Debian Security Advisory
DSA-4263-1 cgit -- security update
- Date Reported: 04 Aug 2018
- Affected Packages:
- Security database references: In the Debian bugtracking system: Bug 905382. In Mitre's CVE dictionary: CVE-2018-14912.
- More information:
Jann Horn discovered a directory traversal vulnerability in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of this flaw to retrieve arbitrary files via a specially crafted request, when 'enable-http-clone=1' (default) is not turned off.
For the stable distribution (stretch), this problem has been fixed in version 1.1+git2.10.2-3+deb9u1.
We recommend that you upgrade your cgit packages.
For the detailed security status of cgit please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cgit
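
A host-side check for the two conditions named above, the fixed stretch package version and the `enable-http-clone` setting, written as an added example (not part of the advisory or of cgit). It assumes the configuration lives at `/etc/cgitrc` and that the last assignment in the file is the effective one, and it does not follow `include=` directives; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check a Debian stretch host against DSA-4263-1.
FIXED_VERSION='1.1+git2.10.2-3+deb9u1'   # fixed version stated in the advisory

# Print the effective enable-http-clone value from a cgitrc file.
# The advisory states the default is 1, so a missing file or a missing key
# yields 1. The last assignment in the file is taken as effective
# (assumption); include= directives are not followed.
http_clone_setting() {
    if [ ! -r "$1" ]; then
        echo 1
        return 0
    fi
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*enable-http-clone[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)          # keep the text after the first "="
            sub(/[ \t\r]+$/, "", v)              # drop trailing whitespace
            val = v; seen = 1
        }
        END { if (seen) print val; else print 1 }
    ' "$1"
}

# Return 0 when HTTP clone is active. Conservatively, anything other than a
# literal 0 counts as enabled.
http_clone_enabled() {
    [ "$(http_clone_setting "$1")" != "0" ]
}

# Return 0 when the installed cgit package is at or above the fixed version.
cgit_is_fixed() {
    installed=$(dpkg-query -W -f='${Version}' cgit 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$FIXED_VERSION"
}

# Report only when invoked as: sh check.sh --check [cgitrc path]
if [ "${1:-}" = "--check" ]; then
    rc="${2:-/etc/cgitrc}"                      # assumed default config path
    if cgit_is_fixed; then echo "cgit package: fixed"
    else echo "cgit package: upgrade needed or not installed"; fi
    if http_clone_enabled "$rc"; then echo "enable-http-clone: on ($rc)"
    else echo "enable-http-clone: off ($rc)"; fi
fi
```

A host that reports the package as fixed needs no further action for this advisory; the `enable-http-clone` result shows whether the affected feature is exposed on a host that has not yet been upgraded.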