From mboxrd@z Thu Jan  1 00:00:00 1970
From: cgit at cryptocrack.de (Lukas Fleischer)
Date: Mon, 29 Sep 2014 22:32:23 +0200
Subject: Integration with Bugzilla?
In-Reply-To: <5429A5F8.1050504@hupie.com>
References: <CAJFz9PrLjtcx=ne5S42PdgE7ggp_crP7vdaM=BvOvO+N5iqR3w@mail.gmail.com>
 <5429A06C.30707@hupie.com> <20140929183049.1785.85360@typhoon.lan>
 <5429A5F8.1050504@hupie.com>
Message-ID: <20140929203223.2104.57735@typhoon.lan>

On Mon, 29 Sep 2014 at 20:33:28, Ferry Huberts wrote:
> [...]
> my server is guaranteed to have bash, so no need to change it.
> but thanks for the hint anyway :-)
> 

I am not (only) talking about portability here. My main concern is the
current spate of bash vulnerabilities. As John pointed out earlier [1],
these can be used to remotely exploit any cgit setup that uses a bash
filter. We currently have at least five CVEs, some of which are very
critical. So if you really want to use bash, you should at least closely
follow the developments and always update your bash binary when there's
a new security patch.

> also, this script is a very minor modification of the script that's in 
> the source tree.
> 
> -- 
> Ferry Huberts
> 

[1] http://lists.zx2c4.com/pipermail/cgit/2014-September/002236.html