-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear colleagues,
We have just received the following Fedora Security Advisory. We are
passing this information on to you unchanged.
Directory traversal vulnerability in Gitolite
Gitolite contains a directory traversal vulnerability in the access
restriction for Admin Defined Commands ("ADC"). A remote, authenticated
attacker can exploit this vulnerability to execute arbitrary commands
with the privileges of the Gitolite server. This requires that ADCs have
been enabled by setting GL_ADC_PATH in the corresponding configuration.
The following software packages and platforms are affected:
Package gitolite
Fedora 15
The vendor provides revised packages.
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Matthias Braeck
- -- 
Matthias Braeck (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages: https://www.cert.dfn.de/autowarn
- --------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-1616
2011-02-16 14:19:01
- --------------------------------------------------------------------------------
Name : gitolite
Product : Fedora 15
Version : 1.5.8
Release : 3.fc15
URL : http://github.com/sitaramc/gitolite
Summary : Highly flexible server for git directory version tracker
Description :
Gitolite allows a server to host many git repositories and provide access
to many developers, without having to give them real userids on the server.
The essential magic in doing this is ssh's pubkey access and the authorized
keys file, and the inspiration was an older program called gitosis.
Gitolite can restrict who can read from (clone/fetch) or write to (push) a
repository. It can also restrict who can push to what branch or tag, which
is very important in a corporate environment. Gitolite can be installed
without requiring root permissions, and with no additional software than git
itself and perl. It also has several other neat features described below and
elsewhere in the doc/ directory.
- --------------------------------------------------------------------------------
Update Information:
Dylan Alex Simon discovered and reported a directory traversal flaw in the way Gitolite restricted access to admin defined commands ("ADC"). An authenticated attacker could execute arbitrary code with the privileges of the Gitolite server user by using a specially crafted command name.
The flaw does not affect default Gitolite installations. Users who have enabled ADC in their configurations are advised to install the updated package, which includes a fix that resolves the issue.
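The flaw class above is a user-supplied command name being joined onto the ADC directory (GL_ADC_PATH) without being confined to it. The following is an added example written for this advisory, not gitolite's own code or its actual fix: a hypothetical resolve_adc() helper shows the two independent checks a dispatcher needs, an allow-list on the name and a containment check on the resolved path, and demo() exercises it against a constructed temporary ADC directory (the names, directory layout and sample inputs are all assumptions made up for the example).

```python
import os
import re
import tempfile

# Added example (not gitolite's code): the shape of check an ADC dispatcher
# needs so that a user-supplied command name can only select a file that is
# directly inside the ADC directory (GL_ADC_PATH in gitolite's config).

# Allow-list: a bare token. No "/", no ".", no whitespace, no NUL.
# fullmatch() is used below rather than "$", because "$" would also accept a
# name with a trailing newline.
ADC_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def resolve_adc(adc_path, name):
    """Return the absolute path of the ADC `name` under `adc_path`, or None.

    Two independent checks are applied so that either one alone would stop a
    traversal: a syntactic allow-list on the name, and a containment check on
    the resolved path. realpath() follows symlinks, so a link placed inside
    the directory that points outside it is refused as well.
    """
    if not isinstance(name, str) or not ADC_NAME_RE.fullmatch(name):
        return None
    base = os.path.realpath(adc_path)
    candidate = os.path.realpath(os.path.join(base, name))
    # The resolved file must sit directly in the ADC directory, not below or
    # beside it.
    if os.path.dirname(candidate) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo():
    """Build a constructed ADC directory in a temp dir and exercise the check.

    Returns a dict mapping each sample name to True (accepted) or False
    (refused). All names and files here are constructed for the example.
    """
    root = tempfile.mkdtemp()
    adc_dir = os.path.join(root, "adc")
    os.mkdir(adc_dir)
    # One legitimate ADC, and one file that lives outside the ADC directory.
    open(os.path.join(adc_dir, "help"), "w").close()
    open(os.path.join(root, "outside"), "w").close()
    # A symlink inside the ADC directory that points outside it.
    os.symlink(os.path.join(root, "outside"), os.path.join(adc_dir, "linked"))

    samples = [
        "help",                 # plain name, file exists: accepted
        "../outside",           # traversal: refused by the allow-list
        "adc/../../outside",    # traversal with a slash: refused
        "linked",               # symlink escaping the directory: refused
        "help\n",               # trailing newline: refused by fullmatch
        "help\x00x",            # embedded NUL: refused
        "",                     # empty name: refused
        "missing",              # well-formed but no such file: refused
    ]
    return {n: resolve_adc(adc_dir, n) is not None for n in samples}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(repr(name), "->", "accepted" if accepted else "refused")
```

The allow-list alone is enough to block every traversal form shown; the containment check is kept deliberately so that a future relaxation of the name pattern, or a stray symlink in the directory, does not silently reopen the hole.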
- --------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update gitolite' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
- --------------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iQEcBAEBAgAGBQJNb57KAAoJEJtyb8U7iGZB7WoH/jTrni71z+s2vipYXn/si2Uk
WqAyR05/u+dpAiyRPo2nLQj/PEI2rH1STPAahl8tQteMOuondN3oeuPy5aax7gkz
PLuW74MnMk7CBPzWBvlAb5RIyokKxgszpRT0wTHlV8AqQmgLbPj22leQv6I+bOGj
pTBskn8nKY5jOGEEapRrr8OOnRWx8V2Ipvreef890GXkeMNyO5CZJt7W64S1E7K+
Ir+JYxBLrT57j4MZtA7r7s4Xoo0lFNQnCI32obRJbQYadV+YbHi/xNCatGMHhR1B
JLEH8h87gdzLuCqoADhN0qCyld80d9inYWg/H9pCawRD/pZfK+A2vKSTMrcE8wc=
=qga2
-----END PGP SIGNATURE-----