CVE-2018-10857: Some uses of git-annex were vulnerable to a private data exposure and exfiltration attack. It could expose the content of files located outside the git-annex repository, or content from a private web server on localhost or the LAN. Joey Hess discovered this attack.

CVE-2018-10859: A malicious server for a special remote could trick git-annex into decrypting a file that was encrypted to the user's gpg key. This attack could be used to expose encrypted data that was never stored in git-annex. Daniel Dent discovered this attack in collaboration with Joey Hess.

git-annex version 6.20180626 fixes these problems.

Gentoo Security Scout
Florian Schuhmacher
CVE-2018-10857:
Patch: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=4315bb9e421f2c643e517d8982c6c35b1909c78b

CVE-2018-10859:
Patch: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=67c06f51219475a185f3444635eaf07b2abed731
Patch: http://source.git-annex.branchable.com/?p=source.git;a=commit;h=b657242f5d946efae4cc77e8aef95dd2a306cd6b
@maintainer(s): ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=928f50920afc24e8b5783ac59a41cb6b6a4358aa

commit 928f50920afc24e8b5783ac59a41cb6b6a4358aa
Author:     Jack Todaro <solpeth@posteo.org>
AuthorDate: 2020-07-30 00:46:15 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-08-01 08:02:12 +0000

    dev-vcs/git-annex: bump up to 8.20200617

    Bug: https://bugs.gentoo.org/659288
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Jack Todaro <solpeth@posteo.org>
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-vcs/git-annex/Manifest                     |   1 +
 dev-vcs/git-annex/git-annex-8.20200617.ebuild  | 160 ++++++++++++++++++++++++++
 dev-vcs/git-annex/metadata.xml                 |   3 +
 3 files changed, 164 insertions(+)
Thanks! Please cleanup when ready.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7af25e0ef157fc58c8d99541013f8bae68adddd

commit a7af25e0ef157fc58c8d99541013f8bae68adddd
Author:     Jack Todaro <solpeth@posteo.org>
AuthorDate: 2020-08-03 20:28:49 +0000
Commit:     Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-08-03 22:58:17 +0000

    dev-vcs/git-annex: remove old

    Bug: https://bugs.gentoo.org/659288
    Package-Manager: Portage-3.0.1, Repoman-2.3.23
    Signed-off-by: Jack Todaro <solpeth@posteo.org>
    Closes: https://github.com/gentoo/gentoo/pull/16987
    Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

 dev-vcs/git-annex/Manifest                         |   1 -
 .../files/git-annex-6.20160114-QC-2.8.2.patch      |  16 --
 .../files/git-annex-6.20161210-directory-1.3.patch |   9 --
 .../files/git-annex-6.20170101-crypto-api.patch    |   8 -
 dev-vcs/git-annex/git-annex-6.20170818-r1.ebuild   | 161 ---------------------
 dev-vcs/git-annex/metadata.xml                     |   2 -
 6 files changed, 197 deletions(-)
(In reply to Sam James from comment #4)
> Thanks! Please cleanup when ready.

You're welcome! Are we able to now mark this as resolved? Clean up was performed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7af25e0ef157fc58c8d99541013f8bae68adddd
(In reply to Jack Todaro from comment #6)
> (In reply to Sam James from comment #4)
> > Thanks! Please cleanup when ready.
>
> You're welcome! Are we able to now mark this as resolved? Clean up was performed in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7af25e0ef157fc58c8d99541013f8bae68adddd

Yep, all done! :)

~ package, so no glsa, closing.