openSUSE has issued an advisory on October 5:
https://lists.opensuse.org/opensuse-updates/2018-10/msg00019.html

The issue is fixed upstream in 3.6.9.

Mageia 6 is also affected.
CC: (none) => ngompa13, shlomif
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Fedora has issued an advisory for this on September 21: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/
gitolite 3.6.10 uploaded in cauldron and mga6
Status: NEW => ASSIGNED
CC: (none) => bruno
Assignee: shlomif => qa-bugs
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Advisory:
========================

Updated gitolite package fixes security vulnerability:

Gitolite before 3.6.9 does not (in certain configurations involving @all or a regex) properly restrict access to a Git repository that is in the process of being migrated until the full set of migration steps has been completed. This can allow valid users to obtain unintended access (CVE-2018-16976).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16976
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FW77TT3SZUDFVK3UYO6WNT7GFUHWXDUO/
========================

Updated packages in core/updates_testing:
========================
gitolite-3.6.10-1.mga6

from gitolite-3.6.10-1.mga6.src.rpm
Severity: normal => major
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Found http://www.bigfastblog.com/gitolite-installation-step-by-step to try to setup gitolite in the laptop itself.
This implies skipping all steps of clone and install commands so at CLI at gitolite user:

$ ssh-keygen -t rsa -f gitolitekey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in gitolitekey.
Your public key has been saved in gitolitekey.pub.
etc.....

$ gitolite setup -pk gitolitekey.pub
Initialized empty Git repository in /var/lib/gitolite/repositories/gitolite-admin.git/
Initialized empty Git repository in /var/lib/gitolite/repositories/testing.git/

I did not venture any further than checking all files are there AFAICS, I am far from fluent at git.
Just tried three other commands

$ gitolite list-users
@all
gitolitekey

$ gitolite list-repos
gitolite-admin
testing

$ gitolite query-rc -a
ACCESS_1=ARRAY(0x86cb248)
COMMAND=ARRAY(0x86e33a0)
COMMANDS=HASH(0x86c10a0)
ENABLE=ARRAY(0x86c1830)
GIT_CONFIG_KEYS=
GL_ADMIN_BASE=/var/lib/gitolite/.gitolite
GL_BINDIR=/usr/share/gitolite
GL_LIBDIR=/usr/share/gitolite/lib
GL_LOGFILE=/var/lib/gitolite/.gitolite/logs/gitolite-2018-10.log
GL_REPO_BASE=/var/lib/gitolite/repositories
GL_TID=394
LOG_EXTRA=1
LOG_TEMPLATE=/var/lib/gitolite/.gitolite/logs/gitolite-%y-%m.log
POST_COMPILE=ARRAY(0x86e3320)
POST_CREATE=ARRAY(0x86e3350)
ROLES=HASH(0x86c16a0)
UMASK=63

All looks reasonable to me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0434.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED