Security fix for Gerrit – Please update your TeamForge Git Integration if you use branch based permissions

This week, we learned about a security problem in core Gerrit related to branch-based read permissions. The original issue can be found here.

If you do not use branch-based read permissions on your Gerrit server, you are not affected at all. The default repository categories configured with TeamForge do not use them, so as long as you do not have any repositories using the custom repository category, there is no issue at all. If you are using the custom repository category and have configured branch-based read permissions, it is possible under certain conditions (if and only if the attacker knows the SHA-1 of a commit that is normally not available to him) to get access to protected commits with a modified Git client. This access is only possible for users who already have access to at least some branch of the repository, so in the worst case it is available to TF project members who should only have partial read access (in no case to the outside world or to non-project members).

To fix this issue, upgrade our Gerrit integration to the newest version, 7.1.2:
yum update ctf-git-integration
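As an added example (not part of the original post and not CollabNet's code), the following Python script does the two checks an administrator would want after reading the above: it scans a Gerrit project.config for read rules scoped to something narrower than refs/*, which is what "branch-based read permissions" means in Gerrit's access configuration, and it compares an installed ctf-git-integration version string against the fixed version 7.1.2. It assumes Gerrit's standard git-config style project.config layout ([access "refs/..."] sections with read = lines); the sample config and the version strings are constructed for the demonstration.

```python
"""
Added example (not from the CollabNet post): find branch-scoped read rules in a
Gerrit project.config and check that ctf-git-integration is at least 7.1.2.
Assumptions: Gerrit's git-config style project.config format; the sample config
and version strings below are constructed for the demo.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample project.config (the file Gerrit keeps in refs/meta/config).
SAMPLE_PROJECT_CONFIG = """\
[project]
\tdescription = Custom-category repository (constructed sample)
[access "refs/*"]
\tread = group Project Members
\tpush = group Developers
[access "refs/heads/release/*"]
\tread = group Release Managers
\tread = deny group Contractors
[access "refs/tags/*"]
\tpushTag = group Developers
[access "refs/heads/master"]
\tsubmit = group Developers
"""

SECTION_RE = re.compile(r'^\[access\s+"([^"]+)"\]\s*$')
RULE_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')


def parse_access_rules(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {ref_pattern: [(permission, value), ...]} for every [access] section."""
    rules: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()  # drop git-config style comments
        if not line.strip():
            continue
        if line.startswith('['):
            m = SECTION_RE.match(line)
            current = m.group(1) if m else None  # non-access sections are skipped
            if current is not None:
                rules.setdefault(current, [])
            continue
        if current is None:
            continue
        m = RULE_RE.match(line)
        if m:
            rules[current].append((m.group(1), m.group(2)))
    return rules


def branch_scoped_read_refs(text: str) -> List[str]:
    """Ref patterns narrower than refs/* that carry their own read rule
    (allow or deny). A non-empty result means branch-based read permissions
    are in use, i.e. the advisory applies to this repository."""
    return sorted(
        ref for ref, perms in parse_access_rules(text).items()
        if ref != 'refs/*' and any(p == 'read' for p, _ in perms)
    )


def version_tuple(v: str) -> Tuple[int, ...]:
    """'7.1.2' -> (7, 1, 2); a trailing RPM release suffix such as '-1.el6' is ignored."""
    return tuple(int(x) for x in re.findall(r'\d+', v.split('-', 1)[0]))


def is_fixed(installed: str, fixed: str = '7.1.2') -> bool:
    """True when the installed ctf-git-integration version is at least the fixed one."""
    return version_tuple(installed) >= version_tuple(fixed)


if __name__ == '__main__':
    affected = branch_scoped_read_refs(SAMPLE_PROJECT_CONFIG)
    print('branch-scoped read rules on:', affected or 'none')
    # On a real host the version string would come from:
    #   rpm -q --qf '%{VERSION}' ctf-git-integration
    for v in ('7.1.1', '7.1.2', '7.2.0-1.el6'):
        print(v, 'fixed' if is_fixed(v) else 'needs update')
```

Run it against the project.config of each repository in the custom category (fetched from refs/meta/config); any repository where branch_scoped_read_refs returns a non-empty list is one where the update matters.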

For further questions, please contact your CollabNet contact or comment on this blog post.

Best, Johannes

Johannes Nicolai

Johannes Nicolai is CollabNet’s Development Manager leading all Git and Gerrit related development efforts. Furthermore, he is responsible for CollabNet Connect /synch, CollabNet’s platform to integrate TeamForge with third party ALM platforms. Johannes holds a Master of Science in IT Systems Engineering from Hasso Plattner Institut Potsdam and is a Certified Scrum Master. Before joining CollabNet five years ago, he was doing consulting on user centric design, developing cryptographic software and architecting SAP integrations. He is an Open Source enthusiast and contributes to many projects (check out https://www.ohloh.net/accounts/10619 for details).

Posted in Git, TeamForge
