?

cgit's bundled git needs to be updated.
Well, it's still not moving forward :( It seems to be a leaf package, Colin, are you ready to upgrade it to the latest version, if David is OK with that? It doesn't seem like a good option to drop it if gitweb.mageia.org is using it.
All that needs to be done is updating the bundled git, but if Colin thinks cgit should also be updated, I have no problem with that.
Sorry for my lack of time off late! I'm generally in favour of moving up to the latest version of cgit if someone wants to do it! I'll keep the tab open and try and sort it out on Monday when I should have a few hours to catch up.
I've pushed:

cgit-0.11.2-1.mga4.src.rpm resulting in cgit-0.11.2-1.mga4.x86_64.rpm (+debuginfo)
and
cgit-0.11.2-1.mga5.src.rpm resulting in cgit-0.11.2-1.mga5.x86_64.rpm (+debuginfo)

(and to cauldron too)

They are now able to be tested.
Assignee: mageia => qa-bugs; Whiteboard: MGA5TOO, MGA4TOO => MGA5TOO, MGA4TOO,
I've already done a basic test on my own server on mga5 http://colin.guthr.ie/git/ and it appears to be working fine.
CC: (none) => mageia; Whiteboard: MGA5TOO, MGA4TOO, => MGA5TOO, MGA4TOO, MGA5-64-OK
Version: Cauldron => 5; Whiteboard: MGA5TOO, MGA4TOO, MGA5-64-OK => MGA4TOO, MGA5-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.9.2-3.mga4.i586 is already installed

http://localhost/
http://localhost/~wilcal/
http://192.168.1.140/~wilcal/
All work

http://git/
http://localhost/git
http://localhost/git/
http://localhost/~wilcal/git
http://192.168.1.140/~wilcal/git/
None work. There is no previous procedure to get this to work.

(In reply to Colin Guthrie from comment #8)
> I've already done a basic test on my own server on mga5
> http://colin.guthr.ie/git/ and it appears to be working fine.

Is there a simple one or two line procedure that gets this working, Colin?
CC: (none) => wilcal.int
(In reply to William Kenney from comment #9)
> http://git/
> http://localhost/git
> http://localhost/git/
> http://localhost/~wilcal/git
> http://192.168.1.140/~wilcal/git/
> None work. There is no previous procedure to get this to work.
>
> Is there a simple one or two line procedure that gets this
> working Colin?

Looking at the package, I see the default config is:

cat /etc/httpd/conf/webapps.d/cgit.conf:
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit

So from this the URL to test should be http://localhost/cgit
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.9.2-3.mga4.i586 is already installed

/etc/httpd/conf/webapps.d/cgit.conf:
Alias /cgit-data /usr/share/cgit
ScriptAlias /cgit /var/www/cgi-bin/cgit

http://localhost/cgit gets the following webpage:

Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.9.2 at 2015-08-17 15:38:13 (GMT)

I'd say that confirms that cgit got installed and is working.

install cgit from updates_testing

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga4.i586 is already installed

http://localhost/cgit gets the following webpage:

Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.11.2 at 2015-08-17 15:45:48 (GMT)

I'd say that confirms that cgit got updated and is working.

What do you say, David? Good enough testing without having to become a cgit expert?

Thanks Colin.
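The two manual checks above (deriving the test URL from cgit.conf, then reading the version out of the page footer) as a POSIX shell QA helper. This is an added example, not code from the bug report, from cgit or from Mageia. It assumes the Apache config shape quoted above, a footer containing "cgit v<version>", and that a cgit source tree records its bundled git version in git/GIT-VERSION-GEN as DEF_VER=v<version>; the sample config, pages and source tree it runs against are constructed inline so it works offline.

```shell
#!/bin/sh
# Added example (not cgit's or Mageia's tooling): script the cgit QA check.
# Assumptions: Apache config as in /etc/httpd/conf/webapps.d/cgit.conf above,
# a footer containing "cgit v<version>", and git/GIT-VERSION-GEN holding
# DEF_VER=v<version> in a cgit source tree.

# Print the URL path that ScriptAlias maps to the cgit CGI (e.g. /cgit).
cgit_path_from_conf() {
    awk '$1 == "ScriptAlias" && $3 ~ /\/cgit$/ { print $2; exit }' "$1"
}

# Build the URL QA should test from the config file and a host name.
cgit_url_from_conf() {
    path=$(cgit_path_from_conf "$1")
    [ -n "$path" ] || return 1
    printf 'http://%s%s\n' "$2" "$path"
}

# Pull "0.11.2" out of a saved page whose footer reads "... cgit v0.11.2 at ...".
cgit_version_from_page() {
    sed -n 's/.*cgit v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' "$1" | head -n 1
}

# Bundled git version of a cgit source tree, from git/GIT-VERSION-GEN.
bundled_git_version() {
    sed -n 's/^DEF_VER=v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' \
        "$1/git/GIT-VERSION-GEN" | head -n 1
}

# Dotted-version compare without GNU "sort -V": status 0 when $1 >= $2.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Status 0 if the page reports at least the expected cgit version, 1 if it is
# stale, 2 if no cgit footer was found (wrong URL, e.g. http://localhost/git).
check_cgit_update() {
    v=$(cgit_version_from_page "$1")
    [ -n "$v" ] || { echo "no cgit footer in $1" >&2; return 2; }
    if version_ge "$v" "$2"; then
        echo "OK: page reports cgit v$v (>= $2)"
    else
        echo "STALE: page reports cgit v$v (< $2)"
        return 1
    fi
}

# Status 0 if the tree's bundled git is at or past the required version.
check_bundled_git() {
    g=$(bundled_git_version "$1")
    [ -n "$g" ] || { echo "no DEF_VER in $1/git/GIT-VERSION-GEN" >&2; return 2; }
    version_ge "$g" "$2"
}

# Constructed samples (not captured from a real host) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'Alias /cgit-data /usr/share/cgit\nScriptAlias /cgit /var/www/cgi-bin/cgit\n' \
    > "$SAMPLE_DIR/cgit.conf"
printf '<div class="footer">generated by cgit v0.9.2 at 2015-08-17 15:38:13 (GMT)</div>\n' \
    > "$SAMPLE_DIR/old.html"
printf '<div class="footer">generated by cgit v0.11.2 at 2015-08-17 15:45:48 (GMT)</div>\n' \
    > "$SAMPLE_DIR/new.html"
printf '<h1>It works!</h1>\n' > "$SAMPLE_DIR/nofooter.html"
mkdir -p "$SAMPLE_DIR/cgit-0.11.2/git"
printf 'DEF_VER=v2.5.0\n' > "$SAMPLE_DIR/cgit-0.11.2/git/GIT-VERSION-GEN"

# On a real box: curl -s "$(cgit_url_from_conf /etc/httpd/conf/webapps.d/cgit.conf localhost)" > page.html
echo "test URL: $(cgit_url_from_conf "$SAMPLE_DIR/cgit.conf" localhost)"
check_cgit_update "$SAMPLE_DIR/old.html" 0.11.2 || true
check_cgit_update "$SAMPLE_DIR/new.html" 0.11.2
check_cgit_update "$SAMPLE_DIR/nofooter.html" 0.11.2 || echo "status $?: wrong URL?"
check_bundled_git "$SAMPLE_DIR/cgit-0.11.2" 2.5.0 && echo "bundled git is current"
```

The footer check is what the screenshots above do by eye; the GIT-VERSION-GEN check is the build-side counterpart, useful when the package changelog says the bundled git was bumped and you want to confirm it from the unpacked source rather than trust the version string.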
Works for me. Now we just need an advisory.
(In reply to David Walser from comment #12)
> Works for me. Now we just need an advisory.

Thanks David. I'll get the rest of 'em later today.
Whiteboard: MGA4TOO, MGA5-64-OK => MGA4TOO, MGA4-32-OK, MGA5-64-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.9.2-3.mga4.x86_64 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.9.2 at 2015-08-18 00:15:56 (GMT)

I'd say that confirms that cgit got installed and is working.

install cgit from updates_testing

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga4.x86_64 is already installed

Stop and restart cgit

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.11.2 at 2015-08-18 00:23:18 (GMT)

Confirms that cgit got updated and is working.
Whiteboard: MGA4TOO, MGA4-32-OK, MGA5-64-OK => MGA4TOO, MGA4-32-OK, MGA4-64-OK, MGA5-64-OK
In VirtualBox, M5, KDE, 32-bit

Package(s) under test: cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.10.2-4.mga5.i586 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.10.2 at 2015-08-18 00:43:45 (GMT)

Confirms that cgit got installed and is working.

install cgit from updates_testing

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga5.i586 is already installed

Stop and restart cgit

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.11.2 at 2015-08-18 00:49:30 (GMT)

Confirms that cgit got updated and is working.
Whiteboard: MGA4TOO, MGA4-32-OK, MGA4-64-OK, MGA5-64-OK => MGA4TOO, MGA4-32-OK, MGA4-64-OK, MGA5-32-OK, MGA5-64-OK
This update works fine.
Testing complete for MGA4 & MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_update; CC: (none) => sysadmin-bugs
lacks advisory
CC: (none) => tmb
Colin is away for a couple of weeks, so no chance to get an advisory from him I guess. David, should we list all security bugs fixed in the updated git, or just say that the update git fixes various security bugs without listing them?
(In reply to Rémi Verschelde from comment #18)
> Colin is away for a couple of weeks, so no chance to get an advisory from
> him I guess. David, should we list all security bugs fixed in the updated
> git, or just say that the update git fixes various security bugs without
> listing them?

The latter. We don't know which of the bugs are exposed through cgit anyway. If there's a changelog or release notes for the updated cgit, we should include that as a reference.
Advisory:
=========

Updated cgit packages fixes security vulnerability

cgit in Mageia 5 bundles git 2.0.1, the latter being subject to a minor security issue (CVE-2015-9390). The cgit package was updated to its latest upstream release, thus bringing the bundled git to the non-vulnerable version 2.3.2, which contains various bug fixes.

References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
- http://lists.zx2c4.com/pipermail/cgit/2015-March/002448.html
Actually the CVE is CVE-2014-9390, so I uploaded the advisory with the correct CVE number.
Whiteboard: MGA4TOO, MGA4-32-OK, MGA4-64-OK, MGA5-32-OK, MGA5-64-OK => MGA4TOO, MGA4-32-OK, MGA4-64-OK, MGA5-32-OK, MGA5-64-OK advisory
(In reply to Rémi Verschelde from comment #20)
> Advisory:
> =========
>
> Updated cgit packages fixes security vulnerability
>
> cgit in Mageia 5 bundles git 2.0.1, the latter being subject to a minor
> security issue (CVE-2015-9390). The cgit package was updated to its latest
> upstream release, thus bringing the bundled git to the non-vulnerable
> version 2.3.2, which contains various bug fixes.
>
> References:
> - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9390
> - http://lists.zx2c4.com/pipermail/cgit/2015-March/002448.html

Actually Colin added a patch from upstream to update the bundled git to 2.5.0. Otherwise, looks good.
(In reply to Rémi Verschelde from comment #21)
> Actually the CVE is CVE-2014-9390, so I uploaded the advisory with the
> correct CVE number.

Ahh, nice catch. Thanks.
(In reply to David Walser from comment #22)
> Actually Colin added a patch from upstream to update the bundled git to
> 2.5.0. Otherwise, looks good.

Thanks, I fixed the advisory.
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0325.html
Status: NEW => RESOLVED; Resolution: (none) => FIXED