Candidate: CVE-2018-20683
PublicDate: 2019-01-10 01:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20683
 https://github.com/sitaramc/gitolite/commit/5df2b817255ee919991da6c310239e08c8fcc1ae
 https://groups.google.com/forum/#!topic/gitolite-announce/6xbjjmpLePQ
 https://bugs.debian.org/918849
 https://github.com/sitaramc/gitolite/blob/master/CHANGELOG
Description:
 commands/rsync in Gitolite before 3.6.11, if .gitolite.rc enables rsync,
 mishandles the rsync command line, which allows attackers to have a "bad"
 impact by triggering use of an option other than -v, -n, -q, or -P.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918849
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]


Patches_gitolite3:
upstream_gitolite3: needs-triage
precise/esm_gitolite3: DNE
trusty_gitolite3: ignored (reached end-of-life)
trusty/esm_gitolite3: DNE (trusty was needs-triage)
xenial_gitolite3: ignored (end of standard support, was needs-triage)
bionic_gitolite3: needs-triage
cosmic_gitolite3: ignored (reached end-of-life)
disco_gitolite3: not-affected (3.6.11-2)
eoan_gitolite3: not-affected (3.6.11-2)
focal_gitolite3: not-affected (3.6.11-2)
groovy_gitolite3: not-affected (3.6.11-2)
hirsute_gitolite3: not-affected (3.6.11-2)
impish_gitolite3: not-affected (3.6.11-2)
jammy_gitolite3: not-affected (3.6.11-2)
devel_gitolite3: not-affected (3.6.11-2)

Patches_gitolite:
upstream_gitolite: needs-triage
precise/esm_gitolite: DNE
trusty_gitolite: ignored (reached end-of-life)
trusty/esm_gitolite: DNE (trusty was needs-triage)
xenial_gitolite: DNE
bionic_gitolite: DNE
cosmic_gitolite: DNE
disco_gitolite: DNE
eoan_gitolite: DNE
focal_gitolite: DNE
groovy_gitolite: DNE
hirsute_gitolite: DNE
impish_gitolite: DNE
jammy_gitolite: DNE
devel_gitolite: DNE