gitlab: CVE-2019-9866: Project Runner Token Exposed Through Issues Quick Actions

Related Vulnerabilities: CVE-2019-9866  

Debian Bug report logs - #925196

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Mar 2019 06:06:02 UTC

Severity: grave

Tags: security, upstream

Found in version gitlab/11.8.2-3

Fixed in version gitlab/11.8.3-1

Done: Sruthi Chandran <srud@disroot.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#925196; Package src:gitlab. (Thu, 21 Mar 2019 06:06:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 21 Mar 2019 06:06:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2019-9866: Project Runner Token Exposed Through Issues Quick Actions
Date: Thu, 21 Mar 2019 07:03:52 +0100
Source: gitlab
Version: 11.8.2-3
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for gitlab.

CVE-2019-9866[0]:
Project Runner Token Exposed Through Issues Quick Actions

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-9866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9866
[1] https://about.gitlab.com/2019/03/20/critical-security-release-gitlab-11-dot-8-dot-3-released/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Sruthi Chandran <srud@disroot.org>:
You have taken responsibility. (Thu, 21 Mar 2019 19:21:06 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 Mar 2019 19:21:06 GMT)


Message #10 received at 925196-close@bugs.debian.org:

From: Sruthi Chandran <srud@disroot.org>
To: 925196-close@bugs.debian.org
Subject: Bug#925196: fixed in gitlab 11.8.3-1
Date: Thu, 21 Mar 2019 19:20:15 +0000
Source: gitlab
Source-Version: 11.8.3-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 925196@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 22 Mar 2019 00:19:33 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source
Version: 11.8.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
 gitlab-common - git powered software platform to collaborate on code (common)
Closes: 925196
Changes:
 gitlab (11.8.3-1) unstable; urgency=high
 .
   [ Pirate Praveen ]
   * Set minimum version of git to 2.18
 .
   [ Sruthi Chandran ]
   * New upstream version 11.8.3 (Closes: #925196) (Fixes: CVE-2019-9866)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 19 Apr 2019 07:28:05 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:49:43 2019; Machine Name: buxtehude
