Dear Debian Security Team, I believe that cgit versions before 1.0 are affected by both CVE-2016-2315 and CVE-2016-2324. I did not include the latter when reporting this bug initially since it was not mentioned in the release announcement for cgit 1.0.
Regards, Peter
