From URL: "2019-01-08 v3.6.11 fix security issue in 'rsync' (bundle helper); see commit 5df2b81 for more". The relevant commit: https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae Not quite sure what the impact is, but it seems to be code injection? Fix is in 3.6.11. gitolite is bumped, but gitolite-gentoo is not. Seems there are tags in the upstream (our) repository, though.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0a586ba2938241f100eebe58bb8b102bb9044081

commit 0a586ba2938241f100eebe58bb8b102bb9044081
Author:     Robin H. Johnson <robbat2@gentoo.org>
AuthorDate: 2022-07-16 23:44:15 +0000
Commit:     Robin H. Johnson <robbat2@gentoo.org>
CommitDate: 2022-07-16 23:44:43 +0000

    dev-vcs/gitolite-gentoo: backport v3.6.11 security fix

    Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
    Closes: https://bugs.gentoo.org/show_bug.cgi?id=858470

 dev-vcs/gitolite-gentoo/Manifest               |   1 +
 .../gitolite-gentoo-3.6.6.1-r3.ebuild          | 111 +++++++++++++++++++++
 2 files changed, 112 insertions(+)
Please cleanup. Robin, any input about the impact?
Impact: was not enabled by default. Required enabling two separate flags, in different files ("rsync" in gitolite.rc, and then "option bundle = 1" in the gitolite-admin per-repo config; note that the original commit message only had the rsync part, and missed the bundle=1). Gentoo infra was not impacted because "option bundle = 1" was only enabled very briefly in a single repo. Cleanup is done.
Oh, seems gitolite was handled in bug 689794. gitolite-gentoo is good now. Thanks Robin, all done!