Your message dated Tue, 14 Aug 2018 11:34:35 +0000
with message-id <e1fpxat-0004mq...@fasolo.debian.org>
and subject line Bug#905382: fixed in cgit 1.1+git2.10.2-3.1
has caused the Debian Bug report #905382,
regarding cgit: CVE-2018-14912: directory traversal vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
905382: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=905382
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cgit
Version: 1.1+git2.10.2-3
Severity: grave
Tags: patch security upstream
Hi,
The following vulnerability was published for cgit.
CVE-2018-14912[0]:
| cgit_clone_objects in CGit before 1.2.1 has a directory traversal
| vulnerability when `enable-http-clone=1` is not turned off, as
| demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-14912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14912
[1] https://bugs.chromium.org/p/project-zero/issues/detail?id=1627
[2] https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html
[3] https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680
Regards,
Salvatore
--- End Message ---
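The quoted CVE text describes a `path` query parameter that the clone handler appended to the repository's `objects/` directory without rejecting `..` components. The following is an added example, not cgit's own code nor its fix commit, of the two-layer input check a defender would want on such a handler: reject any traversal component, then admit only the file names git actually keeps under `objects/` (function names are hypothetical; the accepted layout is assumed from git's on-disk object store).

```c
/* Added example, not cgit's own code: validate the "path" query parameter a
 * dumb-HTTP clone handler appends to <repo>/objects/ before opening a file.
 * Layer 1 rejects traversal components; layer 2 admits only the file names
 * git keeps under objects/, so a request such as "?path=../" never reaches
 * the filesystem. */
#include <ctype.h>
#include <string.h>

/* 1 if s[0..n) holds exactly n lowercase hex digits (a '\0' fails early). */
static int is_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char)s[i]) || isupper((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Layer 1 (denylist): absolute paths and empty, "." or ".." components are
 * traversal attempts; catches "../", "x/../../y", "//" and a trailing "/". */
int path_has_traversal(const char *path)
{
    if (!path || !*path || *path == '/')
        return 1;
    for (const char *p = path, *slash;; p = slash + 1) {
        slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.') ||
            (len == 2 && p[0] == '.' && p[1] == '.'))
            return 1;
        if (!slash)
            return 0;
    }
}

/* Layer 2 (allowlist): admit only the shapes git writes into objects/:
 *   xx/<38 hex>                   loose object
 *   pack/pack-<40 hex>.pack|.idx  packfile and its index
 *   info/packs                    pack list a dumb client fetches first */
int objects_path_allowed(const char *path)
{
    if (path_has_traversal(path))
        return 0;
    if (strlen(path) == 41 && path[2] == '/' &&
        is_hex(path, 2) && is_hex(path + 3, 38))
        return 1;
    if (!strncmp(path, "pack/pack-", 10) && is_hex(path + 10, 40)) {
        const char *ext = path + 50;
        return !strcmp(ext, ".pack") || !strcmp(ext, ".idx");
    }
    return !strcmp(path, "info/packs");
}
```

The allowlist layer is what makes the check robust: even if a new traversal spelling slipped past layer 1, nothing outside the three known object-store shapes is ever served.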
--- Begin Message ---
Source: cgit
Source-Version: 1.1+git2.10.2-3.1
We believe that the bug you reported is fixed in the latest version of
cgit, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 905...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated cgit package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 04 Aug 2018 12:27:48 +0200
Source: cgit
Binary: cgit
Architecture: source
Version: 1.1+git2.10.2-3.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Cgit Packaging Team <pkg-cgit-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Description:
cgit - hyperfast web frontend for git repositories written in C
Closes: 905382
Changes:
cgit (1.1+git2.10.2-3.1) unstable; urgency=medium
.
* Non-maintainer upload.
* clone: fix directory traversal (CVE-2018-14912) (Closes: #905382)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---