| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [MAINTAINER] devel/gitolite: update to 3.1,1 | | |
| Product | Ports & Packages | Reporter | Jonathan Chu <milki> |
| Component | Individual Port(s) | Assignee | Steve Wills <swills> |
| Status | Closed FIXED | | |
| Severity | Affects Only Me | CC | tdb |
| Priority | Normal | | |
| Version | Latest | | |
| Hardware | Any | | |
| OS | Any | | |
| Attachments | (none) | | |
Description
Jonathan Chu
2012-10-10 08:00:00 UTC
Responsible Changed From-To: freebsd-ports-bugs->swills
swills@ wants his PRs (via the GNATS Auto Assign Tool)

On 10 October 2012 02:52, milki <milki@rescomp.berkeley.edu> wrote:
>
>>Number: 172565
>>Category: ports
>>Synopsis: [MAINTAINER] devel/gitolite: update to 3.1,1
>>Confidential: no
>>Severity: non-critical
>>Priority: low
>>Responsible: freebsd-ports-bugs
>>State: open
>>Quarter:
>>Keywords:
>>Date-Required:
>>Class: maintainer-update
>>Submitter-Id: current-users
>>Arrival-Date: Wed Oct 10 07:00:00 UTC 2012
>>Closed-Date:
>>Last-Modified:
>>Originator: milki
>>Release: FreeBSD 8.3-RELEASE-p3 amd64
>>Organization:
> cibo
>>Environment:
> System: FreeBSD cibo.ircmylife.com 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012
>>Description:
> - Update to 3.1,1
>
> Changes:
> https://github.com/sitaramc/gitolite/compare/v3.04...v3.1
> https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG
>
> tdb: Please host the distfile
>
> 3.01-3.04 path traversal vulnerability advisory
> eadler has submitted a CVE-ID request
>
> Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>>How-To-Repeat:
>>Fix:
>
> --- gitolite-3.1,1.patch begins here --- > diff -ruN --exclude=CVS /usr/ports/devel/gitolite/Makefile ./Makefile > --- /usr/ports/devel/gitolite/Makefile 2012-08-05 12:36:46.000000000 -0700 > +++ ./Makefile 2012-10-09 23:48:12.000000000 -0700 > @@ -6,7 +6,8 @@ > # > > PORTNAME= gitolite > -PORTVERSION= 3.04 > +PORTVERSION= 3.1 > +PORTEPOCH= 1 > CATEGORIES= devel > MASTER_SITES= http://milki.github.com/${PORTNAME}/ \ > LOCAL/tdb > diff -ruN --exclude=CVS /usr/ports/devel/gitolite/distinfo ./distinfo > --- /usr/ports/devel/gitolite/distinfo 2012-08-05 12:36:46.000000000 -0700 > +++ ./distinfo 2012-10-09 21:17:59.000000000 -0700 
> @@ -1,2 +1,2 @@ > -SHA256 (gitolite-3.04.tar.gz) = 900dd144ddfa88cc21fadfef7652799ead78c1be52304506994307c448e6b618 > -SIZE (gitolite-3.04.tar.gz) = 114010 > +SHA256 (gitolite-3.1.tar.gz) = 36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04 > +SIZE (gitolite-3.1.tar.gz) = 119322 > diff -ruN --exclude=CVS /usr/ports/devel/gitolite/pkg-plist ./pkg-plist > --- /usr/ports/devel/gitolite/pkg-plist 2012-08-05 12:36:46.000000000 -0700 > +++ ./pkg-plist 2012-10-09 21:27:01.000000000 -0700 > @@ -19,6 +19,7 @@ > %%SITE_PERL%%/Gitolite/Triggers/RepoUmask.pm > %%SITE_PERL%%/Gitolite/Triggers/Shell.pm > %%SITE_PERL%%/Gitolite/Triggers/Writable.pm > +%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm > libexec/gitolite/VERSION > libexec/gitolite/VREF/COUNT > libexec/gitolite/VREF/EMAIL-CHECK > @@ -28,6 +29,8 @@ > libexec/gitolite/VREF/VOTES > libexec/gitolite/VREF/lock > libexec/gitolite/VREF/partial-copy > +libexec/gitolite/VREF/refex-expr > +libexec/gitolite/check-g2-compat > libexec/gitolite/commands/D > libexec/gitolite/commands/access > libexec/gitolite/commands/creator 
> @@ -43,26 +46,28 @@ > libexec/gitolite/commands/perms > libexec/gitolite/commands/print-default-rc > libexec/gitolite/commands/push > +libexec/gitolite/commands/rsync > libexec/gitolite/commands/sshkeys-lint > libexec/gitolite/commands/sskm > libexec/gitolite/commands/sudo > libexec/gitolite/commands/svnserve > libexec/gitolite/commands/symbolic-ref > +libexec/gitolite/commands/who-pushed > libexec/gitolite/commands/writable > -libexec/gitolite/check-g2-compat > libexec/gitolite/convert-gitosis-conf > libexec/gitolite/gitolite > libexec/gitolite/gitolite-shell > libexec/gitolite/syntactic-sugar/continuation-lines > libexec/gitolite/syntactic-sugar/keysubdirs-as-groups > libexec/gitolite/triggers/partial-copy > -libexec/gitolite/triggers/upstream > libexec/gitolite/triggers/post-compile/ssh-authkeys > libexec/gitolite/triggers/post-compile/ssh-authkeys-shell-users > +libexec/gitolite/triggers/post-compile/update-description-file > libexec/gitolite/triggers/post-compile/update-git-configs > libexec/gitolite/triggers/post-compile/update-git-daemon-access-list > libexec/gitolite/triggers/post-compile/update-gitweb-access-list > libexec/gitolite/triggers/renice > +libexec/gitolite/triggers/upstream > @dirrm %%SITE_PERL%%/Gitolite/Conf > @dirrm %%SITE_PERL%%/Gitolite/Hooks > @dirrm %%SITE_PERL%%/Gitolite/Test > --- gitolite-3.1,1.patch ends here --- > --- vuxml.patch begins here --- > diff -ruN --exclude=CVS /usr/ports/devel/gitolite/vuxml.patch ./vuxml.patch > --- /usr/ports/devel/gitolite/vuxml.patch 1969-12-31 16:00:00.000000000 -0800 > +++ ./vuxml.patch 2012-10-09 23:47:39.000000000 -0700 
> @@ -0,0 +1,44 @@ > +Index: vuln.xml > +=================================================================== > +--- vuln.xml (revision 305628) > ++++ vuln.xml (working copy) > +@@ -51,6 +51,39 @@ > + > + --> > + <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> > ++ <vuln vid="f94befcd-1289-11e2-a25e-525400272390"> > ++ <topic>gitolite - path traversal vulnerability</topic> > ++ <affects> > ++ <package> > ++ <name>gitolite</name> > ++ <range><ge>3.01</ge><le>3.04</le></range> > ++ </package> > ++ </affects> > ++ <description> > ++ <body xmlns="http://www.w3.org/1999/xhtml"> > ++ <p>Sitaram Chamarty reports:</p> > ++ <blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion"> > ++ <p>I'm sorry to say there is a potential path traversal vulnerability in > ++ v3. Thanks to Stephane Chazelas for finding it and alerting me.</p> > ++ <p>Can it affect you? This can only affect you if you are using wild > ++ card repos, *and* at least one of your patterns allows the string > ++ "../" to match multiple times.</p> > ++ <p>How badly can it affect you? A malicious user who *also* has the > ++ ability to create arbitrary files in, say, /tmp (e.g., he has his own > ++ userid on the same box), can compromise the entire "git" user. 
> ++ Otherwise the worst he can do is create arbitrary repos in /tmp.</p> > ++ </blockquote> > ++ </body> > ++ </description> > ++ <references> > ++ <mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w@mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist> > ++ </references> > ++ <dates> > ++ <discovery>2012-10-09</discovery> > ++ <entry>2012-10-10</entry> > ++ </dates> > ++ </vuln> > ++ > + <vuln vid="e6161b65-1187-11e2-afe3-00262d5ed8ee"> > + <topic>chromium -- multiple vulnerabilities</topic> > + <affects>

VuXML is correct, the chromium parts shouldn't change though ;)
Since 'milki' submitted the PR the issue has gotten a CVE, so please add <cvename>CVE-2012-4506</cvename> above the mlist.

-- 
Eitan Adler

State Changed From-To: open->closed
Committed. Thanks!
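Review bot: in the Makefile hunk (@@ -6,7 +6,8 @@), the new `+PORTEPOCH= 1` is required rather than cosmetic, and the reason should be recorded in the Makefile header or the commit log: pkg compares version components numerically, so 3.1 sorts below 3.04 and a package built without the epoch would never be offered as an upgrade from 3.04, which matters here because this update is also the fix for the path traversal issue. Once set, PORTEPOCH can only ever increase, so please state in the header comment that it must not be dropped even when a later upstream version would again sort above 3.04 on its own.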
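Review bot: in the distinfo hunk (@@ -1,2 +1,2 @@), the new SHA256 and SIZE for gitolite-3.1.tar.gz are the only integrity check on the distfile, since the first MASTER_SITES entry (`http://milki.github.com/${PORTNAME}/`) is plain http and the second is a maintainer-requested rehost ("tdb: Please host the distfile"); before committing, please confirm that `36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04` was computed from a tarball of the upstream v3.1 tag linked in the description, not from the rehosted copy, so the hash anchors to upstream rather than to the mirror it was fetched from.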
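Review bot: in the first pkg-plist hunk (@@ -19,6 +19,7 @@), `+%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm` is appended after Writable.pm, which breaks the sorted order the rest of the plist keeps; it belongs before RepoUmask.pm. The later hunks already move `check-g2-compat` and `triggers/upstream` to their sorted positions, so please do the same here and keep the whole file sorted.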
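Review bot: the vuxml.patch hunk (@@ -51,6 +51,39 @@) carries no `<cvename>`; since CVE-2012-4506 has been assigned, add `<cvename>CVE-2012-4506</cvename>` inside `<references>` above the `<mlist>` entry. Note also that `<range><ge>3.01</ge><le>3.04</le></range>` only excludes the fixed package because the Makefile hunk sets PORTEPOCH= 1: installed as 3.1,1 the package sorts above 3.04, whereas a plain 3.1 would sort below 3.04 and be reported as vulnerable. Writing the upper bound as `<lt>3.1,1</lt>`, the usual VuXML form, makes that dependency on the epoch explicit.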