SB2019012320 - Input validation error in gitolite (Alpine package)
Published: January 23, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2018-20683)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync, mishandles the rsync command line, which allows attackers to have a "bad" impact by triggering use of an option other than -v, -n, -q, or -P.
Remediation
Install update from vendor's website.
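Whether a host needs the update depends on the two conditions in the description: a gitolite release before 3.6.11 and an rc file that enables rsync. The shell sketch below is an added example, not code from this bulletin, gitolite or Alpine; it assumes the operator supplies the installed version string and the rc path, and that the rc file uses the stock layout with one quoted feature per line.

```shell
# Added example: exposure check for CVE-2018-20683 (not gitolite or Alpine code).
FIXED="3.6.11"   # first fixed upstream release, per the advisory text

# Succeeds if version $1 is older than $2 (numeric, dot-separated fields).
# A leading "v" and anything after the first "-" (e.g. Alpine "-r0") are ignored.
version_lt() {
    a=${1#v}; a=${a%%-*}
    b=${2#v}; b=${b%%-*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1   # equal versions are not "older"
}

# Succeeds if the rc file has an active (uncommented) 'rsync' entry.
# Assumption: stock layout, one quoted feature per line, disabled ones behind "#".
rsync_enabled() {
    grep -Eq "^[[:space:]]*['\"]rsync['\"]" "$1"
}

# usage: exposed <gitolite-version> <path-to-.gitolite.rc>
# Returns 0 only when both conditions in the advisory hold.
exposed() {
    if ! rsync_enabled "$2"; then
        echo "not exposed: rsync is not enabled in $2"; return 1
    fi
    if version_lt "$1" "$FIXED"; then
        echo "EXPOSED: gitolite $1 is older than $FIXED and rsync is enabled"; return 0
    fi
    echo "not exposed: gitolite $1 is $FIXED or later"; return 1
}

# Constructed sample rc fragment, not a real configuration.
demo_rc=$(mktemp)
cat > "$demo_rc" <<'EOF'
    ENABLE => [
            'help',
            # 'sudo',
            'rsync',
    ],
EOF
exposed "3.6.10" "$demo_rc" || true      # prints EXPOSED
exposed "3.6.11-r0" "$demo_rc" || true   # prints not exposed
rm -f "$demo_rc"
```

The rc check is a line-based heuristic; an rc file that builds its ENABLE list in some other way needs to be read by hand.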
References
- https://git.alpinelinux.org/aports/commit/?id=f25e14ee22d86c3e6c36a14ccd40390559f51cb9
- https://git.alpinelinux.org/aports/commit/?id=67f3e45bd49581c9d21308a73dd85f972a57e24c
- https://git.alpinelinux.org/aports/commit/?id=87c443db8dd4907c90a4b6077c6d61946fc30816
- https://git.alpinelinux.org/aports/commit/?id=bac739997662850414a0424662a0241c9d49adbf
- https://git.alpinelinux.org/aports/commit/?id=fe8fcf4a19eb9ab3bbe62be030fef8f8db5ccbb1