Bug 24843 - cgit new DoS security issue
Summary: cgit new DoS security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-05-20 04:06 CEST by David Walser
Modified: 2019-07-02 19:06 CEST (History)
CC: 2 users

See Also:
Source RPM: cgit-1.2.1-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2019-05-20 04:06:21 CEST
A security issue was reported in cgit, with an upstream response here:
https://www.openwall.com/lists/oss-security/2019/05/19/3

It says to expect a patch tomorrow.
Comment 1 Thomas Backlund 2019-05-20 23:10:26 CEST
Fixed in Cauldron in cgit 1.2.1-4


Packages for Mga6:

SRPMS:
cgit-0.12-3.2.mga6.src.rpm

i586:
cgit-0.12-3.2.mga6.i586.rpm

x86_64:
cgit-0.12-3.2.mga6.x86_64.rpm

The fixed package is also installed on the Mageia gitweb host.

CC: (none) => tmb
Version: Cauldron => 6
Assignee: bugsquad => qa-bugs

Thomas Backlund 2019-06-21 02:50:29 CEST

Whiteboard: (none) => MGA6-64-OK

Comment 2 Thomas Backlund 2019-07-02 17:17:59 CEST
Validating since it's been running for over a month on Mageia infra.


Advisory:
type: security
subject: Updated cgit packages fix security vulnerability
src:
  6:
   core:
     - cgit-0.12-3.2.mga6
description: |
  A specially crafted URL can potentially cause cgit to excessively use
  CPU and network resources, resulting in a Denial-of-Service.

  This update resolves that issue.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24843

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 3 Mageia Robot 2019-07-02 19:06:56 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0203.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED