Control: tag -1 unreproducible

Luke Kenneth Casson Leighton <l...@lkcl.net> writes:
>
> I have used gitolite3 for many years. This is the first time I have ever
> had a major bug, and it involved a username with an underscore in it.
> ssh to the server reported "hello user" not "hello user_xxxx", and
> COMPLETELY the wrong repository was granted write access.
>
> This is an extremely serious security issue.

0) I could not duplicate the problem with the version in stable or
   testing/unstable.

   I did notice that due to ssh-agent caching, it was
   easy to use more keys than I wanted, so make sure to verify which key
   you are using with ssh -v.

1) Security support for stretch (current oldstable) ended more than a
   year ago. That means that any further uploads of that version would
   be via the LTS team [1]. 

2) It would be useful to know if you can duplicate the problem in
   current stable. If you can, a bit more information about how to
   duplicate the problem would help (you can send it to me privately if
   you are worried about publicizing a vulnerability).

[1]: https://wiki.debian.org/LTS
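
The `ssh -v` check suggested in the reply can be scripted. The following is an added example, not part of the original message or of gitolite: it reads `ssh -v` debug output and reports which keys were offered and which one the server accepted. It assumes the debug line format of recent OpenSSH clients; the sample log, paths, fingerprints and the host `git.example.org` are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarise which keys an `ssh -v` run offered and which
# one the server accepted. All functions read the debug output on stdin.
#
# Real use (host and key path are placeholders):
#   ssh -v -o IdentitiesOnly=yes -i ~/.ssh/id_work \
#       git@git.example.org info 2>&1 | accepted_key

# Keys the client offered, one per line, in the order they were tried.
offered_keys() {
    sed -n 's/^debug1: Offering .*public key: //p'
}

# The key the server accepted (empty output if none was accepted).
accepted_key() {
    sed -n 's/^debug1: Server accepts key: //p' | head -n 1
}

# Succeeds only if exactly one key was offered and that key was accepted,
# i.e. the agent did not try other cached identities first.
only_intended_key_used() {
    log=$(cat)
    offered=$(printf '%s\n' "$log" | offered_keys)
    accepted=$(printf '%s\n' "$log" | accepted_key)
    [ -n "$accepted" ] && [ "$offered" = "$accepted" ]
}

# Constructed sample: the agent offers two keys and the second is accepted.
sample_log() {
    cat <<'EOF'
debug1: Offering public key: /home/alice/.ssh/id_rsa RSA SHA256:CONSTRUCTED-A agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/alice/.ssh/id_work ED25519 SHA256:CONSTRUCTED-B agent
debug1: Server accepts key: /home/alice/.ssh/id_work ED25519 SHA256:CONSTRUCTED-B agent
EOF
}

echo "offered:";  sample_log | offered_keys
echo "accepted:"; sample_log | accepted_key
```

The accepted key's fingerprint can then be compared with `ssh-keygen -lf` run on the public key file registered for the expected gitolite user.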
