Message-ID: <CAAYo3Bub_P6pNiyPJLrVY2JeBLeOE_1i_eaf+3HU=gcdO9c8RQ@mail.gmail.com>
Date: Tue, 24 Sep 2019 15:15:52 +1000
From: Atlassian <security@...assian.com>
To: bugtraq@...urityfocus.com
Subject: Bitbucket Server security advisory 2019-09-18

This email refers to the advisory found at
https://confluence.atlassian.com/x/Czc4Og .


CVE ID:

* CVE-2019-15000.


Product: Bitbucket Server and Bitbucket Data Center.

Affected Bitbucket Server and Bitbucket Data Center product versions:

version < 5.16.10
6.0.0 <= version < 6.0.10
6.1.0 <= version < 6.1.8
6.2.0 <= version < 6.2.6
6.3.0 <= version < 6.3.5
6.4.0 <= version < 6.4.3
6.5.0 <= version < 6.5.2


Fixed Bitbucket Server and Bitbucket Data Center product versions:

* for 5.16.x, Bitbucket Server and Bitbucket Data Center 5.16.10 has been
released with a fix for this issue.
* for 6.0.x, Bitbucket Server and Bitbucket Data Center 6.0.10 has been released
with a fix for this issue.
* for 6.1.x, Bitbucket Server and Bitbucket Data Center 6.1.8 has been released
with a fix for this issue.
* for 6.2.x, Bitbucket Server and Bitbucket Data Center 6.2.6 has been released
with a fix for this issue.
* for 6.3.x, Bitbucket Server and Bitbucket Data Center 6.3.5 has been released
with a fix for this issue.
* for 6.4.x, Bitbucket Server and Bitbucket Data Center 6.4.3 has been released
with a fix for this issue.
* for 6.5.x, Bitbucket Server and Bitbucket Data Center 6.5.2 has been released
with a fix for this issue.


Summary:
This advisory discloses a critical severity security vulnerability. Versions of
Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for
5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from
version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0
before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the
fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for
6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are
affected by this vulnerability.



Customers who have upgraded Bitbucket Server and Bitbucket Data Center to
version 5.16.10 or 6.0.10 or 6.1.8 or 6.2.6 or 6.3.5 or 6.4.3 or 6.5.2 or 6.6.0
are not affected.

Customers who have downloaded and installed any of the following Bitbucket Server
and Bitbucket Data Center versions should upgrade their installations immediately
to fix this vulnerability:

* less than 5.16.10 (the fixed version for 5.16.x)
* >= 6.0.0 but less than 6.0.10 (the fixed version for 6.0.x)
* >= 6.1.0 but less than 6.1.8 (the fixed version for 6.1.x)
* >= 6.2.0 but less than 6.2.6 (the fixed version for 6.2.x)
* >= 6.3.0 but less than 6.3.5 (the fixed version for 6.3.x)
* >= 6.4.0 but less than 6.4.3 (the fixed version for 6.4.x)
* >= 6.5.0 but less than 6.5.2 (the fixed version for 6.5.x)



Argument Injection - CVE-2019-15000

Severity:
Atlassian rates the severity level of this vulnerability as critical, according
to the scale published in our Atlassian severity levels. The scale allows us to
rank the severity as critical, high, moderate or low.
This is our assessment and you should evaluate its applicability to your own IT
environment.


Description:

Bitbucket Server and Bitbucket Data Center had an argument injection
vulnerability, allowing an attacker to inject additional arguments into Git
commands, which could lead to remote code execution. Remote attackers can
exploit this argument injection vulnerability if they are able to access a Git
repository in Bitbucket Server or Bitbucket Data Center. If public access is
enabled for a project or repository, then attackers are able to exploit this
issue anonymously.
Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed
version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for
6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from
version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0
before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the
fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version
for 6.5.x) are affected by this vulnerability. This issue can be tracked at:
https://jira.atlassian.com/browse/BSERV-11947 .
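The advisory names the vulnerability class (argument injection into Git commands) but not the affected code path. The following added example, which is not Atlassian's code and uses constructed repository paths and ref names, shows the general pattern behind that class: an argv built by splicing a caller-controlled value next to git's options, beside a hardened builder that allow-lists the value and places `--` before it so git reads it as an operand only.

```python
import re
import subprocess

# Allow-list for ref names supplied by an untrusted caller. Deliberately
# strict; it cannot start with '-'. For Git's exact rules, run
# `git check-ref-format` as a final check before use.
SAFE_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]*$")


def build_git_argv_unsafe(repo_dir, ref):
    """Vulnerable pattern (the argument-injection class behind
    CVE-2019-15000): the caller-controlled value is spliced straight into
    argv, so a value beginning with '-' is parsed by git as an option
    rather than as a ref name. Kept only as the 'before' for comparison."""
    return ["git", "-C", repo_dir, "log", "--oneline", ref]


def build_git_argv_safe(repo_dir, ref):
    """Hardened pattern: validate against the allow-list, reject '..'
    sequences, and put '--' before the operand so git treats everything
    after it as a positional argument, never as an option."""
    if not SAFE_REF.match(ref) or ".." in ref:
        raise ValueError(f"refusing suspicious ref name: {ref!r}")
    return ["git", "-C", repo_dir, "log", "--oneline", "--", ref]


def untrusted_operand_is_option(argv, operand):
    """Audit helper: would git parse the untrusted operand as an option?
    It would when the operand starts with '-' and no '--' precedes it."""
    idx = argv.index(operand)
    return operand.startswith("-") and "--" not in argv[:idx]


def run_git(argv):
    """Execute an argv list without a shell. The list form keeps each element
    a separate argument, so shell quoting is not the issue here; argument
    injection still happens if the argv itself was built unsafely."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)
```

The audit helper is what a code reviewer would apply to any internal wrapper that runs git on behalf of a request: every request-derived value must either match an allow-list or sit after `--`.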



Fix:

To address this issue, we've released the following versions containing a fix:

* Bitbucket Server and Bitbucket Data Center version 5.16.10
* Bitbucket Server and Bitbucket Data Center version 6.0.10
* Bitbucket Server and Bitbucket Data Center version 6.1.8
* Bitbucket Server and Bitbucket Data Center version 6.2.6
* Bitbucket Server and Bitbucket Data Center version 6.3.5
* Bitbucket Server and Bitbucket Data Center version 6.4.3
* Bitbucket Server and Bitbucket Data Center version 6.5.2
* Bitbucket Server and Bitbucket Data Center version 6.6.0

Remediation:

Upgrade Bitbucket Server and Bitbucket Data Center to version 6.6.0 or higher.

The vulnerability and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Bitbucket Server and Bitbucket Data Center 5.16.x and cannot
upgrade to 6.6.0, upgrade to version 5.16.10.
If you are running Bitbucket Server and Bitbucket Data Center 6.0.x and cannot
upgrade to 6.6.0, upgrade to version 6.0.10.
If you are running Bitbucket Server and Bitbucket Data Center 6.1.x and cannot
upgrade to 6.6.0, upgrade to version 6.1.8.
If you are running Bitbucket Server and Bitbucket Data Center 6.2.x and cannot
upgrade to 6.6.0, upgrade to version 6.2.6.
If you are running Bitbucket Server and Bitbucket Data Center 6.3.x and cannot
upgrade to 6.6.0, upgrade to version 6.3.5.
If you are running Bitbucket Server and Bitbucket Data Center 6.4.x and cannot
upgrade to 6.6.0, upgrade to version 6.4.3.
If you are running Bitbucket Server and Bitbucket Data Center 6.5.x and cannot
upgrade to 6.6.0, upgrade to version 6.5.2.


For a full description of the latest version of Bitbucket Server and Bitbucket
Data Center, see the release notes found at
https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+release+notes.
You can download the latest version of Bitbucket Server and Bitbucket Data
Center from the download centre found at
https://www.atlassian.com/software/bitbucket/download.



Support:
If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.

