A directory traversal vulnerability was discovered in cgit prior to 1.2.1. The issue dates back to cgit-0.8 (commit https://git.zx2c4.com/cgit/commit/?id=02a545e63), from 2008.

When enable-http-clone is enabled (as it is by default), it is trivial to retrieve any file readable by the webserver account. For example, with cgit serving a repository in /var/lib/git, the following URL can be used to read /etc/passwd:

http://localhost/cgit/git.git/objects/?path=../../../../../etc/passwd

Setting enable-http-clone=0 in /etc/cgitrc can be used to mitigate the issue.

Note: the cgit cache must be manually cleared or the 5 minute TTL must expire regardless of whether the above mitigation is used or the patched packages are deployed.

This issue was reported by Jann Horn.

References:
https://lists.zx2c4.com/pipermail/cgit/2018-August/004176.html

Upstream Patch:
https://git.zx2c4.com/cgit/commit/?id=53efaf30b

Updates for all Fedora and EPEL releases were created earlier today, prior to the assignment of the CVE:

F27: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a407b85547
F28: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a5a7f83e1b
EL6: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-40277073c5
EL7: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-38987c542e
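
To review web server access logs for requests of the form shown in this report, the following added example (not part of the original report or of cgit) lists requests to an objects/ endpoint whose path parameter contains a ".." component. It assumes Combined Log Format and covers only the query-string form shown above; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed Combined Log Format: client ... "METHOD target PROTOCOL" status ...
LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def traversal_paths(target):
    """Return decoded path= values with a '..' component, for objects/ requests only."""
    parts = urlsplit(target)
    if not parts.path.rstrip("/").endswith("/objects"):
        return []
    # parse_qs percent-decodes, so %2e%2e%2f is seen as ../
    values = parse_qs(parts.query, keep_blank_values=True).get("path", [])
    # Compare whole components so a name such as "v1..2" is not flagged.
    return [v for v in values if ".." in v.replace("\\", "/").split("/")]

def scan(lines):
    """Return (client, status, decoded_path) for each matching request."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for path in traversal_paths(target):
            hits.append((client, int(status), path))
    return hits

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Aug/2018:10:00:00 +0000] "GET /cgit/git.git/objects/'
    '?path=../../../../../etc/passwd HTTP/1.1" 200 1532 "-" "curl"',
    '192.0.2.20 - - [03/Aug/2018:10:00:05 +0000] "GET /cgit/git.git/objects/'
    '?path=info/packs HTTP/1.1" 200 54 "-" "git"',
    '198.51.100.7 - - [03/Aug/2018:10:01:00 +0000] "GET /cgit/git.git/objects/'
    '?path=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1532 "-" "curl"',
    '192.0.2.20 - - [03/Aug/2018:10:02:00 +0000] "GET /cgit/git.git/objects/'
    '?path=pack/pack-v1..2.idx HTTP/1.1" 404 0 "-" "git"',
]

if __name__ == "__main__":
    for client, status, path in scan(SAMPLE_LOG):
        print(f"{client} status={status} path={path}")
```

Any hit logged before the fix or mitigation was in place identifies a file path that should be treated as disclosed to that client.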