Date: Tue, 9 Oct 2012 23:52:31 -0700 (PDT)
From: milki <milki@rescomp.berkeley.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: tdb@FreeBSD.org
Subject: ports/172565: [MAINTAINER] devel/gitolite: update to 3.1,1
Message-ID: <201210100652.q9A6qV7a084716@cibo.ircmylife.com>
Resent-Message-ID: <201210100700.q9A700qi030644@freefall.freebsd.org>
>Number: 172565 >Category: ports >Synopsis: [MAINTAINER] devel/gitolite: update to 3.1,1 >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Wed Oct 10 07:00:00 UTC 2012 >Closed-Date: >Last-Modified: >Originator: milki >Release: FreeBSD 8.3-RELEASE-p3 amd64 >Organization: cibo >Environment: System: FreeBSD cibo.ircmylife.com 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012 >Description: - Update to 3.1,1 Changes: https://github.com/sitaramc/gitolite/compare/v3.04...v3.1 https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG tdb: Please host the distfile 3.01-3.04 path traversal vulnerability advisory eadler has submitted a CVE-ID request Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports) >How-To-Repeat: >Fix: --- gitolite-3.1,1.patch begins here --- diff -ruN --exclude=CVS /usr/ports/devel/gitolite/Makefile ./Makefile --- /usr/ports/devel/gitolite/Makefile 2012-08-05 12:36:46.000000000 -0700 +++ ./Makefile 2012-10-09 23:48:12.000000000 -0700 @@ -6,7 +6,8 @@ # PORTNAME= gitolite -PORTVERSION= 3.04 +PORTVERSION= 3.1 +PORTEPOCH= 1 CATEGORIES= devel MASTER_SITES= http://milki.github.com/${PORTNAME}/ \ LOCAL/tdb diff -ruN --exclude=CVS /usr/ports/devel/gitolite/distinfo ./distinfo --- /usr/ports/devel/gitolite/distinfo 2012-08-05 12:36:46.000000000 -0700 +++ ./distinfo 2012-10-09 21:17:59.000000000 -0700 
@@ -1,2 +1,2 @@ -SHA256 (gitolite-3.04.tar.gz) = 900dd144ddfa88cc21fadfef7652799ead78c1be52304506994307c448e6b618 -SIZE (gitolite-3.04.tar.gz) = 114010 +SHA256 (gitolite-3.1.tar.gz) = 36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04 +SIZE (gitolite-3.1.tar.gz) = 119322 diff -ruN --exclude=CVS /usr/ports/devel/gitolite/pkg-plist ./pkg-plist --- /usr/ports/devel/gitolite/pkg-plist 2012-08-05 12:36:46.000000000 -0700 +++ ./pkg-plist 2012-10-09 21:27:01.000000000 -0700 @@ -19,6 +19,7 @@ %%SITE_PERL%%/Gitolite/Triggers/RepoUmask.pm %%SITE_PERL%%/Gitolite/Triggers/Shell.pm %%SITE_PERL%%/Gitolite/Triggers/Writable.pm +%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm libexec/gitolite/VERSION libexec/gitolite/VREF/COUNT libexec/gitolite/VREF/EMAIL-CHECK @@ -28,6 +29,8 @@ libexec/gitolite/VREF/VOTES libexec/gitolite/VREF/lock libexec/gitolite/VREF/partial-copy +libexec/gitolite/VREF/refex-expr +libexec/gitolite/check-g2-compat libexec/gitolite/commands/D libexec/gitolite/commands/access libexec/gitolite/commands/creator 
@@ -43,26 +46,28 @@ libexec/gitolite/commands/perms libexec/gitolite/commands/print-default-rc libexec/gitolite/commands/push +libexec/gitolite/commands/rsync libexec/gitolite/commands/sshkeys-lint libexec/gitolite/commands/sskm libexec/gitolite/commands/sudo libexec/gitolite/commands/svnserve libexec/gitolite/commands/symbolic-ref +libexec/gitolite/commands/who-pushed libexec/gitolite/commands/writable -libexec/gitolite/check-g2-compat libexec/gitolite/convert-gitosis-conf libexec/gitolite/gitolite libexec/gitolite/gitolite-shell libexec/gitolite/syntactic-sugar/continuation-lines libexec/gitolite/syntactic-sugar/keysubdirs-as-groups libexec/gitolite/triggers/partial-copy -libexec/gitolite/triggers/upstream libexec/gitolite/triggers/post-compile/ssh-authkeys libexec/gitolite/triggers/post-compile/ssh-authkeys-shell-users +libexec/gitolite/triggers/post-compile/update-description-file libexec/gitolite/triggers/post-compile/update-git-configs libexec/gitolite/triggers/post-compile/update-git-daemon-access-list libexec/gitolite/triggers/post-compile/update-gitweb-access-list libexec/gitolite/triggers/renice +libexec/gitolite/triggers/upstream @dirrm %%SITE_PERL%%/Gitolite/Conf @dirrm %%SITE_PERL%%/Gitolite/Hooks @dirrm %%SITE_PERL%%/Gitolite/Test --- gitolite-3.1,1.patch ends here --- --- vuxml.patch begins here --- diff -ruN --exclude=CVS /usr/ports/devel/gitolite/vuxml.patch ./vuxml.patch --- /usr/ports/devel/gitolite/vuxml.patch 1969-12-31 16:00:00.000000000 -0800 +++ ./vuxml.patch 2012-10-09 23:47:39.000000000 -0700 
@@ -0,0 +1,44 @@ +Index: vuln.xml +=================================================================== +--- vuln.xml (revision 305628) ++++ vuln.xml (working copy) +@@ -51,6 +51,39 @@ + + --> + <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> ++ <vuln vid="f94befcd-1289-11e2-a25e-525400272390"> ++ <topic>gitolite - path traversal vulnerability</topic> ++ <affects> ++ <package> ++ <name>gitolite</name> ++ <range><ge>3.01</ge><le>3.04</le></range> ++ </package> ++ </affects> ++ <description> ++ <body xmlns="http://www.w3.org/1999/xhtml"> ++ <p>Sitaram Chamarty reports:</p> ++ <blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion"> ++ <p>I'm sorry to say there is a potential path traversal vulnerability in ++ v3. Thanks to Stephane Chazelas for finding it and alerting me.</p> ++ <p>Can it affect you? This can only affect you if you are using wild ++ card repos, *and* at least one of your patterns allows the string ++ "../" to match multiple times.</p> ++ <p>How badly can it affect you? A malicious user who *also* has the ++ ability to create arbitrary files in, say, /tmp (e.g., he has his own ++ userid on the same box), can compromise the entire "git" user. ++ Otherwise the worst he can do is create arbitrary repos in /tmp.</p> ++ </blockquote> ++ </body> ++ </description> ++ <references> ++ <mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w@mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist> ++ </references> ++ <dates> ++ <discovery>2012-10-09</discovery> ++ <entry>2012-10-10</entry> ++ </dates> ++ </vuln> ++ + <vuln vid="e6161b65-1187-11e2-afe3-00262d5ed8ee"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> --- vuxml.patch ends here --- >Release-Note: >Audit-Trail: >Unformatted:
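Review bot: the `PORTEPOCH= 1` added next to `PORTVERSION= 3.1` in the Makefile hunk is required rather than cosmetic: under the ports version comparison 3.1 sorts below 3.04 (second component 1 < 04), so without the epoch bump the package tools would see the fixed release as a downgrade and never offer it to users still on the vulnerable 3.04. The resulting PKGNAME gitolite-3.1,1 matches the synopsis. What the hunk leaves unchanged is MASTER_SITES, which still points at the maintainer's own http://milki.github.com/${PORTNAME}/ with LOCAL/tdb only as fallback; since the description asks tdb to host the distfile, the committer should fetch the tarball and upload it to LOCAL/tdb before committing, so that a security update does not depend on a single personal site being reachable.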
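Review bot: the distinfo hunk replaces the SHA256 and SIZE for gitolite-3.1.tar.gz, but because the distfile is served from the maintainer's site rather than fetched from upstream, the checksum only pins what the submitter had and does not by itself establish provenance. Before committing, the committer should confirm that the tarball content corresponds to upstream's v3.1 tag (the compare link in the description, v3.04...v3.1, is the reference) and that `make makesum` over the file placed on LOCAL/tdb reproduces these two lines exactly.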
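Review bot: the three pkg-plist hunks remove and then re-add both libexec/gitolite/check-g2-compat and libexec/gitolite/triggers/upstream, so for those two entries the net effect is a reorder, not a change in installed files; the genuinely new entries are %%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm, libexec/gitolite/VREF/refex-expr, libexec/gitolite/commands/rsync, libexec/gitolite/commands/who-pushed and libexec/gitolite/triggers/post-compile/update-description-file. Since the PR was generated with FreeBSD Port Tools, an install/deinstall cycle (`port test`) is the cheap way to confirm that the plist is neither missing a 3.1 file nor listing one that is no longer installed, which would otherwise surface only at package build time.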
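Review bot: the final diff adds a file literally named vuxml.patch under /usr/ports/devel/gitolite/ (old side dated 1969, i.e. a new file), which would commit the advisory text into the port directory instead of into security/vuxml/vuln.xml where it belongs; the committer should apply its content to vuln.xml, run `make validate` in security/vuxml, and not add vuxml.patch to devel/gitolite. Inside the entry, the affected range `<ge>3.01</ge><le>3.04</le>` stops exactly at 3.04, so a PORTREVISION build such as 3.04_1 would not be flagged; an upper bound of `<lt>3.1,1</lt>` says "everything before the fixed package" and stays correct across the epoch bump this PR introduces. The description also notes that a CVE-ID request has been filed, so a `<cvename>` will need to be added to `<references>` once it is assigned; the vid, the mlist reference and the discovery/entry dates are otherwise consistent with the quoted upstream announcement.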