gitlab: several security issues fixed by latest version (including CVE-2016-4340)


Debian Bug report logs - #823290


Reported by: Paul Wise <pabs@debian.org>

Date: Tue, 3 May 2016 06:09:02 UTC

Severity: serious

Fixed in version gitlab/8.8.2+dfsg-1

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>: Bug#823290; Package gitlab. (Tue, 03 May 2016 06:09:06 GMT)


Acknowledgement sent to Paul Wise <pabs@debian.org>: New Bug report received and forwarded. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 03 May 2016 06:09:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: bts <submit@bugs.debian.org>
Subject: gitlab: several security issues fixed by latest version (including CVE-2016-4340)
Date: Tue, 03 May 2016 14:04:16 +0800
Package: gitlab
Severity: serious

GitLab recently fixed several serious security issues:

https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

CVE-2016-4340: Privilege escalation via "impersonate" feature
Privilege escalation via notes API
Privilege escalation via project webhook API
XSS vulnerability via branch and tag names
XSS vulnerability via custom issue tracker URL
XSS vulnerability via window.opener
XSS vulnerability via label drop-down
Information disclosure via milestone API
Information disclosure via snippet API
Information disclosure via project labels
Information disclosure via new merge request page

Please update the Debian gitlab package to the latest upstream.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise



Reply sent to Pirate Praveen <praveen@debian.org>: You have taken responsibility. (Fri, 03 Jun 2016 13:21:23 GMT)


Notification sent to Paul Wise <pabs@debian.org>: Bug acknowledged by developer. (Fri, 03 Jun 2016 13:21:23 GMT)


Message #10 received at 823290-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 823290-close@bugs.debian.org
Subject: Bug#823290: fixed in gitlab 8.8.2+dfsg-1
Date: Fri, 03 Jun 2016 13:18:51 +0000
Source: gitlab
Source-Version: 8.8.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 823290@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 02 Jun 2016 22:27:15 +0530
Source: gitlab
Binary: gitlab
Architecture: source all
Version: 8.8.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code
Closes: 821085 823290
Changes:
 gitlab (8.8.2+dfsg-1) unstable; urgency=medium
 .
   * New upstream release (Closes: #823290)
   * Refresh patches
   * Bump standards version to 3.9.8 (no changes)
   * Enable the pg_trgm extension for postgresql
   * Check if nginx site configuration directory is present before copying
     (Closes: #821085)
   * Symlink /run/gitlab/cache to /var/lib/gitlab/cache (or /run gets filled up)
   * Remove debconf db on purge





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 02 Jul 2016 07:39:41 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:06:09 2019; Machine Name: beach
