Debian has issued an advisory on August 4:
Mageia 5 and Mageia 6 are also affected.
Assigning to all packagers collectively, since the registered maintainer for this package, Colin, is likely unavailable.
Also CC'ing cjw, who once rebuilt this package.
Fedora has issued an advisory for this today (August 14):
Cauldron fixed in: cgit-0.12-5.mga7
Fixed mga6 packages:
confirmed fix working on x86_64
Advisory, added to svn:
subject: Updated cgit packages fix security vulnerability
Jann Horn discovered a directory traversal vulnerability in cgit, a fast
web frontend for git repositories written in C. A remote attacker can take
advantage of this flaw to retrieve arbitrary files via a specially crafted
request, when 'enable-http-clone=1' (default) is not turned off.
Works on mga infra, and tested on 32bit vm...
An update for this issue has been pushed to the Mageia Updates repository.