gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Debian Bug report logs - #888508
gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Fri, 26 Jan 2018 15:02:05 +0100

Source: gitlab
Version: 8.13.11+dfsg1-12
Severity: grave
Tags: upstream security

Hi 

See
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
for which several go back to 8.9.0 versions.

There are three CVEs out of
https://security-tracker.debian.org/tracker/source-package/gitlab
belonging to that list wich are yet marked undetermined, because not
clear from the advisory if 8.13.11=dfsg1-12 might be affected.
But assuming the 'version affected' information is correct, they are
not, please confirm so we can adjust the security-tracker information.

Regards,
Salvatore


-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Message #10 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>, 888508@bugs.debian.org, Balasankar C <balasankarc@debian.org>

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Fri, 26 Jan 2018 22:14:16 +0530

[Message part 1 (text/plain, inline)]

On വെള്ളി 26 ജനുവരി 2018 07:32 വൈകു, Salvatore Bonaccorso wrote:
> See
> https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> for which several go back to 8.9.0 versions.
> 
> There are three CVEs out of
> https://security-tracker.debian.org/tracker/source-package/gitlab
> belonging to that list wich are yet marked undetermined, because not
> clear from the advisory if 8.13.11=dfsg1-12 might be affected.
> But assuming the 'version affected' information is correct, they are
> not, please confirm so we can adjust the security-tracker information.

We are working on backporting the patches (8.13.12 don't have most of
these patches). We will confirm once we go through all of it.

[signature.asc (application/pgp-signature, attachment)]

Message #15 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Pirate Praveen <praveen@debian.org>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 888508@bugs.debian.org, Balasankar C <balasankarc@debian.org>

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Wed, 14 Feb 2018 19:37:54 +0100

On Fri, Jan 26, 2018 at 10:14:16PM +0530, Pirate Praveen wrote:
> On വെള്ളി 26 ജനുവരി 2018 07:32 വൈകു, Salvatore Bonaccorso wrote:
> > See
> > https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> > for which several go back to 8.9.0 versions.
> > 
> > There are three CVEs out of
> > https://security-tracker.debian.org/tracker/source-package/gitlab
> > belonging to that list wich are yet marked undetermined, because not
> > clear from the advisory if 8.13.11=dfsg1-12 might be affected.
> > But assuming the 'version affected' information is correct, they are
> > not, please confirm so we can adjust the security-tracker information.
> 
> We are working on backporting the patches (8.13.12 don't have most of
> these patches). We will confirm once we go through all of it.

What's the status?

Cheers,
        Moritz

Message #20 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: Salvatore Bonaccorso <carnil@debian.org>, 888508@bugs.debian.org, Balasankar C <balasankarc@debian.org>

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Thu, 15 Feb 2018 21:53:25 +0530

[Message part 1 (text/plain, inline)]

On വ്യാഴം 15 ഫെബ്രുവരി 2018 12:07 രാവിലെ, Moritz Mühlenhoff wrote:
> What's the status?
> Cheers,
>         Moritz
Some cve patches are backported, but help is welcome,
https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13

https://pad.disroot.org/p/gitlab_security_bp

[signature.asc (application/pgp-signature, attachment)]

Message #25 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>

To: Pirate Praveen <praveen@debian.org>

Cc: 888508@bugs.debian.org, Balasankar C <balasankarc@debian.org>, team@security.debian.org

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Sun, 4 Mar 2018 17:59:00 +0100

On Thu, Feb 15, 2018 at 09:53:25PM +0530, Pirate Praveen wrote:
> On വ്യാഴം 15 ഫെബ്രുവരി 2018 12:07 രാവിലെ, Moritz Mühlenhoff wrote:
> > What's the status?
> > Cheers,
> >         Moritz
> Some cve patches are backported, but help is welcome,
> https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13

We're now almost two months in after the upstream security
release. If this still isn't ready, that's a sign to me
that we can' reasonably support it, so the next best option
is to end-of-life it and eventually ask for it's removal
from stretch.

Cheers,
        Moritz

Message #30 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>

To: Moritz Mühlenhoff <jmm@inutil.org>

Cc: 888508@bugs.debian.org, Balasankar C <balasankarc@debian.org>, team@security.debian.org

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Mon, 5 Mar 2018 17:18:00 +0530

[Message part 1 (text/plain, inline)]

On ഞായര്‍ 04 മാർച്ച് 2018 10:29 വൈകു, Moritz Mühlenhoff wrote:
> We're now almost two months in after the upstream security
> release. If this still isn't ready, that's a sign to me
> that we can' reasonably support it, so the next best option
> is to end-of-life it and eventually ask for it's removal
> from stretch.
>
> Cheers,
>         Moritz
>
I will ask upstream help in backporting and we can decide based on their
response.

[signature.asc (application/pgp-signature, attachment)]

Message #35 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>

To: 888508@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, Balasankar C <balasankarc@debian.org>, team@security.debian.org

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Sat, 10 Mar 2018 23:25:28 +0530

[Message part 1 (text/plain, inline)]

On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen <praveen@debian.org> wrote:
> On ഞായര്‍ 04 മാർച്ച് 2018 10:29 വൈകു, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can' reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for it's removal
> > from stretch.
> >
> > Cheers,
> >         Moritz
> >
> I will ask upstream help in backporting and we can decide based on their
> response.
> 

I will attach a debdiff tomorrow with the CVEs we already backported.
And also will try to respond quicker in case of future CVEs.

CVE-2017-0923 seems to be not affecting 8.13 as this feature was
introduced only in 9.1

CVE-2017-0927 is affecting only an optional component of gitlab
(continuous deployment), while still good to be able to fix it, I don't
think it should result in a removal.

I'm yet to hear back from upstream about their help in fixing this last CVE.

[signature.asc (application/pgp-signature, attachment)]

Message #40 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@onenetbeyond.org>

To: 888508@bugs.debian.org, Moritz Mühlenhoff <jmm@inutil.org>, Balasankar C <balasankarc@debian.org>, team@security.debian.org

Subject: Re: Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Sun, 11 Mar 2018 20:37:49 +0530

[Message part 1 (text/plain, inline)]

On ശനി 10 മാർച്ച് 2018 11:25 വൈകു, Pirate Praveen wrote:
> I will attach a debdiff tomorrow with the CVEs we already backported.

debdiff attached.

[gitlab_8.13.11+dfsg-8.dsc..gitlab_8.13.11+dfsg-8+deb9u1.dsc.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #45 received at 888508@bugs.debian.org (full text, mbox, reply):

From: Balasankar C <balasankarc@autistici.org>

To: 888508@bugs.debian.org

Subject: Re: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory

Date: Mon, 12 Mar 2018 11:40:35 +0530

[Message part 1 (text/plain, inline)]

Hi,

As per the upstream blogpost,
https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ ,
the applicability of the CVEs listed at
https://security-tracker.debian.org/tracker/source-package/gitlab to
version of GitLab in Stretch is as follows.

CVE-2018-3710 - Applicable to version in Stretch (8.13.11)
CVE-2017-0927 - Applicable to version in Stretch (8.13.11)
CVE-2017-0926 - Applicable to version in Stretch (8.13.11)
CVE-2017-0925 - Applicable to version in Stretch (8.13.11)
CVE-2017-0923 - Applicable to version in Stretch (8.13.11)
CVE-2017-0918 - Applicable to version in Stretch (8.13.11)
CVE-2017-0916 - Applicable to version in Stretch (8.13.11)
CVE-2017-0915 - Applicable to version in Stretch (8.13.11)

CVE-2017-0914 - Not applicable to version in Stretch (8.13.11)
CVE-2017-0917 - Not applicable to version in Stretch (8.13.11)

Regarding CVE-2017-0923, I will confirm if it is indeed applicable or
not, since the feature was introduced in version 9.1 only
(https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10017) .


Regards
Balasankar C

[signature.asc (application/pgp-signature, attachment)]

Message #52 received at 888508-close@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>

To: 888508-close@bugs.debian.org

Subject: Bug#888508: fixed in gitlab 10.5.5+dfsg-1

Date: Wed, 21 Mar 2018 18:05:27 +0000

Source: gitlab
Source-Version: 10.5.5+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888508@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Mar 2018 15:17:08 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 10.5.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
Closes: 888508 890757
Changes:
 gitlab (10.5.5+dfsg-1) unstable; urgency=medium
 .
   [ Dmitry Smirnov ]
   * Depends += "ruby-excon (>= 0.60.0~)"
   * Added new patch to fix Markdown rendering (Closes: #890757).
   * Depends: set minimum version for "rake".
 .
   [ Pirate Praveen ]
   * New upstream version 10.5.5 (Closes: #888508)
     - Fixes multiple security vulnerabilities in 10.3.4 (CVE-2017-0914,
       CVE-2017-0916, CVE-2017-0917, CVE-2017-0918, CVE-2017-0923,
       CVE-2017-0925, CVE-2017-0926, CVE-2017-0927, CVE-2017-3710)
   * Remove files no longer present in vendor from Files-Excluded
   * Refresh patches
   * Add new node-* dependencies already in the archive as depends
   * Tighten dependencies
   * Bump debhelper compat to 10 and standards version to 4.1.3
Checksums-Sha1:
 8335491d4fa010ec1ae525b33c24f9ae300eb2b8 2523 gitlab_10.5.5+dfsg-1.dsc
 9f726e11889c0bd7f5e730c019f1468c349ee8fe 44727574 gitlab_10.5.5+dfsg.orig.tar.gz
 76ba841f3f52f394c3ba1f3aa5eaeaa9a1b40b32 61472 gitlab_10.5.5+dfsg-1.debian.tar.xz
 9ba15455174c4a67b7b2fc8fc2d99a5bd1d67ecf 8025 gitlab_10.5.5+dfsg-1_source.buildinfo
Checksums-Sha256:
 a206cdf1042f34c33cfd339c41c97c380dfb2b31df3a0e30d9525c772f756db1 2523 gitlab_10.5.5+dfsg-1.dsc
 d75e02a5c428bf5201ba6a96eeba7346dd16bb489093940b9623509b4d0f3654 44727574 gitlab_10.5.5+dfsg.orig.tar.gz
 6af9dbaa6e1dec89abdc0bd2a3993f081296c155a871d80e3ad5a3fe07de1b14 61472 gitlab_10.5.5+dfsg-1.debian.tar.xz
 e5a45f9e917c2ff6063ee079f60d1111994b1ac30a45ccef5097b103681716e7 8025 gitlab_10.5.5+dfsg-1_source.buildinfo
Files:
 905ab61ee2a44a36c8af3491446616e7 2523 contrib/net optional gitlab_10.5.5+dfsg-1.dsc
 21f94a6b4537850d46fd7cece9d54d76 44727574 contrib/net optional gitlab_10.5.5+dfsg.orig.tar.gz
 193dff203a7aecff132699c058364c73 61472 contrib/net optional gitlab_10.5.5+dfsg-1.debian.tar.xz
 5db348f2df8c57f988f1cde2c3a1ea93 8025 contrib/net optional gitlab_10.5.5+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlqymPgACgkQzh+cZ0US
wiolmQ/9HhPbci8NCEwMgQt907NrV5z0c12xecspXzWxShjK6oxhzr9mtmpYdkUF
T0ITuYaY0ChAPSZPaO8WilMk8MYD11o3Ebay73NwLm8mvIhTHBvTKuU4EbR8zYGw
gceVYcTTv4uBYwNp/VfHzAfq+xrqC/9uyy71OXFB73ddK/dm/kkUoevNvn67T6oq
cvpe82Zh8xAL+d/DLQv/SGiKewozrlFtzNkp4J87yrl1n4Solyc0Z+/6xvepMOal
aWwGE29fKo6bg44K3FKc3kqTiH3sNv6STpBf6a157Co5vSwpFhmPmWwjg8rk6GXo
nXFtlaQMZ4NVJZt1T4vemasryrciaEWqSg75bEzlODiBvg9qD5Nf+QfkRBDhWpBO
ue28i0EmRMd/FLQe6YFn6BY434q0cux6Gz/aqrXvlMAfw5bx+Qd4hQKa4KOGO3So
oXRhoS31KkIRaP3DGjAOKDNxw9975Hth4NWHhEjUGjkyzKJncAsNmuJna9AmmxX+
4UuxrGmBQxxlRE2kj2DTjwIXuXleSJM/tBLv/8lJWGL7QFOiH4/ABio30D3yr4WK
yP/oxdBqgFEGfnq+4j+h4ge9PV8cxNoON2YFOqVtiLkJK983/ZFZG2DsTVOhk6s0
BjbSCHTFQewzaIMgbawfmHD0XmMRbdCupO3uommF5QHiFNArEWM=
=Dh+N
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.