Debian Bug report logs -
#933785
gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#933785; Package src:gitlab.
(Sat, 03 Aug 2019 13:45:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>.
(Sat, 03 Aug 2019 13:45:10 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, see [9].
CVE-2019-5470[0]:
Information Disclosure Vulnerability Feedback
CVE-2019-5469[1]:
Arbitrary File Upload via Import Project Archive
CVE-2019-5468[2]:
User Revokation Bypass with Mattermost Integration
CVE-2019-5466[3]:
IDOR Label Name Enumeration
CVE-2019-5465[4]:
Information Disclosure New Issue ID
CVE-2019-5464[5]:
SSRF Mitigation Bypass
CVE-2019-5463[6]:
Build Status Disclosure
CVE-2019-5462[7]:
Trigger Token Impersonation
CVE-2019-5461[8]:
GitHub Integration SSRF
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-5470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5470
[1] https://security-tracker.debian.org/tracker/CVE-2019-5469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5469
[2] https://security-tracker.debian.org/tracker/CVE-2019-5468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5468
[3] https://security-tracker.debian.org/tracker/CVE-2019-5466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5466
[4] https://security-tracker.debian.org/tracker/CVE-2019-5465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5465
[5] https://security-tracker.debian.org/tracker/CVE-2019-5464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5464
[6] https://security-tracker.debian.org/tracker/CVE-2019-5463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5463
[7] https://security-tracker.debian.org/tracker/CVE-2019-5462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5462
[8] https://security-tracker.debian.org/tracker/CVE-2019-5461
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5461
[9] https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/
Please adjust the affected versions in the BTS as needed.
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Aug 4 09:34:18 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon