gitlab: CVE-2018-8801 CVE-2018-8971


Debian Bug report logs - #893905


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 23 Mar 2018 17:27:02 UTC

Severity: grave

Tags: security, upstream

Found in version gitlab/8.13.11+dfsg1-8

Fixed in versions gitlab/10.5.6+dfsg-1, gitlab/8.13.11+dfsg1-8+deb9u2

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893905; Package gitlab. (Fri, 23 Mar 2018 17:27:05 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Fri, 23 Mar 2018 17:27:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Two vulnerabilities (CVE-2018-8801 / one CVE-less)
Date: Fri, 23 Mar 2018 18:22:47 +0100
Package: gitlab
Severity: grave
Tags: security

Please see
https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/

Cheers,
        Moritz



Marked as found in versions gitlab/8.13.11+dfsg1-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 24 Mar 2018 19:57:05 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 24 Mar 2018 20:00:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#893905; Package gitlab. (Sat, 24 Mar 2018 21:27:07 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 24 Mar 2018 21:27:07 GMT)


Message #14 received at 893905@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 893905@bugs.debian.org
Subject: Re: Bug#893905: Two vulnerabilities (CVE-2018-8801 / one CVE-less)
Date: Sat, 24 Mar 2018 22:23:19 +0100
Control: retitle -1 gitlab: CVE-2018-8801 CVE-2018-8971

Hi

On Fri, Mar 23, 2018 at 06:22:47PM +0100, Moritz Muehlenhoff wrote:
> Package: gitlab
> Severity: grave
> Tags: security
> 
> Please see
> https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/

The second issue has been assigned CVE-2018-8971 by MITRE.

Regards,
Salvatore



Changed Bug title to 'gitlab: CVE-2018-8801 CVE-2018-8971' from 'Two vulnerabilities (CVE-2018-8801 / one CVE-less)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 893905-submit@bugs.debian.org. (Sat, 24 Mar 2018 21:27:07 GMT)


Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Mon, 26 Mar 2018 11:39:08 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 26 Mar 2018 11:39:08 GMT)


Message #21 received at 893905-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 893905-close@bugs.debian.org
Subject: Bug#893905: fixed in gitlab 10.5.6+dfsg-1
Date: Mon, 26 Mar 2018 11:34:39 +0000
Source: gitlab
Source-Version: 10.5.6+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 26 Mar 2018 14:41:54 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 10.5.6+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
Closes: 893905
Changes:
 gitlab (10.5.6+dfsg-1) unstable; urgency=medium
 .
   [ Dmitry Smirnov ]
   * Tighten/version dependency ruby-net-ldap:
 .
   [ Pirate Praveen ]
   * New upstream version 10.5.6 (Closes: #893905)
     Fixes: CVE-2018-8801 CVE-2018-8971
   * Tighten dependency on ruby-omniauth-auth0
Checksums-Sha1:
 d0b2610c1c1ec07f64fe8cf2ac8153ecce368474 2523 gitlab_10.5.6+dfsg-1.dsc
 94c9cf3230d385a69047bad13afd4cd69c9d4cc2 41959560 gitlab_10.5.6+dfsg.orig.tar.xz
 8c6016c626322d5865d258311e5bb32c2e58edd3 62248 gitlab_10.5.6+dfsg-1.debian.tar.xz
 fe8651d514c65a3e19916420547b1e3ff233d44d 8025 gitlab_10.5.6+dfsg-1_source.buildinfo
Checksums-Sha256:
 81a84ef0c660d3210e2738171db0511020a34dd2ea26def16890147989675674 2523 gitlab_10.5.6+dfsg-1.dsc
 0f53b77459a684196ae0d9e1af3e3a98edb3dcd4262748f675451387ce787a12 41959560 gitlab_10.5.6+dfsg.orig.tar.xz
 f6d6c7d7bfdd9fcaf3fd3a744bc3693d42797f92f25e167fb8281b0293e357d1 62248 gitlab_10.5.6+dfsg-1.debian.tar.xz
 12bbd340021a3aa71a1b8e1d2af8fe99de44b68b34d5b1b665fccd9146773c58 8025 gitlab_10.5.6+dfsg-1_source.buildinfo
Files:
 e84e1860dcf4d44546f30fdc8ce64226 2523 contrib/net optional gitlab_10.5.6+dfsg-1.dsc
 b6d4f0876eb5a97f0399614efb1a3fb1 41959560 contrib/net optional gitlab_10.5.6+dfsg.orig.tar.xz
 3856023e786947a901796a1fbfbda8cf 62248 contrib/net optional gitlab_10.5.6+dfsg-1.debian.tar.xz
 8a139cec1feabb98452b210bb28ecd9e 8025 contrib/net optional gitlab_10.5.6+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlq41OQACgkQzh+cZ0US
wipPVA/+POH7nivIJZFMntlyic7kj3X8jkGXxraULufzgwOJnj2yqlkAcPCFYsvH
sG70BKsz8cLX7Z5G/QWurW0ym2twTNiaXCZ1eCM73tSIgZD5oIuP5crPgXEEbYhH
2YsLNHnEBc6MwKs+OEpLYMZmGyvBjm57GfrRdQxu3GSG9I9JB5cSJaZswsW80DAE
uMEGG2b9aCGKPwSCC4ib+XTDKobY8tY/UPaNT70B1suhQMG1wdwb7kFpdBz2JByZ
DhVPA9iXL+5V09hmv8mz8SqUKATj5K2U+h8/JFO/HdAfA3MDNgznXsu98NNZxpK6
3zqe4ZWCQF90MXGANkN98y7k0AD+0wdbtD7oiEIKvJ0wp5wol/Po+OIHLfAk+YSl
RqwzR10YdzYRukfkocrqcFAM5ZCpPP1cCtPkuzeVK9FpMGGolNIHY6QKsZCec7df
AyVu2/EiRsn1RnVFY2dSMuIk9fVYWa8Y+QEhY0zLRaXFKhHZRwIWXRphd0Wlz8kc
hKIygqBoIQW8DFDiaY3OSnJApA3meJuaXwQAmHLtIkZt1PTuO1K0EClz+em8iSOq
3XZdvlPgrFUncnEm7lPWmqvnVOtqVIzDVdFyJbgKksm0X6fK3TRvcU/tAg8So+x1
rQSXY2B5wofBF8Y82OA0hrJOHjF7sSh4qT4uvrrevSC4YWAv3/Q=
=98LH
-----END PGP SIGNATURE-----




Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Mon, 28 May 2018 21:21:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 28 May 2018 21:21:07 GMT)


Message #26 received at 893905-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 893905-close@bugs.debian.org
Subject: Bug#893905: fixed in gitlab 8.13.11+dfsg1-8+deb9u2
Date: Mon, 28 May 2018 21:17:09 +0000
Source: gitlab
Source-Version: 8.13.11+dfsg1-8+deb9u2

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 893905@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Mar 2018 14:38:53 +0530
Source: gitlab
Binary: gitlab
Architecture: source all
Version: 8.13.11+dfsg1-8+deb9u2
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
Closes: 888508 893905
Changes:
 gitlab (8.13.11+dfsg1-8+deb9u2) stretch-security; urgency=medium
 .
   * Fixes CVE-2018-8971 (Closes: #893905)
   * Fixes CVE-2017-0920 (Closes: #888508)
Checksums-Sha1:
 e0d3a414ae5577da5e456eaa01162e43444eae91 2569 gitlab_8.13.11+dfsg1-8+deb9u2.dsc
 e50e86b6e67daa64224d2e9be2ef762da577bff2 27931813 gitlab_8.13.11+dfsg1.orig.tar.gz
 79625ef89f5edb375cca0d3ba1645244d570d548 59288 gitlab_8.13.11+dfsg1-8+deb9u2.debian.tar.xz
 79d87657e013d19c340b73a98c39d6cafed7aa53 26368266 gitlab_8.13.11+dfsg1-8+deb9u2_all.deb
 72e111ca6d9757ea8be472e4b7d5dd9a2efeb503 8886 gitlab_8.13.11+dfsg1-8+deb9u2_amd64.buildinfo
Checksums-Sha256:
 3cd160bb6cef243d17e551d5666eef376d23c11230c0069f55c2b79a9f2ecc0d 2569 gitlab_8.13.11+dfsg1-8+deb9u2.dsc
 714862e0211f50b07bc064d2a9059e3d650351b5ea12ff03ee3f154dc8a9071c 27931813 gitlab_8.13.11+dfsg1.orig.tar.gz
 0e5b1d541e440d37391d462541433eac20483578034599a664eb074f3c21f145 59288 gitlab_8.13.11+dfsg1-8+deb9u2.debian.tar.xz
 c9521c08dfef5be0cef1def0c030653afdea2b6938fb488fa1040e6a26511163 26368266 gitlab_8.13.11+dfsg1-8+deb9u2_all.deb
 e2321422138003231c3d74ba981f34f5da05c68d848461c1843c8e51dda9c9ea 8886 gitlab_8.13.11+dfsg1-8+deb9u2_amd64.buildinfo
Files:
 e2726830387a26ad39b822b274a6316f 2569 ruby optional gitlab_8.13.11+dfsg1-8+deb9u2.dsc
 2ac0a5e5ce01500d7ac797005efda0e0 27931813 ruby optional gitlab_8.13.11+dfsg1.orig.tar.gz
 a238aff5dfcf623b8cfa747499122731 59288 ruby optional gitlab_8.13.11+dfsg1-8+deb9u2.debian.tar.xz
 4edaa7ba9bfd63052f2579bcb9edc0b1 26368266 ruby optional gitlab_8.13.11+dfsg1-8+deb9u2_all.deb
 156984a781c17df49416af64c1857cd3 8886 ruby optional gitlab_8.13.11+dfsg1-8+deb9u2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
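
The two .changes files above (for 10.5.6+dfsg-1 and 8.13.11+dfsg1-8+deb9u2) list every uploaded artifact three times, under Checksums-Sha1, Checksums-Sha256 and the legacy MD5 "Files" field, and the whole stanza sits inside the maintainer's PGP-signed block. What follows is an added example, not part of this bug log or of Debian's own tooling: it parses those digest fields and checks a set of local artifacts against the declared size and digest, flagging a listed file that is missing or altered. The .changes text, file names and file contents are constructed stand-ins so the script runs offline; the real gitlab tarballs are not embedded. On a real download, verify the armor signature first (for example with `gpg --verify` against the Debian keyring, or devscripts' `dscverify`), because digests in an unverified .changes only prove the files match the text, not that the text is genuine.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Per-file digest fields of a .changes file and the hash each one uses.
# "Files" is the legacy MD5 list; a verifier should rely on Checksums-Sha256.
DIGEST_FIELDS = {"Checksums-Sha256": "sha256", "Checksums-Sha1": "sha1", "Files": "md5"}


@dataclass
class Entry:
    digest: str
    size: int
    name: str


def parse_changes(text: str) -> Dict[str, List[Entry]]:
    """Return {field: [Entry, ...]} for every digest field present in the text."""
    result: Dict[str, List[Entry]] = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            # A new field; only digest fields have the continuation rows we want.
            key = line.partition(":")[0]
            current = key if key in DIGEST_FIELDS else None
            if current is not None:
                result[current] = []
            continue
        if current is None:
            continue
        parts = line.split()
        # Checksums-* rows are "<digest> <size> <name>"; Files rows additionally
        # carry section and priority between size and name, as on this page.
        result[current].append(Entry(parts[0], int(parts[1]), parts[-1]))
    return result


def verify(text: str, artifacts: Dict[str, bytes],
           field: str = "Checksums-Sha256") -> Dict[str, bool]:
    """Map each file listed under `field` to whether its size and digest match.

    A listed file that is missing locally is a failure. Files present locally
    but not listed are ignored: the signed stanza says nothing about them.
    """
    algo = DIGEST_FIELDS[field]
    status: Dict[str, bool] = {}
    for e in parse_changes(text).get(field, []):
        data = artifacts.get(e.name)
        if data is None:
            status[e.name] = False
            continue
        status[e.name] = (len(data) == e.size
                          and hashlib.new(algo, data).hexdigest() == e.digest)
    return status


# Constructed stand-ins for an upload's artifacts (not the real gitlab files).
ARTIFACTS: Dict[str, bytes] = {
    "example_1.0-1.dsc": b"Format: 3.0 (quilt)\nSource: example\nVersion: 1.0-1\n",
    "example_1.0.orig.tar.xz": b"\xfd7zXZ\x00constructed, not a real tarball\n",
}


def _row(name: str, algo: str, extra: str = "") -> str:
    """Build one digest row for the constructed .changes text."""
    data = ARTIFACTS[name]
    return f" {hashlib.new(algo, data).hexdigest()} {len(data)}{extra} {name}"


# A constructed .changes body with the same field layout as the two on this page.
SAMPLE_CHANGES = "\n".join([
    "Format: 1.8",
    "Source: example",
    "Version: 1.0-1",
    "Checksums-Sha1:",
    _row("example_1.0-1.dsc", "sha1"),
    _row("example_1.0.orig.tar.xz", "sha1"),
    "Checksums-Sha256:",
    _row("example_1.0-1.dsc", "sha256"),
    _row("example_1.0.orig.tar.xz", "sha256"),
    "Files:",
    _row("example_1.0-1.dsc", "md5", " contrib/net optional"),
    _row("example_1.0.orig.tar.xz", "md5", " contrib/net optional"),
])

# The same upload with one byte appended to the tarball, as a tampering check.
TAMPERED = dict(ARTIFACTS)
TAMPERED["example_1.0.orig.tar.xz"] += b"\x00"

if __name__ == "__main__":
    print(verify(SAMPLE_CHANGES, ARTIFACTS))   # both True
    print(verify(SAMPLE_CHANGES, TAMPERED))    # tarball False
```

Checking the SHA-256 field is the one that matters; the SHA-1 and MD5 rows are kept for the same files only for compatibility and add no assurance once SHA-256 has been verified.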




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Jul 2018 07:25:25 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:32:25 2019; Machine Name: beach
