List: oss-security
Subject: Re: [oss-security] Fossil-SCM patch fixes RCE in all historic versions
From: Salvatore Bonaccorso <carnil () debian ! org>
Date: 2020-08-25 13:38:47
Message-ID: 20200825133847.GA1566487 () eldamar ! local
Hi,
On Thu, Aug 20, 2020 at 11:15:41AM -0400, Richard Hipp wrote:
> Researcher Max Justicz discovered a potential RCE and other
> vulnerabilities in the Fossil distributed version control system.
> (https://fossil-scm.org/) Patches to address these issues are now
> available for download. Package maintainers who bundle Fossil are
> encouraged to update their packages without unnecessary delay.
>
> All vulnerabilities require a pre-existing trust relationship between
> the victim and the attacker. In other words, the attacker must be
> either a site administrator, or someone with check-in privileges on
> the project. There are no known vulnerabilities to servers from web
> users entering tickets or forum messages or wiki or doing other
> on-line operations. The attacks require the ability to push, at
> least, and the most serious RCE problem requires the ability to
> configure a server in malicious ways. If you are unable to upgrade to
> one of the patched versions of Fossil, then you are encouraged at
> least to know well the people from whom you clone or pull.
>
> Precompiled binaries and source tarballs for the patched versions of
> Fossil are available on the Fossil download page
> (http://fossil-scm.org/fossil/uv/download.html). However, the dozens
> of check-ins that went into generating these patches, and the tickets
> that describe the specifics of the vulnerabilities, will be embargoed
> for a few days.
>
> See the thread on the Fossil Forum
> (https://fossil-scm.org/forum/info/a05ae3ce7760daf6) for follow-up
> information or to communicate directly with the Fossil developers.
FWIW, the RCE issue has been assigned CVE-2020-24614 by MITRE.
Regards,
Salvatore