Debian Security Advisory

DSA-4263-1 cgit -- security update

Date Reported:
04 Aug 2018
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 905382.
In Mitre's CVE dictionary: CVE-2018-14912.
More information:

Jann Horn discovered a directory traversal vulnerability in cgit, a fast web frontend for git repositories written in C. A remote attacker can take advantage of this flaw to retrieve arbitrary files via a specially crafted request, when 'enable-http-clone=1' (default) is not turned off.

For the stable distribution (stretch), this problem has been fixed in version 1.1+git2.10.2-3+deb9u1.

We recommend that you upgrade your cgit packages.

For the detailed security status of cgit please refer to its security tracker page at: