Date: Sat, 22 Jul 2017 19:04:35 +0200
From: Patrick Uiterwijk <puiterwijk@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: pagure: private repositories accessible through ssh

On Sat, Jul 22, 2017 at 2:20 PM, Stefan Bühler <stbuehler@...httpd.net> wrote:
> Hi,
>
> pagure , a git-centered forge, supports private repositories :
>
>> PRIVATE_PROJECTS
>> ~~~~~~~~~~~~~~~~
>>
>> This configuration key allows you to host private repositories. These
>> repositories are visible only to the creator of the repository and to
>> the users who are given access to the repository. No information is
>> leaked about the private repository which means redis doesn't have the
>> access to the repository and even fedmsg doesn't get any
>> notifications.
>>
>> Defaults to: ``False``
>
> But the gitolite config, which is used to configure SSH-access, allows
> "@..." users to access all repositories - private or not.
>
> I proposed the attached patch upstream in .

This issue has been assigned CVE-2017-1002151.

> After patching you should ensure gitolite.conf gets regenerated from
> scratch.
>
> cheers,
> Stefan
>
> : https://pagure.io/pagure
> : https://pagure.io/pagure/blob/master/f/doc/configuration.rst
> : https://pagure.io/pagure/pull-request/2426

Patrick
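The class of bug described above, as an added illustration that is not pagure's code or the upstream patch: a tiny gitolite.conf generator that emits a catch-all read rule for every repository (the leak), the corrected generator that emits it only for public repositories, and a check to run over a regenerated gitolite.conf. The project records and the group name `@everyone` are constructed for the example.

```python
# Added example, not pagure's own code. The project dicts and the
# hypothetical "@everyone" group (all forge users) are constructed.

PROJECTS = [  # constructed sample data
    {"name": "public-tool", "private": False, "owner": "alice", "users": ["bob"]},
    {"name": "secret-app", "private": True, "owner": "carol", "users": ["dave"]},
]

CATCHALL_GROUP = "@everyone"  # hypothetical group covering all forge users

def gitolite_conf_broken(projects):
    """Buggy behaviour: every repo, private or not, gets a read rule for the
    catch-all group, so any SSH user can clone private repositories."""
    lines = []
    for p in projects:
        lines.append(f"repo {p['name']}")
        lines.append(f"  RW+ = {p['owner']}")
        for u in p["users"]:
            lines.append(f"  RW  = {u}")
        lines.append(f"  R   = {CATCHALL_GROUP}")  # the leak
        lines.append("")
    return "\n".join(lines)

def gitolite_conf_fixed(projects):
    """Fixed behaviour: the catch-all rule is emitted only for public repos;
    a private repo lists its owner and explicitly granted users, nothing else."""
    lines = []
    for p in projects:
        lines.append(f"repo {p['name']}")
        lines.append(f"  RW+ = {p['owner']}")
        for u in p["users"]:
            lines.append(f"  RW  = {u}")
        if not p["private"]:
            lines.append(f"  R   = {CATCHALL_GROUP}")
        lines.append("")
    return "\n".join(lines)

def private_repos_with_group_access(conf, projects):
    """Check after regenerating gitolite.conf: names of private repos whose
    stanza grants access to any @group (which would include every member)."""
    private = {p["name"] for p in projects if p["private"]}
    leaked, current = [], None
    for line in conf.splitlines():
        if line.startswith("repo "):
            current = line.split(None, 1)[1].strip()
        elif current in private and "=" in line and "@" in line.split("=", 1)[1]:
            leaked.append(current)
    return sorted(set(leaked))
```

Running the check against a freshly regenerated gitolite.conf (rather than one patched in place) is what the post's advice to regenerate from scratch guards against: stale stanzas keep the old catch-all rule.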