diff -Nru gitolite3-3.6.9/CHANGELOG gitolite3-3.6.11/CHANGELOG
--- gitolite3-3.6.9/CHANGELOG 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/CHANGELOG 2019-01-08 09:28:59.000000000 +0000
@@ -1,3 +1,9 @@
+2019-01-08 v3.6.11 fix security issue in 'rsync' (bundle helper); see commit
+ 5df2b81 for more
+
+2018-09-30 v3.6.10 fix up boo-boo caused by previous release; see mails on
+ list for details
+
 2018-08-07 v3.6.9 prevent racy access to repos in process of migration to
 gitolite
 
diff -Nru gitolite3-3.6.9/contrib/utils/testconf gitolite3-3.6.11/contrib/utils/testconf
--- gitolite3-3.6.9/contrib/utils/testconf 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/contrib/utils/testconf 2019-01-08 09:28:59.000000000 +0000
@@ -72,6 +72,14 @@
 # which will give you a much nicer output. The only issue is if you have
 # include files, you will need to put that in the file whose name is sorted
 # first!
+#
+# Using a non-default ".gitolite.rc"
+# ==================================
+#
+# If your conf needs a non-default `~/.gitolite.rc`, copy the file you need as
+# "testconf.gitolite.rc" in the root directory of the gitolite-admin clone
+# where you are running "testconf". (Whether you commit this file to the
+# gitolite-admin repo, or keep it local/untracked, is your call).
 # ----------------------------------------------------------------------
 od=$PWD
@@ -106,6 +114,9 @@
 mkdir -p $testconf/.gitolite/conf
 cp -a $od/conf/* $testconf/.gitolite/conf/
 
+# copy rc from $od, if it exists
+[ -f $od/testconf.gitolite.rc ] && cp $od/testconf.gitolite.rc $testconf/.gitolite.rc
+
 # compile+
 gitolite compile
diff -Nru gitolite3-3.6.9/debian/changelog gitolite3-3.6.11/debian/changelog
--- gitolite3-3.6.9/debian/changelog 2019-01-25 17:10:30.000000000 +0000
+++ gitolite3-3.6.11/debian/changelog 2019-01-25 12:32:05.000000000 +0000
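Review bot: The new copy line leaves `$od` and `$testconf` unquoted and ignores the exit status of `cp`, so a clone path containing a space, or an unreadable `testconf.gitolite.rc`, silently falls back to the default rc and the rest of the run tests a different configuration than the admin believes. The surrounding script (`cp -a $od/conf/* ...` just above) is written the same way, so this is a style point rather than a regression, but the rc is the one input here that changes how `gitolite compile` behaves, which makes it the line worth tightening: `[ -f "$od/testconf.gitolite.rc" ] && cp "$od/testconf.gitolite.rc" "$testconf/.gitolite.rc"`. The header comment added in the first hunk of this file could also say in one sentence that `.gitolite.rc` is Perl that gitolite loads, so a `testconf.gitolite.rc` committed to a shared gitolite-admin clone is executed for everyone who runs testconf from it.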
@@ -1,3 +1,19 @@
+gitolite3 (3.6.11-2) unstable; urgency=medium
+
+ * Point Vcs-* to salsa
+
+ -- David Bremner Fri, 25 Jan 2019 08:32:05 -0400
+
+gitolite3 (3.6.11-1) unstable; urgency=medium
+
+ * Bug fix: "CVE-2018-20683: security issue in optional bundle helper
+ ('rsync' command)", thanks to Salvatore Bonaccorso
+ (Closes: #918849).
+ * Convert to source format 3.0 (quilt).
+ * Bump debhelper compat to 9
+
+ -- David Bremner Fri, 25 Jan 2019 08:15:17 -0400
+
 gitolite3 (3.6.9-1) unstable; urgency=high
 
 * New upstream version
diff -Nru gitolite3-3.6.9/debian/compat gitolite3-3.6.11/debian/compat
--- gitolite3-3.6.9/debian/compat 2019-01-25 17:10:30.000000000 +0000
+++ gitolite3-3.6.11/debian/compat 2019-01-25 12:32:05.000000000 +0000
@@ -1 +1 @@
-7
+9
diff -Nru gitolite3-3.6.9/debian/control gitolite3-3.6.11/debian/control
--- gitolite3-3.6.9/debian/control 2019-01-25 17:10:30.000000000 +0000
+++ gitolite3-3.6.11/debian/control 2019-01-25 12:32:05.000000000 +0000
@@ -3,12 +3,12 @@
 Priority: optional
 Maintainer: David Bremner
 Uploaders: Rhonda D'Vine
-Build-Depends: quilt, debhelper
+Build-Depends: debhelper
 Build-Depends-Indep: po-debconf
 Standards-Version: 3.9.6
 Homepage: http://github.com/sitaramc/gitolite
-Vcs-Browser: http://git.deb.at/w/pkg/gitolite.git
-Vcs-Git: git://git.deb.at/pkg/gitolite.git
+Vcs-Browser: https://salsa.debian.org/gitolite-team/gitolite3
+Vcs-Git: https://salsa.debian.org/gitolite-team/gitolite3.git
 
 Package: gitolite3
 Architecture: all
diff -Nru gitolite3-3.6.9/debian/patches/fix-paths gitolite3-3.6.11/debian/patches/fix-paths
--- gitolite3-3.6.9/debian/patches/fix-paths 2019-01-25 17:10:30.000000000 +0000
+++ gitolite3-3.6.11/debian/patches/fix-paths 2019-01-25 12:32:05.000000000 +0000
@@ -1,4 +1,3 @@
-From b5f0db0a589f29774f24d44fa38beff5b4dd7192 Mon Sep 17 00:00:00 2001
 From: David Bremner
 Date: Sat, 20 Apr 2013 15:34:13 -0300
 Subject: [PATCH] override install paths.
@@ -7,12 +6,12 @@
 http://gitolite.com/gitolite/install.html
 
 ---
- src/gitolite | 2 +-
- src/gitolite-shell | 2 +-
+ src/gitolite | 2 +-
+ src/gitolite-shell | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/gitolite b/src/gitolite
-index 2498737..f929858 100755
+index c11e047..4fc9f7f 100755
 --- a/src/gitolite
 +++ b/src/gitolite
 @@ -35,7 +35,7 @@ written.
@@ -25,7 +24,7 @@ use lib $ENV{GL_LIBDIR};
 use Gitolite::Rc;
 
 diff --git a/src/gitolite-shell b/src/gitolite-shell
-index a3ec321..02e365a 100755
+index 072e0ff..322137e 100755
 --- a/src/gitolite-shell
 +++ b/src/gitolite-shell
 @@ -5,7 +5,7 @@
@@ -37,6 +36,3 @@ BEGIN {
 $ENV{GL_LIBDIR} = "$ENV{GL_BINDIR}/lib";
 }
 use lib $ENV{GL_LIBDIR};
---
-1.7.10.4
-
diff -Nru gitolite3-3.6.9/debian/rules gitolite3-3.6.11/debian/rules
--- gitolite3-3.6.9/debian/rules 2019-01-25 17:10:30.000000000 +0000
+++ gitolite3-3.6.11/debian/rules 2019-01-25 12:32:05.000000000 +0000
@@ -14,9 +14,7 @@
 GL_VERSION = $(shell dpkg-parsechangelog | sed -n -e 's/^Version: \(.*\)/\1 (Debian)/p')
-include /usr/share/quilt/quilt.make
-
-clean: unpatch
+clean:
 $(checkdir)
 $(checkroot)
@@ -30,7 +28,7 @@
 debian/gitolite.1: debian/gitolite-man.pod
 pod2man --center='User Commands' --release="$(GL_VERSION)" $< > $@
-install: patch debian/gitolite.1
+install: debian/gitolite.1
 $(checkdir)
 $(checkroot)
diff -Nru gitolite3-3.6.9/debian/source/format gitolite3-3.6.11/debian/source/format
--- gitolite3-3.6.9/debian/source/format 1970-01-01 00:00:00.000000000 +0000
+++ gitolite3-3.6.11/debian/source/format 2019-01-25 12:32:05.000000000 +0000
@@ -0,0 +1 @@
+3.0 (quilt)
diff -Nru gitolite3-3.6.9/README.markdown gitolite3-3.6.11/README.markdown
--- gitolite3-3.6.9/README.markdown 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/README.markdown 2019-01-08 09:28:59.000000000 +0000
@@ -213,7 +213,7 @@
 
 # contact and support
 
-Please see for mailing list and IRC
+Please see for mailing list and IRC
 info.
 
 # license
diff -Nru gitolite3-3.6.9/src/commands/rsync gitolite3-3.6.11/src/commands/rsync
--- gitolite3-3.6.9/src/commands/rsync 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/src/commands/rsync 2019-01-08 09:28:59.000000000 +0000
@@ -28,11 +28,6 @@
 (2) Add 'rsync' to the ENABLE list in the rc file
-
-GENERIC RSYNC SUPPORT
-
- TBD
-
 =cut
 
 =for usage
@@ -43,7 +38,7 @@
 Admins: see src/commands/rsync for setup instructions
 
 Users:
- rsync -P git@host:repo.bundle .
+ rsync git@host:repo.bundle .
 # downloads a file called ".bundle"; repeat as
 # needed till the whole thing is downloaded
 git clone repo.bundle repo
@@ -51,9 +46,8 @@
 git remote set-url origin git@host:repo
 git fetch origin
 # and maybe git pull, etc. to freshen the clone
-GENERIC RSYNC SUPPORT
-
- TBD
+ NOTE on options to the rsync command: you are only allowed to use the
+ "-v", "-n", "-q", and "-P" options.
 
 =cut
 
@@ -62,9 +56,9 @@
 # rsync driver program. Several things can be done later, but for now it
 # drives just the 'bundle' transfer.
 
-if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (-[-\w=.]+ )+\. (\S+)\.bundle$/ ) {
+if ( $ENV{SSH_ORIGINAL_COMMAND} =~ /^rsync --server --sender (?:-[vn]*(?:e\d*\.\w*)? )?\. (\S+)\.bundle$/ ) {
 
- my $repo = $2;
+ my $repo = $1;
 $repo =~ s/\.git$//;
 
 # all errors have the same message to avoid leaking info
@@ -81,7 +75,7 @@
 exit 0;
 }
 
-_warn "invalid rsync command '$ENV{SSH_ORIGINAL_COMMAND}'";
+_warn "Sorry, you are only allowed to use the '-v', '-n', '-q', and '-P' options.";
 usage();
 
 # ----------------------------------------------------------------------
diff -Nru gitolite3-3.6.9/src/gitolite-shell gitolite3-3.6.11/src/gitolite-shell
--- gitolite3-3.6.9/src/gitolite-shell 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/src/gitolite-shell 2019-01-08 09:28:59.000000000 +0000
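Review bot: The tightened pattern in the `@@ -62,9 +56,9 @@` hunk still anchors its tail with `$`, which in Perl also matches just before a trailing newline, and the repo capture `(\S+)` accepts any run of non-space bytes, including `..` and `/`; the lines that follow this hunk (the "all errors have the same message" block) presumably vet `$repo`, but that is outside what is shown, so a `\z` anchor here keeps the gate self-contained at no cost. The option group `(?:-[vn]*(?:e\d*\.\w*)? )?` is also hard to audit on one line: a `/x` layout naming each piece (the `-v`/`-n` short flags, rsync's own `-e<proto>.<caps>` marker, the lone `.` source argument) lets the next reviewer check it against the usage text in the `@@ -51,9 +46,8 @@` hunk, which lists `-q` and `-P` as allowed even though, as far as I know, the rsync client does not forward those to the `--server` side; a comment saying so removes the apparent mismatch. The rewrite below changes only `$` to `\z`; everything else is the same match.
```perl
if ( $ENV{SSH_ORIGINAL_COMMAND} =~ m{
        \A rsync [ ] --server [ ] --sender [ ]
        (?: -[vn]* (?: e\d*\.\w* )? [ ] )?   # at most one option word: -v/-n flags plus rsync's own
                                             # -e<proto>.<caps> marker; -q/-P appear to be client-side
                                             # only and are not forwarded here
        \. [ ]                               # the fixed "." source argument
        (\S+)\.bundle                        # repo name, vetted below before it is used
        \z                                   # \z rather than $: do not accept a trailing newline
    }x ) {

    my $repo = $1;
    # … unchanged: strip ".git", access check, transfer …
```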
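Review bot: The replacement `_warn` text in the `@@ -81,7 +75,7 @@` hunk no longer contains `$ENV{SSH_ORIGINAL_COMMAND}`, so if `_warn` is also what feeds the gitolite log in this script, the server now records only the generic sentence and an admin looking into a run of rejected rsync invocations has nothing to correlate. Keeping the user-facing wording generic is consistent with the "avoid leaking info" comment in the previous hunk, but the rejected command should still be retained server-side, e.g. `trace( 1, "rejected rsync command: $ENV{SSH_ORIGINAL_COMMAND}" );` immediately before the `_warn`, assuming `trace` from Gitolite::Common is in scope here as it is in the Common.pm and Load.pm hunks and that level 1 reaches the log; otherwise use whatever logging helper this file already imports.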
@@ -113,13 +113,6 @@
 $ENV{GL_REPO} = $repo;
 my $aa = ( $verb =~ 'upload' ? 'R' : 'W' );
 
- # catch rare race when moving repos into gitolite control
- _die "$aa any $repo $user DENIED by fallthru" .
- "\n(or you mis-spelled the reponame)"
- unless update_hook_present($repo);
- # this error message is exactly the same as that from elsewhere in the
- # code, for the usual reasons (avoid leaking information)
-
 # set up env vars from options set for this repo
 env_options($repo);
 
diff -Nru gitolite3-3.6.9/src/lib/Gitolite/Common.pm gitolite3-3.6.11/src/lib/Gitolite/Common.pm
--- gitolite3-3.6.9/src/lib/Gitolite/Common.pm 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/src/lib/Gitolite/Common.pm 2019-01-08 09:28:59.000000000 +0000
@@ -239,8 +239,6 @@
 $repo =~ s(^\./)();
 next if $repo =~ m(/$);
 # tolerate non-bare repos within ~/repositories but silently ignore them
-next unless update_hook_present($repo);
-# ignore repos that don't yet have the update hook
 push @phy_repos, $repo;
 }
 trace( 3, scalar(@phy_repos) . " physical repos found" );
diff -Nru gitolite3-3.6.9/src/lib/Gitolite/Conf/Load.pm gitolite3-3.6.11/src/lib/Gitolite/Conf/Load.pm
--- gitolite3-3.6.9/src/lib/Gitolite/Conf/Load.pm 2018-09-15 15:23:20.000000000 +0000
+++ gitolite3-3.6.11/src/lib/Gitolite/Conf/Load.pm 2019-01-08 09:28:59.000000000 +0000
@@ -73,6 +73,7 @@
 trace( 2, $repo, $user, $aa, $ref );
 _die "invalid user '$user'" if not( $user and $user =~ $USERNAME_PATT );
 sanity($repo);
+return "$aa any $repo $user DENIED by fallthru" unless update_hook_present($repo);
 
 my @rules;
 my $deny_rules;
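Review bot: In the Load.pm hunk the reason the returned string copies the wording of a real fallthru deny is no longer recorded anywhere: the comment that explained it in gitolite-shell ("this error message is exactly the same as that from elsewhere in the code ... avoid leaking information") is deleted in the first hunk on this line and not carried over to the new `return`, so it now reads like a stray duplicate of the string built further down. Suggest `# same wording as a real rule fallthru on purpose: a caller must not learn whether the repo exists or is still being migrated` directly above the new line. Note also that the check now runs for every caller of this sub (the sub starts outside this hunk), including access checks made before a repo exists; that is only correct if `update_hook_present` treats a not-yet-created repo as acceptable, which cannot be confirmed from what is shown, so a test covering the create-on-first-access path is worth adding alongside this change.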