Three CVEs have been assigned for security issues fixed in cgit 0.12:
http://openwall.com/lists/oss-security/2016/01/14/6

Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
I'm just going to update to cgit 0.12 unless anyone shouts otherwise.
OpenSuSE has issued an advisory for this today (January 22): http://lists.opensuse.org/opensuse-updates/2016-01/msg00067.html They also updated to 0.12, so that seems to be the best course of action.
Updated packages uploaded for Mageia 5 and Cauldron by Colin.

Advisory:
========================

Updated cgit package fixes security vulnerabilities:

Reflected Cross Site Scripting and Header Injection in Mimetype Query String in cgit before 0.12 (CVE-2016-1899).

Stored Cross Site Scripting and Header Injection in Filename Parameter in cgit before 0.12 (CVE-2016-1900).

Integer Overflow resulting in Buffer Overflow in cgit before 0.12 (CVE-2016-1901).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1900
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1901
http://lists.opensuse.org/opensuse-updates/2016-01/msg00067.html
========================

Updated packages in core/updates_testing:
========================
cgit-0.12-1.mga5

from cgit-0.12-1.mga5.src.rpm

Version: Cauldron => 5
CC: (none) => mageia
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO => (none)
URL: (none) => http://lwn.net/Vulnerabilities/673018/
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga5.i586 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.11.2 at 2016-02-02 17:26:08 (GMT)

I'd say that confirms that cgit got installed and is working.

install cgit from updates_testing
Reboot system

[root@localhost wilcal]# urpmi cgit
Package cgit-0.12-1.mga5.i586 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.12 at 2016-02-02 17:32:52 (GMT)

cgit got updated and is working.

CC: (none) => wilcal.int
Whiteboard: (none) => MGA5-32-OK

In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
cgit

default install of cgit

[root@localhost wilcal]# urpmi cgit
Package cgit-0.11.2-1.mga5.x86_64 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.11.2 at 2016-02-02 17:45:11 (GMT)

Confirms that cgit got installed and is working.

install cgit from updates_testing
Reboot system

[root@localhost wilcal]# urpmi cgit
Package cgit-0.12-1.mga5.x86_64 is already installed

http://localhost/cgit gets the following webpage:

cgit logo
Git repository browser
a fast webinterface for the git dscm
index
No repositories found
generated by cgit v0.12 at 2016-02-02 17:32:52 (GMT)

cgit got updated and is working.
Whiteboard: MGA5-32-OK => MGA5-32-OK MGA5-64-OK
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2016-0047.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED