Debian Bug report logs - #926482
gitlab: CVE-2018-5158 CVE-2019-10109 CVE-2019-10110 CVE-2019-10111 CVE-2019-10113 CVE-2019-10115 CVE-2019-10116 CVE-2019-10640
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 5 Apr 2019 21:42:01 UTC
Severity: grave
Tags: security, upstream
Found in version gitlab/11.8.3-1
Fixed in version gitlab/11.8.6+dfsg-1
Done: Salvatore Bonaccorso <carnil@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#926482; Package src:gitlab. (Fri, 05 Apr 2019 21:42:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 05 Apr 2019 21:42:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: gitlab
Version: 11.8.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, fixed
upstream in the 11.9.4, 11.8.6, and 11.7.10 releases.
CVE-2018-5158[0]:
| The PDF viewer does not sufficiently sanitize PostScript calculator
| functions, allowing malicious JavaScript to be injected through a
| crafted PDF file. This JavaScript can then be run with the permissions
| of the PDF viewer by its worker. This vulnerability affects Firefox
| ESR < 52.8 and Firefox < 60.
CVE-2019-10109[1]:
EXIF geolocation data not stripped from uploaded images
CVE-2019-10110[2]:
Improper authorization control "move issue"
CVE-2019-10111[3]:
Persistent XSS at merge request resolve conflicts
CVE-2019-10113[4]:
DoS potential on project languages page
CVE-2019-10115[5]:
Guest users of private projects have access to releases
CVE-2019-10116[6]:
Related branches visible in issues for guests
CVE-2019-10640[7]:
DoS potential for regex in CI/CD refs
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158
[1] https://security-tracker.debian.org/tracker/CVE-2019-10109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109
[2] https://security-tracker.debian.org/tracker/CVE-2019-10110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10110
[3] https://security-tracker.debian.org/tracker/CVE-2019-10111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10111
[4] https://security-tracker.debian.org/tracker/CVE-2019-10113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10113
[5] https://security-tracker.debian.org/tracker/CVE-2019-10115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10115
[6] https://security-tracker.debian.org/tracker/CVE-2019-10116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10116
[7] https://security-tracker.debian.org/tracker/CVE-2019-10640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10640
[8] https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
Regards,
Salvatore
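The EXIF item in the list above (CVE-2019-10109) is only a one-line summary. As an added illustration of the mitigation, not code from GitLab or from this bug report, the following Ruby walks a JPEG's marker segments and drops the APP1 segment that carries Exif data (which is where GPS geolocation lives) before the upload would be stored; the remaining segments and the entropy-coded image data are copied through unchanged. The sample JPEG bytes are constructed inline, and all helper names are my own.

```ruby
# Added example: strip Exif (APP1) metadata from a JPEG byte string before storing an upload.
# Not GitLab's code; a minimal marker-segment walker, not a full JPEG decoder.

SOI = "\xFF\xD8".b          # start of image
EOI = "\xFF\xD9".b          # end of image
SOS = 0xDA                  # start of scan: entropy-coded data follows, copied verbatim
APP1 = 0xE1                 # application segment 1 (Exif lives here)
EXIF_HEADER = "Exif\0\0".b  # identifier at the start of an Exif APP1 payload

# Split a JPEG into [marker, raw_segment_bytes] pairs (raw includes the 0xFF marker and length).
# Stops at SOS and keeps everything from SOS to the end as one opaque chunk.
def jpeg_segments(bytes)
  raise ArgumentError, "not a JPEG (missing SOI)" unless bytes.start_with?(SOI)
  segs = []
  pos = 2
  while pos < bytes.bytesize
    raise ArgumentError, "bad marker at offset #{pos}" unless bytes.getbyte(pos) == 0xFF
    pos += 1 while bytes.getbyte(pos + 1) == 0xFF      # skip optional 0xFF fill bytes
    marker = bytes.getbyte(pos + 1)
    if marker == SOS
      segs << [marker, bytes.byteslice(pos..-1)]
      break
    end
    len = bytes.byteslice(pos + 2, 2).unpack1("n")      # big-endian length, includes its own 2 bytes
    raise ArgumentError, "truncated segment at offset #{pos}" if len < 2 || pos + 2 + len > bytes.bytesize
    segs << [marker, bytes.byteslice(pos, 2 + len)]
    pos += 2 + len
  end
  segs
end

# True when a segment is an APP1 segment whose payload announces itself as Exif.
def exif_segment?(marker, raw)
  marker == APP1 && raw.byteslice(4, EXIF_HEADER.bytesize) == EXIF_HEADER
end

# Rebuild the JPEG without any Exif APP1 segments.
def strip_exif(bytes)
  SOI + jpeg_segments(bytes).reject { |m, raw| exif_segment?(m, raw) }.map(&:last).join
end

# Quick check usable on the stored file after stripping.
def exif_present?(bytes)
  jpeg_segments(bytes).any? { |m, raw| exif_segment?(m, raw) }
end

# Helper to build a marker segment for the constructed sample.
def segment(marker, payload)
  [0xFF, marker].pack("C2") + [payload.bytesize + 2].pack("n") + payload
end

# Constructed sample: JFIF header, an Exif APP1 with placeholder GPS content,
# minimal DQT/SOF0/DHT tables, then a tiny scan and EOI.
GPS_PLACEHOLDER = "GPSinfo-placeholder".b
ENTROPY_DATA = "\xAB\xCD".b
SAMPLE_JPEG = SOI +
  segment(0xE0, "JFIF\0\x01\x02\x00\x00\x01\x00\x01\x00\x00".b) +
  segment(APP1, EXIF_HEADER + GPS_PLACEHOLDER) +
  segment(0xDB, "\x00".b + ("\x10".b * 64)) +
  segment(0xC0, "\x08\x00\x08\x00\x08\x01\x01\x11\x00".b) +
  segment(0xC4, "\x00\x01".b) +
  "\xFF\xDA".b + [8].pack("n") + "\x01\x01\x00\x00\x3F\x00".b +
  ENTROPY_DATA + EOI

if __FILE__ == $PROGRAM_NAME
  cleaned = strip_exif(SAMPLE_JPEG)
  puts "exif before: #{exif_present?(SAMPLE_JPEG)}, after: #{exif_present?(cleaned)}"
  puts "size #{SAMPLE_JPEG.bytesize} -> #{cleaned.bytesize} bytes"
end
```

The walker refuses anything that does not start with SOI and anything whose segment lengths run past the end of the buffer, so a malformed upload fails closed rather than being stored half-parsed. Real deployments usually delegate this to an image library that also handles XMP, IPTC and non-JPEG formats; the point here is only to make the "strip on upload" step concrete.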
Marked as fixed in versions gitlab/11.8.6+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Apr 2019 14:00:04 GMT)
Marked Bug as done. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 19 Apr 2019 14:00:05 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 19 Apr 2019 14:00:05 GMT)
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#926482. (Fri, 19 Apr 2019 14:00:07 GMT)
Message #14 received at 926482-submitter@bugs.debian.org:
close 926482 11.8.6+dfsg-1
thanks
Issues were fixed via the 11.8.6+dfsg-1
https://tracker.debian.org/news/1038471/accepted-gitlab-1186dfsg-1-source-all-into-unstable/
but no bug closer was added. Closing manually.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 May 2019 07:27:08 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:04:40 2019; Machine Name: beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.