CVE-2018-20683

Name: CVE-2018-20683
Description: commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs: 918849

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release        Version           Status
gitolite3 (PTS)    jessie         3.6.1-2+deb8u2    vulnerable
                   stretch        3.6.6-1           vulnerable
                   buster, sid    3.6.9-1           vulnerable

The information below is based on the following data on fixed versions.

Package      Type      Release       Fixed Version    Urgency    Origin    Debian Bugs
gitolite     source    (unstable)    (unfixed)
gitolite3    source    (unstable)    (unfixed)                             918849

Notes

[stretch] - gitolite3 <no-dsa> (Minor issue)
[jessie] - gitolite3 <no-dsa> (Minor issue)
https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae
https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ
