Included version is 1.6, but should be updated to 1.7.5.1
Status:
Closed (works as designed)
Comments
Submitted by JamieCameron on Thu, 05/19/2011 - 13:46 Comment #1
I looked into this, but it turned out that the 1.7 version requires commands like git-rev-list that are not part of all Git packages, and so wouldn't work on many Linux distros. So I will need to stick with 1.6 for now..
Submitted by helpmin on Thu, 05/19/2011 - 17:53 Comment #2
But then you should switch at least to version 1.6.6.3 ... because of security issues in older versions?
There have been 36 v1.6 releases after the version that you included.
Submitted by helpmin on Thu, 05/19/2011 - 17:57 Comment #3
Actually gitweb v1.7 also had some security fixes. I am not sure whether they were also fixed in v1.6? Probably not.
Here is an example
http://securitytracker.com/id/1024918
Submitted by JamieCameron on Thu, 05/19/2011 - 19:15 Comment #4
That's annoying .. I'd love to support the newer version, but on many systems it doesn't work :-(
However, if your system has gitweb installed from a package, Virtualmin will use it instead of the version we package.
Submitted by helpmin on Thu, 05/19/2011 - 19:27 Comment #5
Just curious, what system doesn't it work on? Even then, wouldn't it be better to make this problem part of the installation instructions?
I think including an outdated version that contains security issues sounds very "hackish" to me :-)
I am not sure whether virtualmin really picks the new gitweb.cgi version. This is why I noticed the version issue.
Submitted by JamieCameron on Thu, 05/19/2011 - 23:29 Comment #6
Ubuntu 8.04 and CentOS 5 for example have git, but not git-rev-list. So if I was to go to gitweb 1.7, on those systems it wouldn't work at all ..
Where is gitweb.cgi on your system? The issue may be that Virtualmin is copying it from the wrong location ..
Submitted by helpmin on Fri, 05/20/2011 - 00:08 Comment #7
There is no git on CentOS 5.6 (or even though I am on CentOS I missed it?). See also distrowatch. There doesn't seem to be git on CentOS 4 and Ubuntu 8 either? See also distrowatch. Debian 5 only has Git 1.5. That means somebody has to install git from an external source anyway?
Ubuntu 10, Redhat 6, Debian 6 have git 1.7.
Not sure why you need to go this route?
Submitted by JamieCameron on Fri, 05/20/2011 - 00:26 Comment #8
I figured out a simple solution for this - as long as the user is running git 1.7 or later, Virtualmin will use the newer version of gitweb. That way the users who do have a git with the right commands will get the more secure and up to date version ..
Submitted by helpmin on Fri, 05/20/2011 - 00:33 Comment #9
Sure, but really a bit surprised why you want to support users that didn't install the right version by including an outdated and insecure gitweb version. But you can close this ticket, since I have a workaround anyway.
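The version gate described in comment #8, sketched as an added example (this is not Virtualmin's code; the function names and the `gitweb-1.6` / `gitweb-1.7` labels are hypothetical). It compares version components numerically, so 1.10 counts as newer than 1.7, and it falls back to the older bundle when the version string cannot be parsed.

```shell
#!/bin/sh
# Added example, not Virtualmin's implementation. All names are hypothetical.

# Extract the dotted version from `git --version` style output, e.g.
# "git version 1.7.5.1" -> "1.7.5.1". Vendor suffixes are dropped.
# Prints nothing when the input does not look like git's version line.
parse_git_version() {
    printf '%s\n' "$1" |
        sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p' |
        sed 's/\.$//'
}

# Return 0 if dotted version $1 >= $2. Components are compared as
# integers; a plain string comparison would rank 1.10 below 1.7.
version_at_least() {
    have=$1
    want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*}; w=${want%%.*}
        h=${h:-0}; w=${w:-0}          # missing components count as 0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# Pick which bundled gitweb to deploy from raw `git --version` output.
# The newer bundle is used only when git is provably 1.7 or later.
choose_gitweb() {
    ver=$(parse_git_version "$1")
    if [ -n "$ver" ] && version_at_least "$ver" 1.7; then
        echo "gitweb-1.7"
    else
        echo "gitweb-1.6"
    fi
}

# Run against the local git, if any (absent git yields the older bundle).
choose_gitweb "$(git --version 2>/dev/null || true)"
```

A deployment that lands on the older bundle is still running the gitweb release the thread flags as having known security fixes outstanding, so logging that outcome makes affected hosts easy to find.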