[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 22 Jul 2017 19:04:35 +0200
From: Patrick Uiterwijk <puiterwijk@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: pagure: private repositories accessible through ssh
On Sat, Jul 22, 2017 at 2:20 PM, Stefan Bühler <stbuehler@...httpd.net> wrote:
> Hi,
>
> pagure [1], a git-centered forge, supports private repositories [2]:
>
>> PRIVATE_PROJECTS
>> ~~~~~~~~~~~~~~~~
>>
>> This configuration key allows you to host private repositories. These
>> repositories are visible only to the creator of the repository and to
>> the users who are given access to the repository. No information is
>> leaked about the private repository which means redis doesn't have the
>> access to the repository and even fedmsg doesn't get any
>> notifications.
>>
>> Defaults to: ``False``
>
> But the gitolite config, which is used to configure SSH-access, allows
> "@all" users to access all repositories - private or not.
>
> I proposed the attached patch upstream in [3].
This issue has been assigned CVE-2017-1002151.
>
> After patching you should ensure gitolite.conf gets regenerated from
> scratch.
>
> cheers,
> Stefan
>
> [1]: https://pagure.io/pagure
> [2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst
> [3]: https://pagure.io/pagure/pull-request/2426
Patrick
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
