Summary: | <dev-vcs/fossil-2.11.1: Multiple vulnerabilities | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | rafaelmartins, titanofold |
Priority: | Normal | Flags: | nattka: sanity-check+ |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://www.fossil-scm.org/home/info/e8c6cd2ced4b7562 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | dev-vcs/fossil-2.11.1 |
Runtime testing required: | No |
Bug Depends on: | 732236 | ||
Bug Blocks: |
Description
Sam James
2020-06-09 14:26:32 UTC
"Security: Fossil now assumes that the schema of every database it opens has been tampered with by an adversary and takes extra precautions to ensure that such tampering is harmless.

Security: Fossil now puts the Content-Security-Policy in the HTTP reply header, in addition to also leaving it in the HTML <head> section, so that it is always available, even if a custom skin overrides the HTML <head> and omits the CSP in the process."

(In reply to Sam James (sec padawan) from comment #1)
> "Security: Fossil now assumes that the schema of every database it opens has
> been tampered with by an adversary and takes extra precautions to ensure
> that such tampering is harmless.
>
> Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> header, in addition to also leaving it in the HTML <head> section, so that
> it is always available, even if a custom skin overrides the HTML <head> and
> omits the CSP in the process."

Whoops! Ignore this, I think.

(In reply to Sam James (sec padawan) from comment #0)
> Details when available.
>
> @maintainer(s), please bump to 2.11.1.

This is the bit that was fixed:

Make the "fossil git export" command more restrictive about characters that it allows in tag names.... [sanitize] each argument and make it part of an "echo" command run by the shell.

https://www.fossil-scm.org/home/info/c9a592dde7fe493f

(In reply to Sam James (sec padawan) from comment #2)
> (In reply to Sam James (sec padawan) from comment #1)
> > "Security: Fossil now assumes that the schema of every database it opens has
> > been tampered with by an adversary and takes extra precautions to ensure
> > that such tampering is harmless.
> >
> > Security: Fossil now puts the Content-Security-Policy in the HTTP reply
> > header, in addition to also leaving it in the HTML <head> section, so that
> > it is always available, even if a custom skin overrides the HTML <head> and
> > omits the CSP in the process."
>
> Whoops! Ignore this, I think.

You're right on ignoring this bit... kind of. 2.11 is a fix for those two items, while >=2.11.1 is a fix for the git export command.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=855990ab005418102e3f8329b0808483805dd820

commit 855990ab005418102e3f8329b0808483805dd820
Author: Aaron W. Swenson <titanofold@gentoo.org>
AuthorDate: 2020-07-09 01:44:01 +0000
Commit: Aaron W. Swenson <titanofold@gentoo.org>
CommitDate: 2020-07-09 01:44:09 +0000

dev-vcs/fossil: Bump to 2.11.1

Security fix: Make the "fossil git export" command more restrictive about characters that it allows in tag names.

Bug: https://bugs.gentoo.org/727664
Package-Manager: Portage-2.3.99, Repoman-2.3.23
Signed-off-by: Aaron W. Swenson <titanofold@gentoo.org>

dev-vcs/fossil/Manifest | 1 +
dev-vcs/fossil/fossil-2.11.1.ebuild | 72 +++++++++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)

Please stabilize the following target:

dev-vcs/fossil-2.11.1 ~amd64 ~arm ~ppc ~ppc64 ~x86

ppc64 stable

arm stable

amd64 stable

ppc stable

x86 stable.

Maintainer(s), please clean up.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4b83278335c05731b96be3f374894b0332171cf

commit a4b83278335c05731b96be3f374894b0332171cf
Author: Rafael Martins <rafaelmartins@gentoo.org>
AuthorDate: 2020-07-26 17:44:35 +0000
Commit: Rafael Martins <rafaelmartins@gentoo.org>
CommitDate: 2020-07-26 17:44:40 +0000

dev-vcs/fossil: cleanup vulnerable versions

Bug: https://bugs.gentoo.org/727664
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Rafael Martins <rafaelmartins@gentoo.org>

dev-vcs/fossil/Manifest | 4 --
dev-vcs/fossil/fossil-2.10-r1.ebuild | 72 ------------------------------------
dev-vcs/fossil/fossil-2.10.ebuild | 57 ----------------------------
dev-vcs/fossil/fossil-2.11.ebuild | 72 ------------------------------------
dev-vcs/fossil/fossil-2.8.ebuild | 57 ----------------------------
dev-vcs/fossil/fossil-2.9.ebuild | 57 ----------------------------
6 files changed, 319 deletions(-)
|