oss-sec mailing list archives
Re: pagure: private repositories accessible through ssh
From: Patrick Uiterwijk <puiterwijk () redhat com>
Date: Sat, 22 Jul 2017 19:04:35 +0200
On Sat, Jul 22, 2017 at 2:20 PM, Stefan Bühler <stbuehler () lighttpd net> wrote:
Hi, pagure [1], a git-centered forge, supports private repositories [2]:PRIVATE_PROJECTS ~~~~~~~~~~~~~~~~ This configuration key allows you to host private repositories. These repositories are visible only to the creator of the repository and to the users who are given access to the repository. No information is leaked about the private repository which means redis doesn't have the access to the repository and even fedmsg doesn't get any notifications. Defaults to: ``False``But the gitolite config, which is used to configure SSH-access, allows "@all" users to access all repositories - private or not. I proposed the attached patch upstream in [3].
This issue has been assigned CVE-2017-1002151.
After patching you should ensure gitolite.conf gets regenerated from scratch. cheers, Stefan [1]: https://pagure.io/pagure [2]: https://pagure.io/pagure/blob/master/f/doc/configuration.rst [3]: https://pagure.io/pagure/pull-request/2426
Patrick
Current thread:
- pagure: private repositories accessible through ssh Stefan Bühler (Jul 22)
- Re: pagure: private repositories accessible through ssh Patrick Uiterwijk (Jul 22)