group.of.nepali.translators team mailing list archive
Message #25521
[Bug 1787021] Re: Directory traversal vulnerability
This bug was fixed in the package cgit - 1.1+git2.10.2-3ubuntu0.1
---------------
cgit (1.1+git2.10.2-3ubuntu0.1) bionic-security; urgency=high
* SECURITY UPDATE: Directory traversal vulnerability.
- d/p/clone-fix-directory-traversal.patch:
This fixes a directory traversal vulnerability in CGit
before 1.2.1 when `enable-http-clone=1` is not turned off,
as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request.
- CVE-2018-14912 (LP: #1787021)
-- Unit 193 <unit193@xxxxxxxxxx> Tue, 14 Aug 2018 15:57:15 -0400
** Changed in: cgit (Ubuntu Bionic)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1787021
Title:
Directory traversal vulnerability
Status in cgit package in Ubuntu:
Fix Released
Status in cgit source package in Xenial:
New
Status in cgit source package in Bionic:
Fix Released
Bug description:
Howdy,
The CVE says: "cgit_clone_objects in CGit before 1.2.1 has a directory
traversal vulnerability when `enable-http-clone=1` is not turned off,
as demonstrated by a cgit/cgit.cgi/git/objects/?path=../ request."
This has been fixed upstream with
https://git.zx2c4.com/cgit/commit/?id=53efaf30b50f095cad8c160488c74bba3e3b2680
This was fixed in Debian unstable:
https://tracker.debian.org/news/979737/accepted-cgit-11git2102-31-source-into-unstable/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cgit/+bug/1787021/+subscriptions