gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-9222 CVE-2019-9223 CVE-2019-9224 CVE-2019-9225 CVE-2019-9485

Debian Bug report logs - #924447
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 13 Mar 2019 05:39:01 UTC

Severity: grave

Tags: security, upstream

Found in versions gitlab/11.8.0-1, gitlab/11.5.10+dfsg-1

Fixed in version gitlab/11.8.2-1

Done: Sruthi Chandran <srud@disroot.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#924447; Package src:gitlab. (Wed, 13 Mar 2019 05:39:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Wed, 13 Mar 2019 05:39:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2019-9170 CVE-2019-9171 CVE-2019-9172 CVE-2019-9174 CVE-2019-9175 CVE-2019-9176 CVE-2019-9178 CVE-2019-9179 CVE-2019-9217 CVE-2019-9219 CVE-2019-9220 CVE-2019-9221 CVE-2019-9222 CVE-2019-9223 CVE-2019-9224 CVE-2019-9225 CVE-2019-9485
Date: Wed, 13 Mar 2019 06:37:35 +0100
Source: gitlab
Version: 11.5.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.8.0-1

Hi,

The following vulnerabilities were published for gitlab, filing for
tracking purposes.

CVE-2019-9170[0]:
IDOR milestone name information disclosure

CVE-2019-9171[1]:
Milestone name disclosure

CVE-2019-9172[2]:
Merge request information disclosure

CVE-2019-9174[3]:
Blind SSRF in prometheus integration

CVE-2019-9175[4]:
Burndown chart information disclosure

CVE-2019-9176[5]:
CSRF add Kubernetes cluster integration

CVE-2019-9178[6]:
Private merge request titles in public project information disclosure

CVE-2019-9179[7]:
Private namespace disclosure in email notification when issue is moved

CVE-2019-9217[8]:
NPM automatic package referencer

CVE-2019-9219[9]:
Issue board name disclosure

CVE-2019-9220[10]:
Issue DoS via Mermaid

CVE-2019-9221[11]:
Arbitrary file read via MergeRequestDiff

CVE-2019-9222[12]:
Path traversal snippet mover

CVE-2019-9223[13]:
Information disclosure repo existence

CVE-2019-9224[14]:
Milestone name disclosure

CVE-2019-9225[15]:
Issue board name disclosure

CVE-2019-9485[16]:
Privilege escalation impersonate user

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9170
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9170
[1] https://security-tracker.debian.org/tracker/CVE-2019-9171
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9171
[2] https://security-tracker.debian.org/tracker/CVE-2019-9172
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9172
[3] https://security-tracker.debian.org/tracker/CVE-2019-9174
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9174
[4] https://security-tracker.debian.org/tracker/CVE-2019-9175
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9175
[5] https://security-tracker.debian.org/tracker/CVE-2019-9176
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9176
[6] https://security-tracker.debian.org/tracker/CVE-2019-9178
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9178
[7] https://security-tracker.debian.org/tracker/CVE-2019-9179
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9179
[8] https://security-tracker.debian.org/tracker/CVE-2019-9217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9217
[9] https://security-tracker.debian.org/tracker/CVE-2019-9219
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9219
[10] https://security-tracker.debian.org/tracker/CVE-2019-9220
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9220
[11] https://security-tracker.debian.org/tracker/CVE-2019-9221
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9221
[12] https://security-tracker.debian.org/tracker/CVE-2019-9222
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9222
[13] https://security-tracker.debian.org/tracker/CVE-2019-9223
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9223
[14] https://security-tracker.debian.org/tracker/CVE-2019-9224
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9224
[15] https://security-tracker.debian.org/tracker/CVE-2019-9225
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9225
[16] https://security-tracker.debian.org/tracker/CVE-2019-9485
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9485

Regards,
Salvatore



Marked as found in versions gitlab/11.8.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 13 Mar 2019 05:39:04 GMT)


Reply sent to Sruthi Chandran <srud@disroot.org>:
You have taken responsibility. (Thu, 14 Mar 2019 12:51:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 14 Mar 2019 12:51:09 GMT)


Message #12 received at 924447-close@bugs.debian.org:

From: Sruthi Chandran <srud@disroot.org>
To: 924447-close@bugs.debian.org
Subject: Bug#924447: fixed in gitlab 11.8.2-1
Date: Thu, 14 Mar 2019 12:49:51 +0000
Source: gitlab
Source-Version: 11.8.2-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 924447@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 14 Mar 2019 17:09:17 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source
Version: 11.8.2-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
 gitlab-common - git powered software platform to collaborate on code (common)
Closes: 924447
Changes:
 gitlab (11.8.2-1) experimental; urgency=medium
 .
   * New upstream version 11.8.2 (Closes: #924447) (Fixes: CVE-2019-9170,
     CVE-2019-9171, CVE-2019-9172, CVE-2019-9174, CVE-2019-9175, CVE-2019-9176,
     CVE-2019-9178, CVE-2019-9179, CVE-2019-9217, CVE-2019-9219, CVE-2019-9220,
     CVE-2019-9221, CVE-2019-9222, CVE-2019-9223, CVE-2019-9224, CVE-2019-9225,
     CVE-2019-9485)
   * Refresh patches and remove 0120-remove-tracing-group.patch
   * Embed opentracing, jaeger-client and thrift
Checksums-Sha1:
 84490fdfa89de7c7ab33f098031a9081a423a697 2268 gitlab_11.8.2-1.dsc
 ae43cfc7e2d54d8b9fc4565f8fec3cc752b962ba 47910676 gitlab_11.8.2.orig.tar.xz
 cae6b77e870ded5d40289129d453e6d269de413a 1213552 gitlab_11.8.2-1.debian.tar.xz
 0d926c2d15cbc30019b8c9790e15c2ef26abed31 11546 gitlab_11.8.2-1_source.buildinfo
Checksums-Sha256:
 2f8f869057d44bdf7a67120f406cc04a45087f8038e89f3627af93ecb6519498 2268 gitlab_11.8.2-1.dsc
 74a55b3cff510aad316b0d41f4205d8256e46e6dfec5b16c34f55267385c5601 47910676 gitlab_11.8.2.orig.tar.xz
 86f296b6c1a41952341b8e8764062d539438e429a556d4e02f01dd65c326d90d 1213552 gitlab_11.8.2-1.debian.tar.xz
 c56163caba2649fa0526909304f199ca965b86487c403f3e02c87eda5e8c996d 11546 gitlab_11.8.2-1_source.buildinfo
Files:
 4c4cba55c6d7fa4ffb9d82922a24760a 2268 net optional gitlab_11.8.2-1.dsc
 7c11b1ebcf4926a2a013e01372c78dfa 47910676 net optional gitlab_11.8.2.orig.tar.xz
 4fc6fb26cb2d6cffa4a37e13c2fd84f3 1213552 net optional gitlab_11.8.2-1.debian.tar.xz
 7cdb264713ee8e3c8ece839616bea054 11546 net optional gitlab_11.8.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEsclPZxif+sAmSPvz1N6yL8C5bhUFAlyKR2gACgkQ1N6yL8C5
bhVvpw/8D10/+A/PUe9Qq3A8J/p8f1J8pzpIYGOkzEXA4VPbMSslw75y81yFjBSM
DyI1iAYQIJ9wQTucdIueHJek6LsVF4uGs3Ja/jTamLtzpunfIvcf99OX6sXmV+QO
pA+7n7fSUV4Zkqz0B4AlzecMCPpIU6clw3x3YM0TubUn4vTcqmo6MhfMg3TjOm01
o5VoRCIMrbLj5CkscGs3anncXVvRWvrBiOQVp/orgh4nXNCSzBFWyRQhF0j/UGkb
MHh82F7Awvcl+p5OFf+bluMbvmApJyM8f2IECBsyEWv8NqJ4vgbu6HptXUH6LzGR
adz47XZEpoiPFY9F13y8ECz++2PJpMI6p+4Y/CJlIhC7KkzfDUlM1Vu/Lm5Ygyoe
15O/EryTKOopEWkpT6GpR/DL5hL1AkCbCYIcSJHIqXmHOde9A3kMvzFis3ZWhyZ6
Dfrc/73kZsUcd9cesLXVkY4wVsECN7Kg6cYfJTzjugtWhgpWM91Dg5/VNBlnHhcL
9VCHPxt3Y/Z+h4NBIKzHSwD0HV3YLbeINfZ/LywxN9Okym2mT/rkPEgzB+z4rTUd
IJU3hJlqe5Gn35q27idnhTTLnp/Ur2R+MyRaCT828YFlZ9ZaC5hWwSGeYGGt4J+y
ymYqEp0pNpHUNgkaLvLutnxTVIzDxsZqnNlW7cDY2YsieeTLlM8=
=DQwq
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 12 Apr 2019 07:26:42 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:53:05 2019; Machine Name: buxtehude
