group.of.nepali.translators team mailing list archive

[Bug 1787021] Re: Directory traversal vulnerability

 

** Changed in: cgit (Ubuntu)
       Status: New => In Progress

** Also affects: cgit (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: cgit (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: cgit (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: cgit (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: cgit (Ubuntu Bionic)
     Assignee: (unassigned) => Steve Beattie (sbeattie)

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1787021

Title:
  Directory traversal vulnerability

Status in cgit package in Ubuntu:
  Fix Released
Status in cgit source package in Xenial:
  New
Status in cgit source package in Bionic:
  In Progress

Bug description:
  Howdy,

  The CVE says: "cgit_clone_objects in CGit before 1.2.1 has a directory
  traversal vulnerability when `enable-http-clone=1` is not turned off,
  as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request."

  This has been fixed upstream with
  https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680

  This was fixed in Debian unstable:
  https://tracker.debian.org/news/979737/accepted-cgit-11git2102-31-source-into-unstable/

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cgit/+bug/1787021/+subscriptions