Yesterday it was announced that a critical vulnerability 
(http://seclists.org/oss-sec/2014/q3/649) has been discovered in GNU Bash. By 
exploiting the vulnerability a user can execute arbitrary commands on the 
server. While these commands may not run with root privileges, it’s still a 
dangerous attack vector.

There are several ways to exploit the vulnerability; one of them is especially 
dangerous to Gitorious. Gitorious provides git repository access over ssh using 
a “git” user that by default has its shell set to bash. It is thus possible for a 
user with a Gitorious account who has uploaded a public key via the Gitorious web 
interface to execute malicious commands on the server.

We patched gitorious.org yesterday to fix this vulnerability and we’re 
keeping an eye on git-over-ssh access on our servers. We’re contacting our 
Gitorious Enterprise Edition customers regarding this security issue. If you’re 
managing your own instance of Gitorious, it is advised to upgrade the bash package 
ASAP.
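For anyone running their own instance, the two things worth checking are the ones this message calls out: whether the "git" service account's login shell is bash, and whether the installed bash still runs trailing commands from a function definition passed through the environment. The script below is an added example, not part of the original announcement and not Gitorious code; the passwd entries in it are constructed sample data, and the user name "git" and path /home/git are assumed to match the default Gitorious setup.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side checks for a
# service account whose login shell is bash on a host whose bash may still
# import shell functions from the environment.

# Constructed sample passwd-format text (not copied from any real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
git:x:1001:1001:Gitorious git user:/home/git:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# login_shell USER [PASSWD_TEXT]
# Print the login shell of USER, read from PASSWD_TEXT if given, otherwise
# from /etc/passwd. Prints nothing if the user does not exist.
login_shell() {
    user="$1"
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        cat /etc/passwd
    fi | while IFS=: read -r name _pw _uid _gid _gecos _home shell; do
        if [ "$name" = "$user" ]; then
            printf '%s\n' "$shell"
            break
        fi
    done
}

# bash_imports_env_functions
# Return 1 if the installed bash executes the command that follows a
# function body in an environment variable (the bug described above),
# 0 if it only imports the function, 2 if bash is not installed.
# The probe is harmless: on a vulnerable bash it just prints a marker.
bash_imports_env_functions() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env probe='() { :;}; echo FUNCTION_IMPORT_BUG' \
          bash -c 'echo probe-ran' 2>/dev/null)
    case "$out" in
        *FUNCTION_IMPORT_BUG*) return 1 ;;
        *) return 0 ;;
    esac
}

# shell_risk USER [PASSWD_TEXT]
# Combine both checks into a one-line verdict for USER.
shell_risk() {
    sh_path=$(login_shell "$@")
    case "$sh_path" in
        */bash)
            bash_imports_env_functions && rc=0 || rc=$?
            case "$rc" in
                0) echo "$1: shell is bash; installed bash does not run env functions" ;;
                1) echo "$1: shell is bash; installed bash is VULNERABLE, upgrade it" ;;
                *) echo "$1: shell is bash but no bash binary was found on PATH" ;;
            esac ;;
        "") echo "$1: no such user" ;;
        *)  echo "$1: shell is $sh_path, not bash" ;;
    esac
}

# Usage: run against the constructed sample, then against the live host.
shell_risk git "$SAMPLE_PASSWD"
shell_risk www-data "$SAMPLE_PASSWD"
shell_risk git
```

A patched bash still imports the function (that is by design); what the check looks for is the extra command after the function body being executed. If the "git" user's shell reports VULNERABLE, upgrading bash is the fix; changing the account's shell alone is not enough, since git-over-ssh on Gitorious relies on that shell to run the git commands.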
