ESB-2018.2258 - [UNIX/Linux][Debian] cgit: Access confidential data - Remote/unauthenticated 2018-08-06



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2258
                           cgit security update
                               6 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           cgit
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14912  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4263

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running cgit check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------


- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4263-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
August 04, 2018                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : cgit
CVE ID         : CVE-2018-14912
Debian Bug     : 905382

Jann Horn discovered a directory traversal vulnerability in cgit, a fast
web frontend for git repositories written in C. A remote attacker can
take advantage of this flaw to retrieve arbitrary files via a specially
crafted request when the http-clone feature is enabled
('enable-http-clone=1', which is the default).
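As an added defensive illustration (not code from cgit, Debian or the advisory), the script below checks a cgitrc for the 'enable-http-clone' setting with the default of 1 stated above, and flags access-log requests that combine a cgit clone endpoint with a '..' path segment after URL-decoding. It assumes cgit's dumb-HTTP clone paths are <repo>/info/refs, <repo>/HEAD and <repo>/objects/..., combined-format access logs, and that a crafted request carries '..' segments; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Assumption (not from the advisory): cgit's dumb-HTTP clone endpoints.
CLONE_PATH_RE = re.compile(r"/(?:info/refs|HEAD|objects/)")
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Aug/2018:10:00:01 +0000] "GET /cgit/myrepo.git/info/refs?service=git-upload-pack HTTP/1.1" 200 512
203.0.113.5 - - [04/Aug/2018:10:00:02 +0000] "GET /cgit/myrepo.git/objects/ab/cdef0123 HTTP/1.1" 200 1024
198.51.100.7 - - [04/Aug/2018:10:00:03 +0000] "GET /cgit/myrepo.git/objects/../../../../etc/passwd HTTP/1.1" 200 1800
198.51.100.7 - - [04/Aug/2018:10:00:04 +0000] "GET /cgit/myrepo.git/objects/%2e%2e/%2e%2e/secrets HTTP/1.1" 404 200
192.0.2.9 - - [04/Aug/2018:10:00:05 +0000] "GET /cgit/myrepo.git/about/ HTTP/1.1" 200 3000
"""


def has_traversal(path: str) -> bool:
    """True if any path segment is '..' after repeated URL-decoding.

    Decoding up to three times also catches double-encoded forms such
    as %252e. The query string is dropped: cgit serves files by path.
    """
    path = path.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return any(seg == ".." for seg in path.split("/"))


def flag_clone_traversal(log_text: str) -> list:
    """Return (client_ip, path, status) for traversal-looking requests
    aimed at a cgit clone endpoint. A 200 status deserves priority."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path, status = m.group(1), m.group(2)
        if CLONE_PATH_RE.search(path) and has_traversal(path):
            hits.append((line.split()[0], path, status))
    return hits


def http_clone_enabled(cgitrc_text: str) -> bool:
    """Effective enable-http-clone value; the advisory states default 1.
    The last uncommented assignment wins, as in a cgitrc."""
    value = "1"
    for raw in cgitrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("enable-http-clone="):
            value = line.split("=", 1)[1].strip()
    return value != "0"
```

Setting 'enable-http-clone=0' only removes the exposed code path; the package upgrade named in this advisory is the fix.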

For the stable distribution (stretch), this problem has been fixed in
version 1.1+git2.10.2-3+deb9u1.

We recommend that you upgrade your cgit packages.

For the detailed security status of cgit please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/cgit

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
