Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.OPENSUSE-2018-1118.NASL
HistoryOct 09, 2018 - 12:00 a.m.

openSUSE Security Update : gitolite (openSUSE-2018-1118)

2018-10-0900:00:00
This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
10

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

47.9%

JSON

This update for gitolite fixes the following issues :

Gitolite was updated to 3.6.9 :

  • CVE-2018-16976: prevent racy access to repos in process of migration to gitolite (boo#1108272)

  • ‘info’ learns new ‘-p’ option to show only physical repos (as opposed to wild repos)

The update to 3.6.8 contains :

  • fix bug when deleting all hooks for a repo

  • allow trailing slashes in repo names

  • make pre-receive hook driver bail on non-zero exit of a pre-receive hook

  • allow templates in gitolite.conf (new feature)

  • various optimiations

The update to 3.6.7 contains :

  • allow repo-specific hooks to be organised into subdirectories, and allow the multi-hook driver to be placed in some other location of your choice

  • allow simple test code to be embedded within the gitolite.conf file; see contrib/utils/testconf for how.
    (This goes on the client side, not on the server)

  • allow syslog ‘facility’ to be changed, from the default of ‘local0’

  • allow syslog ‘facility’ to be changed, from the default of replaced with a space separated list of members

The update to 3.6.6 contains :

  • simple but important fix for a future perl deprecation (perl will be removing ‘.’ from @INC in 5.24)

  • ‘perms’ now requires a ‘-c’ to activate batch mode (should not affect interactive use but check your scripts perhaps?)

  • gitolite setup now accepts a ‘-m’ option to supply a custom message (useful when it is used by a script)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-1118.
#
# The text description of this plugin is (C) SUSE LLC.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(117978);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");

  script_cve_id("CVE-2018-16976");

  script_name(english:"openSUSE Security Update : gitolite (openSUSE-2018-1118)");
  script_summary(english:"Check for the openSUSE-2018-1118 patch");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"This update for gitolite fixes the following issues :

Gitolite was updated to 3.6.9 :

  - CVE-2018-16976: prevent racy access to repos in process
    of migration to gitolite (boo#1108272)

  - 'info' learns new '-p' option to show only physical
    repos (as opposed to wild repos)

The update to 3.6.8 contains :

  - fix bug when deleting *all* hooks for a repo

  - allow trailing slashes in repo names

  - make pre-receive hook driver bail on non-zero exit of a
    pre-receive hook

  - allow templates in gitolite.conf (new feature)

  - various optimiations

The update to 3.6.7 contains :

  - allow repo-specific hooks to be organised into
    subdirectories, and allow the multi-hook driver to be
    placed in some other location of your choice

  - allow simple test code to be embedded within the
    gitolite.conf file; see contrib/utils/testconf for how.
    (This goes on the client side, not on the server)

  - allow syslog 'facility' to be changed, from the default
    of 'local0'

  - allow syslog 'facility' to be changed, from the default
    of replaced with a space separated list of members

The update to 3.6.6 contains :

  - simple but important fix for a future perl deprecation
    (perl will be removing '.' from @INC in 5.24)

  - 'perms' now requires a '-c' to activate batch mode
    (should not affect interactive use but check your
    scripts perhaps?)

  - gitolite setup now accepts a '-m' option to supply a
    custom message (useful when it is used by a script)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1108272"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected gitolite package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:gitolite");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/10/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/09");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.0|SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0 / 42.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);



flag = 0;

if ( rpm_check(release:"SUSE15.0", reference:"gitolite-3.6.9-lp150.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"gitolite-3.6.9-4.3.1") ) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gitolite");
}
VendorProductVersionCPE
novellopensusegitolitep-cpe:/a:novell:opensuse:gitolite
novellopensuse15.0cpe:/o:novell:opensuse:15.0
novellopensuse42.3cpe:/o:novell:opensuse:42.3

Related

openvas 4
amazon 1
suse 1
nessus 5
fedora 3
cvelist 1
prion 1
osv 1
cve 1
debiancve 1
ubuntucve 1
mageia 1
nvd 1
openvas
openvas
Fedora Update for gitolite3 FEDORA-2018-dc060c6f2a
2018-09-22 00:00:00
Mageia: Security Advisory (MGASA-2018-0434)
2022-01-28 00:00:00
openSUSE: Security Advisory for gitolite (openSUSE-SU-2018:3035-1)
2018-10-06 00:00:00
amazon
amazon
Important: gitolite3
2018-10-17 22:01:00
suse
suse
Security update for gitolite (moderate)
2018-10-05 21:10:02
nessus
nessus
Fedora 28 : 1:gitolite3 (2018-dc060c6f2a)
2019-01-03 00:00:00
Fedora 29 : 1:gitolite3 (2018-d0bac4ff3b)
2019-01-03 00:00:00
Amazon Linux AMI : gitolite3 (ALAS-2018-1092)
2018-10-19 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: gitolite3-3.6.9-1.fc28
2018-09-21 07:42:35
[SECURITY] Fedora 27 Update: gitolite3-3.6.9-1.fc27
2018-09-22 19:46:30
[SECURITY] Fedora 29 Update: gitolite3-3.6.9-1.fc29
2018-09-21 05:45:34
cvelist
cvelist
CVE-2018-16976
2022-10-03 16:22:12
prion
prion
Design/Logic Flaw
2018-09-12 22:29:00
osv
osv
CVE-2018-16976
2018-09-12 22:29:00
cve
cve
CVE-2018-16976
2022-10-03 16:22:12
debiancve
debiancve
CVE-2018-16976
2022-10-03 16:22:12
ubuntucve
ubuntucve
CVE-2018-16976
2018-09-12 00:00:00
mageia
mageia
Updated gitolite packages fix security vulnerability
2018-11-03 14:55:18
nvd
nvd
CVE-2018-16976
2018-09-12 22:29:00

5.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:P/A:N

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

0.001 Low

EPSS

Percentile

47.9%

JSON
Related for OPENSUSE-2018-1118.NASL
openvas4amazon1suse1nessus5fedora3cvelist1prion1osv1cve1debiancve1ubuntucve1mageia1nvd1