[SECURITY] Security vulnerabilities in Gerrit 2.9 and later


David Pursehouse

Jan 10, 2019, 10:45:13 PM1/10/19
to Repo and Gerrit Discussion
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Security vulnerabilities have been found in Gerrit. Releases are already
available to fix them.

Separate release announcements will follow for each of the releases, but
in the meantime please see below for summaries of the issues and fixed
versions.

* Vulnerability in git-upload-pack in protocol v0 bidirectional transports.

Summary: AdvertiseRefsHook was not called for git-upload-pack in protocol
v0 bidirectional transports, meaning that wants aren't validated and a
user can fetch anything that is pointed to by any ref (using fetch-by-sha1),
as long as they can guess the object name.

Affected Versions: At least 2.9 and later. Possibly also earlier, but we
don't support those any more.

Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Access Complexity: High
Authentication: Multiple
Gained Access: None

Fixed Versions: 2.9.5, 2.10.8, 2.11.12, 2.12.9, 2.13.12, 2.14.18, 2.15.8, 2.16.3

* Vulnerability in OAuth and OpenID auth schemes.

Summary: When multiple authentication providers are in use, a user's account
can be taken over by creating an account on a different provider with exactly
the same username as the existing Gerrit account.

Affected Versions: 2.14.7 and later.

Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial
Access Complexity: Low
Authentication: None
Gained Access: Potential to gain administrator privilege

Fixed Versions: 2.14.18, 2.15.8, 2.16.3

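The first issue in the advisory is easier to reason about with a toy model of the want check that was being skipped. The following Python is an added illustration, not Gerrit or JGit code: the sample object graph, the ref names and the function names are all constructed. It contrasts an upload-pack that filters the advertisement but never checks the client's "want" lines against it (the failure mode described above) with one that serves a want only if it is reachable from a ref the caller was actually shown.

```python
# Added illustration (not Gerrit or JGit code): a toy model of the
# git-upload-pack want check the advisory says was skipped for protocol v0
# bidirectional transports. Names and the sample repository are constructed.
from collections import deque

# Constructed sample object graph: commit id -> parent commit ids.
COMMITS = {
    "a1": [],
    "b2": ["a1"],
    "c3": ["b2"],   # tip of refs/heads/master (readable by everyone)
    "d4": ["a1"],
    "e5": ["d4"],   # tip of refs/heads/secret (restricted)
}

# Constructed refs: ref name -> commit id.
REFS = {
    "refs/heads/master": "c3",
    "refs/heads/secret": "e5",
}


def advertise_refs(refs, readable_ref_names):
    """Play the AdvertiseRefsHook role: only refs the caller may read are
    advertised. Returns the filtered name -> commit mapping."""
    return {name: sha for name, sha in refs.items() if name in readable_ref_names}


def reachable_from(tips, commits):
    """All commits reachable from the given tips (breadth-first walk)."""
    seen, queue = set(), deque(tips)
    while queue:
        sha = queue.popleft()
        if sha in seen:
            continue
        seen.add(sha)
        queue.extend(commits.get(sha, []))
    return seen


def upload_pack_unvalidated(wants, refs, readable_ref_names, commits):
    """The failure mode in the advisory: the hook filters what is advertised,
    but the 'want' lines are never checked against that advertisement, so a
    client that already knows (or guesses) the id of a restricted commit is
    served it simply by sending 'want <sha>'."""
    advertise_refs(refs, readable_ref_names)          # result not used for wants
    return sorted(w for w in wants if w in commits)   # everything that exists is served


def upload_pack_validated(wants, refs, readable_ref_names, commits):
    """Hardened behaviour: a want is served only if it is reachable from a ref
    that was advertised to this caller. Returns (served, rejected)."""
    advertised = advertise_refs(refs, readable_ref_names)
    allowed = reachable_from(advertised.values(), commits)
    served = sorted(w for w in wants if w in allowed)
    rejected = sorted(w for w in wants if w not in allowed)
    return served, rejected


if __name__ == "__main__":
    # A caller who may read only master, but knows the id of the secret tip.
    readable = {"refs/heads/master"}
    wants = ["c3", "e5"]
    print("unvalidated:", upload_pack_unvalidated(wants, REFS, readable, COMMITS))
    print("validated:  ", upload_pack_validated(wants, REFS, readable, COMMITS))
```

The reachability rule is the important part: checking a want against the advertised tips alone would still reject legitimate fetch-by-sha1 of older commits on a readable branch, while checking it against everything in the repository is exactly the bug. Upstream git exposes the same policy choice through the uploadpack.allowTipSHA1InWant, uploadpack.allowReachableSHA1InWant and uploadpack.allowAnySHA1InWant settings.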
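The second issue is a classic account-linking mistake: treating the username a provider reports as the identity, rather than the (provider, subject) pair. The Python below is an added illustration, not Gerrit's account code; the provider names, subjects and the takeover scenario are constructed. It runs the scenario from the advisory (an existing administrator account, then a login from a different provider reporting the same username) against a username-keyed lookup and against a provider-scoped one.

```python
# Added illustration (not Gerrit's code): why keying account lookup on the
# bare username lets a second identity provider take over an existing
# account, and a lookup keyed on (provider, subject) that does not.
# Provider names and sample identities are constructed.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ExternalIdentity:
    provider: str   # auth scheme that issued it, e.g. "openid" / "oauth:acme" (hypothetical)
    subject: str    # the provider's stable identifier for the user
    username: str   # the username the provider reports


@dataclass
class Account:
    account_id: int
    username: str
    identities: set = field(default_factory=set)
    is_admin: bool = False


class AccountStore:
    def __init__(self):
        self._accounts = {}
        self._next_id = 1000000

    def create(self, identity, is_admin=False):
        acct = Account(self._next_id, identity.username, {identity}, is_admin)
        self._accounts[acct.account_id] = acct
        self._next_id += 1
        return acct

    def by_username(self, username):
        return next((a for a in self._accounts.values() if a.username == username), None)

    def by_identity(self, provider, subject):
        return next((a for a in self._accounts.values()
                     if any(i.provider == provider and i.subject == subject
                            for i in a.identities)), None)


def login_by_username(store, identity):
    """Vulnerable linking: any provider that reports an existing username is
    attached to that account, so the caller inherits its privileges."""
    acct = store.by_username(identity.username)
    if acct is None:
        return store.create(identity)
    acct.identities.add(identity)
    return acct


def login_by_identity(store, identity):
    """Hardened linking: an account is found only through the exact
    (provider, subject) pair it was registered with. A new identity whose
    username collides with an existing account is refused, not linked."""
    acct = store.by_identity(identity.provider, identity.subject)
    if acct is not None:
        return acct
    if store.by_username(identity.username) is not None:
        raise PermissionError(f"username {identity.username!r} already belongs to another account")
    return store.create(identity)


def takeover_succeeds(login):
    """Run the advisory's scenario against a login function and report whether
    the second provider's user ends up on the administrator's account."""
    store = AccountStore()
    admin = login(store, ExternalIdentity("openid", "https://idp-a.example/id/42", "admin"))
    admin.is_admin = True
    try:
        attacker = login(store, ExternalIdentity("oauth:acme", "acme-user-9001", "admin"))
    except PermissionError:
        return False
    return attacker.account_id == admin.account_id and attacker.is_admin


if __name__ == "__main__":
    print("username-keyed lookup taken over:", takeover_succeeds(login_by_username))
    print("identity-keyed lookup taken over:", takeover_succeeds(login_by_identity))
```

Refusing the colliding login outright is the conservative choice for the model; a deployment that wants to let one person link several providers to one account needs an explicit, authenticated linking step from the existing session, never an implicit match on a name the new provider controls.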