Debian has issued an advisory on August 4: https://www.debian.org/security/2018/dsa-4263
Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since the registered maintainer for this package, Colin, is likely unavailable. Also CC'ing cjw, who once rebuilt this package.
CC: (none) => cjw, mageia, marja11
Assignee: bugsquad => pkg-bugs
Fedora has issued an advisory for this today (August 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AJGHSPWQTKGAQBXOKAFW5SB4TPIEFITP/
Cauldron fixed in: cgit-0.12-5.mga7

Fixed mga6 packages:
SRPM: cgit-0.12-3.1.mga6.src.rpm
i586: cgit-0.12-3.1.mga6.i586.rpm
x86_64: cgit-0.12-3.1.mga6.x86_64.rpm
Version: Cauldron => 6
Severity: normal => critical
Priority: Normal => High
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CC: (none) => tmb
Whiteboard: MGA6TOO => (none)
confirmed fix working on x86_64
Whiteboard: (none) => MGA6-64-OK
Advisory, added to svn:

type: security
subject: Updated cgit packages fix security vulnerability
CVE:
 - CVE-2018-14912
src:
  6:
   core:
     - cgit-0.12-3.1.mga6
description: |
  Jann Horn discovered a directory traversal vulnerability in cgit, a fast web
  frontend for git repositories written in C. A remote attacker can take
  advantage of this flaw to retrieve arbitrary files via a specially crafted
  request, when 'enable-http-clone=1' (default) is not turned off.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=23398
 - https://www.debian.org/security/2018/dsa-4263
Keywords: (none) => advisory
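The advisory above describes the defect only as a directory traversal reachable through the HTTP clone handler, with disabling enable-http-clone as the workaround. The following C snippet is an added illustration of the kind of check such a handler needs; it is not cgit's code and does not reproduce cgit's actual fix. The names repo_path_is_safe, clone_request, the enum values and the sample repository root and request strings are all hypothetical, constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical check (not cgit's own code): a web front end that serves
 * files out of a repository directory must never let a request component
 * climb above that directory.  Reject absolute paths, empty components
 * (leading, doubled or trailing '/'), and any "." or ".." component, so the
 * request can only name something below the repository root.  This looks
 * at the request string only; it does not follow or inspect symlinks. */
bool repo_path_is_safe(const char *path)
{
    if (path == NULL || *path == '\0' || *path == '/')
        return false;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)                                  /* "a//b" or "a/" */
            return false;
        if (len == 1 && p[0] == '.')                   /* "."  component */
            return false;
        if (len == 2 && p[0] == '.' && p[1] == '.')    /* ".." component */
            return false;
        if (!end)
            return true;
        p = end + 1;
    }
}

/* Outcome of a clone request as the front end would decide it. */
enum clone_result { CLONE_DISABLED, CLONE_BAD_PATH, CLONE_OK };

/* Hypothetical request handler: honour the enable-http-clone switch first,
 * then validate the request before joining it onto the repository root.
 * On CLONE_OK, out holds the path that would be served. */
enum clone_result clone_request(bool enable_http_clone, const char *repo_root,
                                const char *req, char *out, size_t outlen)
{
    if (!enable_http_clone)
        return CLONE_DISABLED;
    if (!repo_path_is_safe(req))
        return CLONE_BAD_PATH;
    int n = snprintf(out, outlen, "%s/%s", repo_root, req);
    if (n < 0 || (size_t)n >= outlen)      /* truncated: refuse, don't guess */
        return CLONE_BAD_PATH;
    return CLONE_OK;
}

int main(void)
{
    /* Constructed sample requests; "/srv/git/repo.git" is a made-up root. */
    const char *reqs[] = { "info/refs", "objects/ab/cdef", "../../etc/passwd",
                           "objects/../../x", "/etc/passwd", "objects/" };
    char buf[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        enum clone_result r = clone_request(true, "/srv/git/repo.git",
                                            reqs[i], buf, sizeof buf);
        printf("%-20s -> %s\n", reqs[i],
               r == CLONE_OK ? buf : (r == CLONE_BAD_PATH ? "rejected" : "disabled"));
    }
    return 0;
}
```

The check runs before the path is joined, so a rejected request never reaches the filesystem at all; with enable-http-clone off (the advisory's workaround) the handler returns before even looking at the request.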
Works on mga infra, and tested on 32bit vm... validating
Keywords: (none) => validated_update
Whiteboard: MGA6-64-OK => mga6-64-ok, mga6-32-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0351.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED