gitlab: CVE-2018-19359: Unauthorized service template creation

Related Vulnerabilities: CVE-2018-19359  

Debian Bug report logs - #914166


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 20 Nov 2018 05:33:02 UTC

Severity: grave

Tags: security, upstream

Found in version gitlab/10.8.7+dfsg-1

Fixed in version gitlab/11.3.10+dfsg-1

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#914166; Package src:gitlab. (Tue, 20 Nov 2018 05:33:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 20 Nov 2018 05:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2018-19359: Unauthorized service template creation
Date: Tue, 20 Nov 2018 06:31:17 +0100
Source: gitlab
Version: 10.8.7+dfsg-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for gitlab.

CVE-2018-19359[0]:
Unauthorized service template creation

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-19359
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19359
[1] https://about.gitlab.com/2018/11/19/critical-security-release-gitlab-11-dot-4-dot-6-released/

Regards,
Salvatore



Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Wed, 21 Nov 2018 06:51:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 21 Nov 2018 06:51:03 GMT)


Message #10 received at 914166-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 914166-close@bugs.debian.org
Subject: Bug#914166: fixed in gitlab 11.3.10+dfsg-1
Date: Wed, 21 Nov 2018 06:49:40 +0000
Source: gitlab
Source-Version: 11.3.10+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 914166@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 21 Nov 2018 11:49:29 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source all
Version: 11.3.10+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
 gitlab-common - git powered software platform to collaborate on code (common)
Closes: 914166
Changes:
 gitlab (11.3.10+dfsg-1) experimental; urgency=medium
 .
   * New upstream version 11.3.10+dfsg (Closes: #914166) (Fixes: CVE-2018-19359)
   * Relax ruby-js-regex version
   * Tighten dependencies (update minimum versions)
Checksums-Sha1:
 47e1bd5f286eda21f75632a0ed9e608655d4ffaa 2552 gitlab_11.3.10+dfsg-1.dsc
 90a1195a4cd9a8cb489ec1f8c03b24e57cc9184d 38760492 gitlab_11.3.10+dfsg.orig.tar.xz
 f013289c99c2f14919c2344a9c1eb1ae726ddb97 65240 gitlab_11.3.10+dfsg-1.debian.tar.xz
 3f51e680b2b4873e61285572470ddb48abd6497b 134236 gitlab-common_11.3.10+dfsg-1_all.deb
 6f422f08e977ebdf40856858ee31a5b3befcd19a 39254508 gitlab_11.3.10+dfsg-1_all.deb
 945684a626737ec998bfabe39086d7039e12b44f 9164 gitlab_11.3.10+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 2803be93a8ef34c3c399765a6a9f07b68c4a7f7c0f1c00b94a788237fbe3cd49 2552 gitlab_11.3.10+dfsg-1.dsc
 a733382f8bdd155a55db99dd142573517ce55ea79366e7f766c652879bce0ab0 38760492 gitlab_11.3.10+dfsg.orig.tar.xz
 13a7f4ffbe855d168184f0596aa546f60e9f8fabe9b910944042f10d30741454 65240 gitlab_11.3.10+dfsg-1.debian.tar.xz
 52ed75557097afacccc84440e6bea495bade4ef1552b8dd8f2c450924e04e9f5 134236 gitlab-common_11.3.10+dfsg-1_all.deb
 1511023d1e181021a2022fc70b1d3d184f9ae2e11718f358267982fc21c4001b 39254508 gitlab_11.3.10+dfsg-1_all.deb
 e5ad9fe5626ef910191e7a105fe03bc27b8ef7d3dd25c58ac97f0b71860f69eb 9164 gitlab_11.3.10+dfsg-1_amd64.buildinfo
Files:
 b278712c82e8900dd6d98720ca015e11 2552 contrib/net optional gitlab_11.3.10+dfsg-1.dsc
 c4ad863439ca020f81e6e16a1d3bee36 38760492 contrib/net optional gitlab_11.3.10+dfsg.orig.tar.xz
 5c9e3e94103aee406853a6d4b92f90f4 65240 contrib/net optional gitlab_11.3.10+dfsg-1.debian.tar.xz
 2d9f913ec13438fd9441131406283c3b 134236 contrib/net optional gitlab-common_11.3.10+dfsg-1_all.deb
 110bda391eade1adcb8625959094bf0e 39254508 contrib/net optional gitlab_11.3.10+dfsg-1_all.deb
 ca2995ea37250b676b8fce339f018673 9164 contrib/net optional gitlab_11.3.10+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature body omitted]
-----END PGP SIGNATURE-----
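The .changes file above lists every uploaded file three times, under Checksums-Sha1, Checksums-Sha256 and Files (MD5), and the whole text is covered by the maintainer's PGP signature. The hashes are only worth anything after that signature has been checked (in practice with `dscverify` from devscripts or `gpg --verify`); once it has, anyone who mirrors, rebuilds or audits the upload can confirm that the bytes on disk are the bytes that were signed. The following is an added example, not code from the Debian BTS page, the gitlab package or dpkg-dev: it parses the deb822-style checksum stanzas, cross-checks that the stanzas agree with each other on file names and sizes, and hashes whatever listed files are present in a directory, reporting intact, tampered and missing files separately. Function names are this example's own; SAMPLE_CHANGES is copied from the .changes text above (two entries per stanza), and the files hashed in `demo_verify` are constructed in a temporary directory because the real archives are not on the page.

```python
"""Checksum verification for a Debian .changes file (added example; not code
from the Debian BTS page, the gitlab package or dpkg-dev).  Parses the
deb822 Checksums-Sha256 / Files stanzas, cross-checks that they agree on
names and sizes, and hashes the listed files found in a directory.
SAMPLE_CHANGES is copied from the .changes file above (two entries each)."""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, NamedTuple, Tuple

# stanza -> (hashlib algorithm, hex digest length); "Files" carries MD5.
_FIELD_ALGO = {"Checksums-Sha1": ("sha1", 40), "Checksums-Sha256": ("sha256", 64),
               "Files": ("md5", 32)}
_FIELD_RE = re.compile(r"^(Checksums-Sha1|Checksums-Sha256|Files):\s*$")

SAMPLE_CHANGES = """\
Closes: 914166
Checksums-Sha256:
 2803be93a8ef34c3c399765a6a9f07b68c4a7f7c0f1c00b94a788237fbe3cd49 2552 gitlab_11.3.10+dfsg-1.dsc
 13a7f4ffbe855d168184f0596aa546f60e9f8fabe9b910944042f10d30741454 65240 gitlab_11.3.10+dfsg-1.debian.tar.xz
Files:
 b278712c82e8900dd6d98720ca015e11 2552 contrib/net optional gitlab_11.3.10+dfsg-1.dsc
 5c9e3e94103aee406853a6d4b92f90f4 65240 contrib/net optional gitlab_11.3.10+dfsg-1.debian.tar.xz
"""


class Entry(NamedTuple):
    digest: str
    size: int


def parse_checksums(changes: str) -> Dict[str, Dict[str, Entry]]:
    """Return {stanza: {filename: Entry}}.  Continuation lines start with a
    space; any other line ends the stanza.  Digest is column 0, size column
    1, file name the last column ("Files" has section/priority between)."""
    result: Dict[str, Dict[str, Entry]] = {}
    current = None
    for line in changes.splitlines():
        header = _FIELD_RE.match(line)
        if header:
            current = header.group(1)
            result[current] = {}
        elif not line.startswith(" "):
            current = None
        elif current is not None:
            cols = line.split()
            if len(cols) < 3:
                raise ValueError(f"malformed {current} line: {line!r}")
            digest, size, name = cols[0].lower(), int(cols[1]), cols[-1]
            algo, hexlen = _FIELD_ALGO[current]
            if len(digest) != hexlen or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"bad {algo} digest for {name}")
            if "/" in name or name in (".", ".."):  # a .changes must not name a path
                raise ValueError(f"unsafe file name {name!r}")
            result[current][name] = Entry(digest, size)
    return result


def cross_check(stanzas: Dict[str, Dict[str, Entry]]) -> List[str]:
    """Report stanzas that disagree on the file list or on a file's size."""
    if "Checksums-Sha256" not in stanzas:
        return ["no Checksums-Sha256 stanza"]
    problems = []
    names = set(stanzas["Checksums-Sha256"])
    for field, entries in stanzas.items():
        if set(entries) != names:
            problems.append(f"{field}: file list differs from Checksums-Sha256")
    for name in sorted(names):
        sizes = {e[name].size for e in stanzas.values() if name in e}
        if len(sizes) > 1:
            problems.append(f"{name}: size differs across stanzas {sorted(sizes)}")
    return problems


def verify_files(stanzas, directory, field="Checksums-Sha256"):
    """Hash each file listed in `field`; return (ok, failed, missing) names.
    Missing files are reported, not skipped: an upload set with a file
    removed must not verify clean."""
    algo, _ = _FIELD_ALGO[field]
    ok, failed, missing = [], [], []
    for name, entry in sorted(stanzas[field].items()):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        h = hashlib.new(algo)
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        if h.hexdigest() == entry.digest and os.path.getsize(path) == entry.size:
            ok.append(name)
        else:
            failed.append(name)
    return ok, failed, missing


def demo_verify():
    """Constructed scenario: one intact file, one tampered, one missing."""
    good = b"Format: 1.8\n"  # constructed content, stands in for a .dsc
    stanza = ("Checksums-Sha256:\n"
              f" {hashlib.sha256(good).hexdigest()} {len(good)} good.dsc\n"
              f" {hashlib.sha256(b'original').hexdigest()} 8 tampered.deb\n"
              f" {'0' * 64} 1 missing.tar.xz\n")
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.dsc"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "tampered.deb"), "wb") as fh:
            fh.write(b"modified")  # same length as b"original", other bytes
        return verify_files(parse_checksums(stanza), d)
```

Only the SHA-256 stanza is treated as authoritative; the MD5 (Files) and SHA-1 stanzas survive in the format for compatibility and are used here only to catch a .changes whose stanzas have been edited inconsistently. The size comparison matters in its own right: a file that is the wrong length is rejected before its hash is even considered, and the `tampered.deb` case shows that a same-length substitution is still caught by the digest. Run `parse_checksums` on a .changes only after `dscverify` or `gpg --verify` has accepted its signature, otherwise the hashes being checked are the attacker's hashes.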




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Dec 2018 07:36:58 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:48:02 2019; Machine Name: beach
