Your message dated Fri, 12 Feb 2016 06:33:56 +0000
with message-id <[email protected]>
and subject line Bug#812411: fixed in cgit 0.11.2.git2.3.2-1.1
has caused the Debian Bug report #812411,
regarding cgit: CVE-2016-1899 CVE-2016-1900 CVE-2016-1901
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
812411: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812411
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cgit
Version: 0.10.2.git2.0.1-3
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerabilities were published for cgit.

CVE-2016-1899[0]:
| CRLF injection vulnerability in the ui-blob handler in CGit before
| 0.12 allows remote attackers to inject arbitrary HTTP headers and
| conduct HTTP response splitting attacks or cross-site scripting (XSS)
| attacks via CRLF sequences in the mimetype parameter, as demonstrated
| by a request to blob/cgit.c.

CVE-2016-1900[1]:
| CRLF injection vulnerability in the cgit_print_http_headers function
| in ui-shared.c in CGit before 0.12 allows remote attackers with
| permission to write to a repository to inject arbitrary HTTP headers
| and conduct HTTP response splitting attacks or cross-site scripting
| (XSS) attacks via newline characters in a filename.

CVE-2016-1901[2]:
| Integer overflow in the authenticate_post function in CGit before 0.12
| allows remote attackers to have unspecified impact via a large value
| in the Content-Length HTTP header, which triggers a buffer overflow.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-1899
[1] https://security-tracker.debian.org/tracker/CVE-2016-1900
[2] https://security-tracker.debian.org/tracker/CVE-2016-1901

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cgit
Source-Version: 0.11.2.git2.3.2-1.1

We believe that the bug you reported is fixed in the latest version of
cgit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated cgit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 27 Jan 2016 20:54:12 +0100
Source: cgit
Binary: cgit
Architecture: source
Version: 0.11.2.git2.3.2-1.1
Distribution: unstable
Urgency: medium
Maintainer: Alexander Wirt <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 812411
Description: 
 cgit       - hyperfast web frontend for git repositories written in C
Changes:
 cgit (0.11.2.git2.3.2-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2016-1899: Reflected XSS and header injection in mimetype query
     string (Closes: #812411)
   * CVE-2016-1900: Stored cross site scripting and header injection in
     filename parameter (Closes: #812411)
   * CVE-2016-1901: Integer overflow resulting in buffer overflow
     (Closes: #812411)
Checksums-Sha1: 
 f5d9cd6be972bf1a5c56b866fc8e59f20a322e56 1847 cgit_0.11.2.git2.3.2-1.1.dsc
 f9733e84899aadfcfb941231304afe6fc1d37edf 11600 
cgit_0.11.2.git2.3.2-1.1.debian.tar.xz
Checksums-Sha256: 
 ad502bb1d3afe57d7553ef4c8c46ec317a0f5f8d032ba278bfc210bbf5addfb0 1847 
cgit_0.11.2.git2.3.2-1.1.dsc
 ec17cde4d4bf039c93f1f68d2c42305c24d3dc2afd0c195743fab8114aa49e7f 11600 
cgit_0.11.2.git2.3.2-1.1.debian.tar.xz
Files: 
 4c998878c49118401bcddc4e408b56c8 1847 net extra cgit_0.11.2.git2.3.2-1.1.dsc
 e4997c40d3834bc680df8c408a9b69a5 11600 net extra 
cgit_0.11.2.git2.3.2-1.1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJWtt2fAAoJEAVMuPMTQ89EqG0P/2ZlyMK7cZVwL3qMDcnfIlOi
jlDiiWd7cP3yPAVWdGZgqjr60wD4S4f6BBnxommRxXAowrI+XBR4UidvnDIx9ODm
rud9dGBpGZHU3iz/xFaCc4MY4TDEJfCEn4WF11L16Hi0qHE4atic4fRdZrWxuWic
Q9cvh6TRz3zwFrdsD3gfAu0ncQiXT1BRE+tm/QPFH3HY+dpOCsWLRVewk7a3fiCJ
/kRkO0eeYul9Xjy2w3Ek/zmf/V+5PfVVdwcrcG0lQvklu23HzmD4BdIBmkVYHCNd
cg++SZJEZrrDofv914QnbxZLl5NiF2Hh3Z/3WEXztW/uhYhAt/LgW/E6ydiLd2qz
fPkRpItYEV+MxKGtkFEcQ8q4aJ6yLUDJ64unCSvy/4EVjgDarHmd7uJlXR4arxqA
gOLQvrrhPgivk+lAbOF88nNE1UdETVKaQ9GIkPJimZd1j3pZBoJND1DVkj0zeA70
19pRL3sk7QAD0nyiwfC+zAMqSb0SxaBCKvOwLTKniHdF1lQVAQtv1PWPcT6Wx0MM
Pn4MdxXY0xN96+J+7PzJVX/+dFUzhkZXLVydvS3wEgeDn72gfPL+t4CZKSz/2lbD
MttYd75XrYNk2ND5vJx1F0UCxgevLerZdpgSFGCxqf/h67HSnNIJOKMVkQO53LMU
5VI/ku69NMthNzOh3cZE
=H+qW
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to