Date: Sat, 22 Jul 2017 19:04:35 +0200
From: Patrick Uiterwijk <puiterwijk@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: pagure: private repositories accessible through ssh

On Sat, Jul 22, 2017 at 2:20 PM, Stefan Bühler <stbuehler@...httpd.net> wrote:
> Hi,
>
> pagure [1], a git-centered forge, supports private repositories [2]:
>
>> PRIVATE_PROJECTS
>> ~~~~~~~~~~~~~~~~
>>
>> This configuration key allows you to host private repositories. These
>> repositories are visible only to the creator of the repository and to
>> the users who are given access to the repository. No information is
>> leaked about the private repository, which means redis doesn't have
>> access to the repository and even fedmsg doesn't get any
>> notifications.
>>
>> Defaults to: ``False``
>
> But the gitolite config, which is used to configure SSH-access, allows
> "@..." users to access all repositories - private or not.
>
> I proposed the attached patch upstream in [3].

This issue has been assigned CVE-2017-1002151.

>
> After patching you should ensure gitolite.conf gets regenerated from
> scratch.
>
> cheers,
> Stefan
>
> [1]: https://pagure.io/pagure
> [2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
> [3]: https://pagure.io/pagure/pull-request/2426

Patrick
