Hello community, here is the log from the commit of package gitolite for openSUSE:Factory checked in at 2019-01-21 10:53:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gitolite (Old) and /work/SRC/openSUSE:Factory/.gitolite.new.28833 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gitolite" Mon Jan 21 10:53:45 2019 rev:8 rq:665994 version:3.6.11 Changes: --------
--- /work/SRC/openSUSE:Factory/gitolite/gitolite.changes 2018-09-15 15:41:07.660793547 +0200
+++ /work/SRC/openSUSE:Factory/.gitolite.new.28833/gitolite.changes 2019-01-21 10:54:13.935737474 +0100
@@ -1,0 +2,9 @@
+Mon Jan 14 14:47:53 UTC 2019 - [email protected]
+
+- update to 3.6.11
+ - fix for boo#1121570 (CVE-2018-20683)
+ security issue in 'rsync' (bundle helper); see commit 5df2b81 for more
+- update to 3.6.10
+ - fix up boo-boo caused by previous release; see mails on list for details
+
+-------------------------------------------------------------------
Old: ---- gitolite-3.6.9.tar.gz New: ---- gitolite-3.6.11.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gitolite.spec ++++++
--- /var/tmp/diff_new_pack.WaAssl/_old 2019-01-21 10:54:14.479736818 +0100
+++ /var/tmp/diff_new_pack.WaAssl/_new 2019-01-21 10:54:14.483736813 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package gitolite
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -12,14 +12,14 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # %define gitolite_homedir /srv/gitolite %define git_user git Name: gitolite -Version: 3.6.9 +Version: 3.6.11 Release: 0 Summary: Server for git directory version tracker License: GPL-2.0-or-later ++++++ gitolite-3.6.9.tar.gz -> gitolite-3.6.11.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/CHANGELOG new/gitolite-3.6.11/CHANGELOG --- old/gitolite-3.6.9/CHANGELOG 2018-09-08 12:41:49.000000000 +0200 +++ new/gitolite-3.6.11/CHANGELOG 2019-01-08 10:28:59.000000000 +0100 @@ -1,3 +1,9 @@ +2019-01-08 v3.6.11 fix security issue in 'rsync' (bundle helper); see commit + 5df2b81 for more + +2018-09-30 v3.6.10 fix up boo-boo caused by previous release; see mails on + list for details + 2018-08-07 v3.6.9 prevent racy access to repos in process of migration to gitolite diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/README.markdown new/gitolite-3.6.11/README.markdown --- old/gitolite-3.6.9/README.markdown 2018-09-08 12:41:49.000000000 +0200 +++ new/gitolite-3.6.11/README.markdown 2019-01-08 10:28:59.000000000 +0100 @@ -213,7 +213,7 @@ # contact and support -Please see <http://gitolite.com/gitolite/#contact> for mailing list and IRC +Please see <http://gitolite.com/gitolite/#contactsupport> for mailing list and IRC info. # license diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/contrib/utils/testconf new/gitolite-3.6.11/contrib/utils/testconf --- old/gitolite-3.6.9/contrib/utils/testconf 2018-09-08 12:41:49.000000000 +0200 +++ new/gitolite-3.6.11/contrib/utils/testconf 2019-01-08 10:28:59.000000000 +0100 
@@ -72,6 +72,14 @@ # which will give you a much nicer output. The only issue is if you have # include files, you will need to put that in the file whose name is sorted # first! +# +# Using a non-default ".gitolite.rc" +# ================================== +# +# If your conf needs a non-default `~/.gitolite.rc`, copy the file you need as +# "testconf.gitolite.rc" in the root directory of the gitolite-admin clone +# where you are running "testconf". (Whether you commit this file to the +# gitolite-admin repo, or keep it local/untracked, is your call). # ---------------------------------------------------------------------- od=$PWD @@ -106,6 +114,9 @@ mkdir -p $testconf/.gitolite/conf cp -a $od/conf/* $testconf/.gitolite/conf/ +# copy rc from $od, if it exists +[ -f $od/testconf.gitolite.rc ] && cp $od/testconf.gitolite.rc $testconf/.gitolite.rc + # compile+ gitolite compile diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/src/commands/rsync new/gitolite-3.6.11/src/commands/rsync --- old/gitolite-3.6.9/src/commands/rsync 2018-09-08 12:41:49.000000000 +0200 +++ new/gitolite-3.6.11/src/commands/rsync 2019-01-08 10:28:59.000000000 +0100 @@ -28,11 +28,6 @@ (2) Add 'rsync' to the ENABLE list in the rc file - -GENERIC RSYNC SUPPORT - - TBD - =cut =for usage @@ -43,7 +38,7 @@ Admins: see src/commands/rsync for setup instructions Users: - rsync -P git@host:repo.bundle . + rsync git@host:repo.bundle . # downloads a file called "<basename of repo>.bundle"; repeat as # needed till the whole thing is downloaded git clone repo.bundle repo @@ -51,9 +46,8 @@ git remote set-url origin git@host:repo git fetch origin # and maybe git pull, etc. to freshen the clone -GENERIC RSYNC SUPPORT - - TBD + NOTE on options to the rsync command: you are only allowed to use the + "-v", "-n", "-q", and "-P" options. =cut 
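Review bot: The new `[ -f $od/testconf.gitolite.rc ] && cp $od/testconf.gitolite.rc $testconf/.gitolite.rc` in the second hunk leaves all three paths unquoted, so a gitolite-admin clone whose path contains whitespace or glob characters makes the test fail or copy the wrong file. Quote them: `[ -f "$od/testconf.gitolite.rc" ] && cp "$od/testconf.gitolite.rc" "$testconf/.gitolite.rc"` (the surrounding `cp -a $od/conf/*` line has the same weakness, so either fix both or keep them consistent). The header comment added in the first hunk would be more useful if it also said why the "commit or keep untracked" decision matters: the copied `.gitolite.rc` is Perl that the `gitolite compile` call below loads, so a tracked copy is code that anyone who can push to gitolite-admin gets to run on the machine executing testconf.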
@@ -62,9 +56,9 @@
 # rsync driver program. Several things can be done later, but for now it
 # drives just the 'bundle' transfer.
-if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (-[-\w=.]+ )+\. (\S+)\.bundle$/ ) {
+if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (?:-[vn]*(?:e\d*\.\w*)? )?\. (\S+)\.bundle$/ ) {
- my $repo = $2;
+ my $repo = $1;
 $repo =~ s/\.git$//;
 # all errors have the same message to avoid leaking info
@@ -81,7 +75,7 @@
 exit 0;
 }
-_warn "invalid rsync command '$ENV{SSH_ORIGINAL_COMMAND}'";
+_warn "Sorry, you are only allowed to use the '-v', '-n', '-q', and '-P' options.";
 usage();
 # ----------------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/src/gitolite-shell new/gitolite-3.6.11/src/gitolite-shell
--- old/gitolite-3.6.9/src/gitolite-shell 2018-09-08 12:41:49.000000000 +0200
+++ new/gitolite-3.6.11/src/gitolite-shell 2019-01-08 10:28:59.000000000 +0100
@@ -113,13 +113,6 @@
 $ENV{GL_REPO} = $repo;
 my $aa = ( $verb =~ 'upload' ? 'R' : 'W' );
- # catch rare race when moving repos into gitolite control
- _die "$aa any $repo $user DENIED by fallthru" .
- "\n(or you mis-spelled the reponame)"
- unless update_hook_present($repo);
- # this error message is exactly the same as that from elsewhere in the
- # code, for the usual reasons (avoid leaking information)
-
 # set up env vars from options set for this repo
 env_options($repo);
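Review bot: The new pattern in the `if` accepts only `-[vn]*` plus the `e<digits>.<flags>` token, while the `_warn` in the next hunk tells the user that `-q` and `-P` are allowed too; the two lists differ for a reason that is not written down, so add a comment above the regex, e.g. `# only the flags rsync forwards to --server are matched: -v/-n; -q and -P (--partial --progress) stay client-side, and -e<ver>.<caps> is the client's protocol token` (confirm against the rsync version you ship). The anchors also deserve a look: `$` still matches before a trailing newline and `(\S+)` accepts any non-blank string, so `$repo` should pass a repo-name check such as the `sanity($repo)` that `access()` performs in Load.pm below before it is used to build a path — unless the access check further down (outside this hunk) already rejects such names; `\z` in place of `$` costs nothing either way. The enclosing `if` body continues past the end of this hunk.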
@@ -239,8 +239,6 @@
 $repo =~ s(^\./)();
 next if $repo =~ m(/$);
 # tolerate non-bare repos within ~/repositories but silently ignore them
- next unless update_hook_present($repo);
- # ignore repos that don't yet have the update hook
 push @phy_repos, $repo;
 }
 trace( 3, scalar(@phy_repos) . " physical repos found" );
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/gitolite-3.6.9/src/lib/Gitolite/Conf/Load.pm new/gitolite-3.6.11/src/lib/Gitolite/Conf/Load.pm
--- old/gitolite-3.6.9/src/lib/Gitolite/Conf/Load.pm 2018-09-08 12:41:49.000000000 +0200
+++ new/gitolite-3.6.11/src/lib/Gitolite/Conf/Load.pm 2019-01-08 10:28:59.000000000 +0100
@@ -73,6 +73,7 @@
 trace( 2, $repo, $user, $aa, $ref );
 _die "invalid user '$user'" if not( $user and $user =~ $USERNAME_PATT );
 sanity($repo);
+ return "$aa any $repo $user DENIED by fallthru" unless update_hook_present($repo);
 my @rules;
 my $deny_rules;
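Review bot: The added `return "$aa any $repo $user DENIED by fallthru" unless update_hook_present($repo);` in the Load.pm hunk reuses the wording of the ordinary fallthru denial on purpose, but the comment that explained this — removed from gitolite-shell in the same commit ("this error message is exactly the same as that from elsewhere in the code ... avoid leaking information") — did not move with it, so the next maintainer may reword the message and make a repo still under migration distinguishable from one that does not exist. Carry it over on the line above the `return`: `# same text as the regular fallthru denial (presumably later in this sub): a repo being migrated must look exactly like a missing one`. The Common.pm hunk above drops the matching `update_hook_present` filter from the repo listing; a one-line comment there saying the check now lives in `access()` would keep the two places readable together. The enclosing sub starts and ends outside this hunk.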
