Security Information / 2018 / Security Information -- DSA-4263-1 cgit

Debian Security Advisory

DSA-4263-1 cgit -- security update

Date Reported:

04 Aug 2018

Affected Packages:

cgit

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 905382.
In Mitre's CVE dictionary: CVE-2018-14912.

More information:

Jann Horn discovered a directory traversal vulnerability in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of this flaw to retrieve arbitrary files via a specially crafted request, when 'enable-http-clone=1' (default) is not turned off.

For the stable distribution (stretch), this problem has been fixed in version 1.1+git2.10.2-3+deb9u1.

We recommend that you upgrade your cgit packages.

For the detailed security status of cgit please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cgit