gitlab: CVE-2019-6240: Arbitrary repo read in Gitlab project import


Debian Bug report logs - #919822


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 19 Jan 2019 21:57:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version gitlab/11.5.6+dfsg-1

Fixed in version gitlab/11.5.7+dfsg-1

Done: Abhijith PA <abhijith@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#919822; Package src:gitlab. (Sat, 19 Jan 2019 21:57:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sat, 19 Jan 2019 21:57:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2019-6240: Arbitrary repo read in Gitlab project import
Date: Sat, 19 Jan 2019 22:56:01 +0100
Source: gitlab
Version: 11.5.6+dfsg-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

Hi,

The following vulnerability was published for gitlab, and fixed in
11.6.4, 11.5.7, and 11.4.14.

CVE-2019-6240[0]:
RESERVED

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6240
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6240
[1] https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Abhijith PA <abhijith@debian.org>:
You have taken responsibility. (Tue, 22 Jan 2019 06:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 22 Jan 2019 06:09:03 GMT)


Message #10 received at 919822-close@bugs.debian.org:

From: Abhijith PA <abhijith@debian.org>
To: 919822-close@bugs.debian.org
Subject: Bug#919822: fixed in gitlab 11.5.7+dfsg-1
Date: Tue, 22 Jan 2019 06:05:01 +0000
Source: gitlab
Source-Version: 11.5.7+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 919822@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Abhijith PA <abhijith@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 20 Jan 2019 21:37:01 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source all
Version: 11.5.7+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Abhijith PA <abhijith@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
 gitlab-common - git powered software platform to collaborate on code (common)
Closes: 919822
Changes:
 gitlab (11.5.7+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 11.5.7+dfsg
   * Fix CVE-2019-6240: Arbitrary repo read in Gitlab project import
     (Closes: #919822)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 03 Mar 2019 07:29:37 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:56:02 2019; Machine Name: beach
