ports/172565: [MAINTAINER] devel/gitolite: update to 3.1,1
milki
milki at rescomp.berkeley.edu
Wed Oct 10 07:00:00 UTC 2012
>Number: 172565
>Category: ports
>Synopsis: [MAINTAINER] devel/gitolite: update to 3.1,1
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Wed Oct 10 07:00:00 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: milki
>Release: FreeBSD 8.3-RELEASE-p3 amd64
>Organization:
cibo
>Environment:
System: FreeBSD cibo.ircmylife.com 8.3-RELEASE-p3 FreeBSD 8.3-RELEASE-p3 #0: Tue Jun 12 00:39:29 UTC 2012
>Description:
- Update to 3.1,1
Changes:
https://github.com/sitaramc/gitolite/compare/v3.04...v3.1
https://raw.github.com/sitaramc/gitolite/51ab768e2a121eac48fa82bb41ef121f44082e64/CHANGELOG
tdb: Please host the distfile
3.01-3.04 path traversal vulnerability advisory
eadler has submitted a CVE-ID request
Generated with FreeBSD Port Tools 0.99_6 (mode: update, diff: ports)
>How-To-Repeat:
>Fix:
--- gitolite-3.1,1.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/devel/gitolite/Makefile ./Makefile
--- /usr/ports/devel/gitolite/Makefile 2012-08-05 12:36:46.000000000 -0700
+++ ./Makefile 2012-10-09 23:48:12.000000000 -0700
@@ -6,7 +6,8 @@
#
PORTNAME= gitolite
-PORTVERSION= 3.04
+PORTVERSION= 3.1
+PORTEPOCH= 1
CATEGORIES= devel
MASTER_SITES= http://milki.github.com/${PORTNAME}/ \
LOCAL/tdb
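Review bot: PORTEPOCH= 1 is required together with this PORTVERSION change, because 3.1 sorts below 3.04 under the ports version ordering and the update would otherwise register as a downgrade; it matches the 3.1,1 in the synopsis, and once committed the epoch must never be lowered or dropped in later updates. The LOCAL/tdb entry in MASTER_SITES only becomes usable after tdb uploads the new distfile, as the description requests, so fetches from that site will fail until then.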
diff -ruN --exclude=CVS /usr/ports/devel/gitolite/distinfo ./distinfo
--- /usr/ports/devel/gitolite/distinfo 2012-08-05 12:36:46.000000000 -0700
+++ ./distinfo 2012-10-09 21:17:59.000000000 -0700
@@ -1,2 +1,2 @@
-SHA256 (gitolite-3.04.tar.gz) = 900dd144ddfa88cc21fadfef7652799ead78c1be52304506994307c448e6b618
-SIZE (gitolite-3.04.tar.gz) = 114010
+SHA256 (gitolite-3.1.tar.gz) = 36fc270c29e980f7217c203656373d1c44f73035fe18053163301cd10a4e0f04
+SIZE (gitolite-3.1.tar.gz) = 119322
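Review bot: the new SHA256 and SIZE lines are the only integrity check applied to the fetched distfile, so they should be generated from a tarball that matches upstream tag v3.1 (the compare link in the description) rather than taken on trust from a single mirror; both MASTER_SITES entries must serve byte-identical files, so confirm the value against the tarball tdb ends up hosting on LOCAL/tdb as well.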
diff -ruN --exclude=CVS /usr/ports/devel/gitolite/pkg-plist ./pkg-plist
--- /usr/ports/devel/gitolite/pkg-plist 2012-08-05 12:36:46.000000000 -0700
+++ ./pkg-plist 2012-10-09 21:27:01.000000000 -0700
@@ -19,6 +19,7 @@
%%SITE_PERL%%/Gitolite/Triggers/RepoUmask.pm
%%SITE_PERL%%/Gitolite/Triggers/Shell.pm
%%SITE_PERL%%/Gitolite/Triggers/Writable.pm
+%%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm
libexec/gitolite/VERSION
libexec/gitolite/VREF/COUNT
libexec/gitolite/VREF/EMAIL-CHECK
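Review bot: the added %%SITE_PERL%%/Gitolite/Triggers/RefexExpr.pm entry is out of sort order; the surrounding Triggers/*.pm lines are alphabetical, so it belongs before RepoUmask.pm rather than after Writable.pm. Cosmetic only, but a sorted plist keeps future diffs readable.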
@@ -28,6 +29,8 @@
libexec/gitolite/VREF/VOTES
libexec/gitolite/VREF/lock
libexec/gitolite/VREF/partial-copy
+libexec/gitolite/VREF/refex-expr
+libexec/gitolite/check-g2-compat
libexec/gitolite/commands/D
libexec/gitolite/commands/access
libexec/gitolite/commands/creator
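Review bot: the +libexec/gitolite/check-g2-compat line here pairs with the removal of the same path in the next hunk, so this is a move into alphabetical position rather than a new file; a one-line mention in the description would save a reviewer from reading the later - line as a dropped script. The VREF/refex-expr addition is correctly placed after VREF/partial-copy.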
@@ -43,26 +46,28 @@
libexec/gitolite/commands/perms
libexec/gitolite/commands/print-default-rc
libexec/gitolite/commands/push
+libexec/gitolite/commands/rsync
libexec/gitolite/commands/sshkeys-lint
libexec/gitolite/commands/sskm
libexec/gitolite/commands/sudo
libexec/gitolite/commands/svnserve
libexec/gitolite/commands/symbolic-ref
+libexec/gitolite/commands/who-pushed
libexec/gitolite/commands/writable
-libexec/gitolite/check-g2-compat
libexec/gitolite/convert-gitosis-conf
libexec/gitolite/gitolite
libexec/gitolite/gitolite-shell
libexec/gitolite/syntactic-sugar/continuation-lines
libexec/gitolite/syntactic-sugar/keysubdirs-as-groups
libexec/gitolite/triggers/partial-copy
-libexec/gitolite/triggers/upstream
libexec/gitolite/triggers/post-compile/ssh-authkeys
libexec/gitolite/triggers/post-compile/ssh-authkeys-shell-users
+libexec/gitolite/triggers/post-compile/update-description-file
libexec/gitolite/triggers/post-compile/update-git-configs
libexec/gitolite/triggers/post-compile/update-git-daemon-access-list
libexec/gitolite/triggers/post-compile/update-gitweb-access-list
libexec/gitolite/triggers/renice
+libexec/gitolite/triggers/upstream
@dirrm %%SITE_PERL%%/Gitolite/Conf
@dirrm %%SITE_PERL%%/Gitolite/Hooks
@dirrm %%SITE_PERL%%/Gitolite/Test
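Review bot: commands/rsync and commands/who-pushed are new user-facing commands; if commands/rsync shells out to an rsync binary, the Makefile hunk adds no matching RUN_DEPENDS, so confirm whether a dependency is needed or whether the command is opt-in for the administrator. The triggers/upstream move to after triggers/renice and the triggers/post-compile/update-description-file addition keep the list alphabetical, and the hunk counts (-26/+28) match two removals and four additions.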
--- gitolite-3.1,1.patch ends here ---
--- vuxml.patch begins here ---
diff -ruN --exclude=CVS /usr/ports/devel/gitolite/vuxml.patch ./vuxml.patch
--- /usr/ports/devel/gitolite/vuxml.patch 1969-12-31 16:00:00.000000000 -0800
+++ ./vuxml.patch 2012-10-09 23:47:39.000000000 -0700
@@ -0,0 +1,44 @@
+Index: vuln.xml
+===================================================================
+--- vuln.xml (revision 305628)
++++ vuln.xml (working copy)
+@@ -51,6 +51,39 @@
+
+ -->
+ <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
++ <vuln vid="f94befcd-1289-11e2-a25e-525400272390">
++ <topic>gitolite - path traversal vulnerability</topic>
++ <affects>
++ <package>
++ <name>gitolite</name>
++ <range><ge>3.01</ge><le>3.04</le></range>
++ </package>
++ </affects>
++ <description>
++ <body xmlns="http://www.w3.org/1999/xhtml">
++ <p>Sitaram Chamarty reports:</p>
++ <blockquote cite="https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion">
++ <p>I'm sorry to say there is a potential path traversal vulnerability in
++ v3. Thanks to Stephane Chazelas for finding it and alerting me.</p>
++ <p>Can it affect you? This can only affect you if you are using wild
++ card repos, *and* at least one of your patterns allows the string
++ "../" to match multiple times.</p>
++ <p>How badly can it affect you? A malicious user who *also* has the
++ ability to create arbitrary files in, say, /tmp (e.g., he has his own
++ userid on the same box), can compromise the entire "git" user.
++ Otherwise the worst he can do is create arbitrary repos in /tmp.</p>
++ </blockquote>
++ </body>
++ </description>
++ <references>
++ <mlist msgid="CAMK1S_jotna+d_X2C-+es-M28i1aUBcsNeiXxwJ63EshQ8ht6w at mail.gmail.com">https://groups.google.com/forum/#!topic/gitolite/K9SnQNhCQ-0/discussion</mlist>
++ </references>
++ <dates>
++ <discovery>2012-10-09</discovery>
++ <entry>2012-10-10</entry>
++ </dates>
++ </vuln>
++
+ <vuln vid="e6161b65-1187-11e2-afe3-00262d5ed8ee">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
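Review bot: the <mlist msgid="..."> attribute reads " at mail.gmail.com", which looks like the list archive's address obfuscation rather than the real Message-ID; the committed entry needs the literal "@" or the reference will not resolve. The entry also carries no <cvename> yet although the description says a CVE-ID request has been submitted, so that reference should be added once the ID is assigned, and the entry should pass `make validate` in security/vuxml before commit. Note also that the diff header shows vuxml.patch being added as a new file under /usr/ports/devel/gitolite/; it should be applied to security/vuxml/vuln.xml, not committed into the port directory.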
--- vuxml.patch ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: