Debian Bug report logs - #847157
gitlab: CVE-2016-9469

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 6 Dec 2016 06:24:01 UTC

Severity: grave

Tags: security, upstream

Found in version gitlab/8.13.3+dfsg1-2

Fixed in version gitlab/8.13.6+dfsg2-2

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#847157; Package src:gitlab. (Tue, 06 Dec 2016 06:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 06 Dec 2016 06:24:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2016-9469
Date: Tue, 06 Dec 2016 07:22:00 +0100
Source: gitlab
Version: 8.13.3+dfsg1-2
Severity: grave
Tags: security upstream

Hi,

the following vulnerability was published for gitlab.

CVE-2016-9469[0]:
|Denial-of-Service and Data Corruption Vulnerability in Issue and Merge
|Request Trackers

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9469
[1] https://about.gitlab.com/2016/12/05/cve-2016-9469/

According to upstream all 8.13.0 through 8.13.7 are affected.

Regards,
Salvatore
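
The range quoted above (8.13.0 through 8.13.7) is an upstream range, whereas the Debian fix landed in 8.13.6+dfsg2-2 by backporting the patch, so an upstream version number inside the range does not on its own tell a Debian admin whether the installed package is still vulnerable. The Python below is an added example for this bug log, not code from the report or from Debian's own tooling: it reimplements dpkg's version ordering (epoch, upstream, revision; "~" sorts before everything, letters before other characters, digit runs compared numerically) so the check runs without dpkg, and then compares a package version both against the advisory's upstream range and against the Debian fixed version. The version strings fed to it at the bottom are constructed inputs, not real hosts.

```python
"""Decide whether a Debian gitlab package version still carries CVE-2016-9469.

Added example for bug #847157; not part of the report or of Debian's tooling.
Affected upstream range (8.13.0 through 8.13.7) and Debian fixed version
(8.13.6+dfsg2-2) are taken from the report. Sample versions are constructed.
"""

AFFECTED_UPSTREAM = ("8.13.0", "8.13.7")  # "8.13.0 through 8.13.7" per upstream
DEBIAN_FIXED = "8.13.6+dfsg2-2"           # "Fixed in version" in the report


def _order(c):
    """Character weight used by dpkg when comparing non-digit runs."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1            # '~' sorts before everything, even end of string
    return ord(c) + 256 if c else 0


def _at(s, k):
    """Character k of s, or '' past the end (dpkg's NUL terminator)."""
    return s[k] if k < len(s) else ""


def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): negative, zero or positive like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit runs: compare weights until both sides reach a digit or the end.
        while (_at(a, i) and not _at(a, i).isdigit()) or (_at(b, j) and not _at(b, j).isdigit()):
            diff = _order(_at(a, i)) - _order(_at(b, j))
            if diff:
                return diff
            i += 1
            j += 1
        # Digit runs: drop leading zeros; the longer run wins, else the first differing digit.
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        first_diff = 0
        while _at(a, i).isdigit() and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i).isdigit():
            return 1
        if _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """dpkg --compare-versions semantics: -1 if a < b, 0 if equal, 1 if a > b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def upstream_in_affected_range(version):
    """What the advisory's range alone says: is the upstream part in 8.13.0..8.13.7?
    Debian's '+dfsgN' repack suffix is dropped before comparing."""
    _, upstream, _ = _split(version)
    core = upstream.split("+", 1)[0]
    return (compare_versions(AFFECTED_UPSTREAM[0], core) <= 0
            and compare_versions(core, AFFECTED_UPSTREAM[1]) <= 0)


def debian_package_vulnerable(version):
    """Debian verdict: 8.13.6+dfsg2-2 carries the backported patch, so any package
    version at or above it is fixed even though upstream 8.13.6 is in the range."""
    return (upstream_in_affected_range(version)
            and compare_versions(version, DEBIAN_FIXED) < 0)


if __name__ == "__main__":
    # Constructed sample versions, not real hosts.
    for v in ["8.13.3+dfsg1-2", "8.13.6+dfsg2-1", "8.13.6+dfsg2-2", "8.14.0+dfsg-1", "8.12.9-1"]:
        print(f"{v:18} in-upstream-range={upstream_in_affected_range(v)!s:5} "
              f"debian-vulnerable={debian_package_vulnerable(v)}")
```

On a real host the version to feed in comes from `dpkg-query -W -f='${Version}' gitlab`; where dpkg is available, `dpkg --compare-versions "$v" lt 8.13.6+dfsg2-2` gives the same answer as the Debian-specific check without the reimplementation. The point of keeping both functions is the mismatch between them: 8.13.6+dfsg2-2 is inside the upstream range but is not vulnerable, which a scanner keyed only on the upstream number would get wrong.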



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#847157; Package src:gitlab. (Tue, 06 Dec 2016 06:36:02 GMT)


Acknowledgement sent to Pirate Praveen <praveen@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Tue, 06 Dec 2016 06:36:02 GMT)


Message #10 received at 847157@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 847157@bugs.debian.org
Subject: Re: Bug#847157: gitlab: CVE-2016-9469
Date: Tue, 06 Dec 2016 12:00:12 +0530
control: tags -1 pending

On 6 December 2016 11:52:00 AM IST, Salvatore Bonaccorso <carnil@debian.org> wrote:
>According to upstream all 8.13.0 through 8.13.7 are affected.

Updated in git and people.debian.org/~praveen/gitlab. I'm waiting for current version in unstable to migrate before I upload it.




Added tag(s) pending. Request was from Pirate Praveen <praveen@debian.org> to 847157-submit@bugs.debian.org. (Tue, 06 Dec 2016 06:36:03 GMT)


Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Sun, 11 Dec 2016 16:51:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 11 Dec 2016 16:51:19 GMT)


Message #17 received at 847157-close@bugs.debian.org:

From: Pirate Praveen <praveen@debian.org>
To: 847157-close@bugs.debian.org
Subject: Bug#847157: fixed in gitlab 8.13.6+dfsg2-2
Date: Sun, 11 Dec 2016 16:48:39 +0000
Source: gitlab
Source-Version: 8.13.6+dfsg2-2

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 847157@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Dec 2016 22:06:59 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 8.13.6+dfsg2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code
Closes: 847114 847157 847337 847420
Changes:
 gitlab (8.13.6+dfsg2-2) unstable; urgency=medium
 .
   * Add patch cve-2016-9469.diff (Fixes: CVE-2016-9469) (Closes: #847157)
   * Use ruby-jquery-ui-rails 6 (Closes: #847337)
   * Enable more tests
   * Use -C for specifying sidekiq queues, Thanks to Justin F. Hallett
     (Closes: #847114)
   * Add dpkg trigger to refresh Gemfile.lock if a dependency is changed
     (Closes: #847420)
Checksums-Sha1:
 a1b5f705ca29a95baacef0b6c330fe9aa64b47c8 2492 gitlab_8.13.6+dfsg2-2.dsc
 e2bf3a0b3201918d5b6b9c3191156bea24aaf8c6 45140 gitlab_8.13.6+dfsg2-2.debian.tar.xz
Checksums-Sha256:
 0c2afd62c76495b2b35d7ae229b11b049246cb1528440d21c5eb3f0f167b7c1c 2492 gitlab_8.13.6+dfsg2-2.dsc
 6acb1cb34c3c93db5872b42086deb4fa08f0ed319084f2bb509e4a1876e80f9a 45140 gitlab_8.13.6+dfsg2-2.debian.tar.xz
Files:
 ee22558032bccd6c83ad79468fb3bb93 2492 ruby optional gitlab_8.13.6+dfsg2-2.dsc
 c7446213e1bb822827860ea4d83fbb9d 45140 ruby optional gitlab_8.13.6+dfsg2-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[signature data not preserved]
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 10:11:53 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:06:04 2019; Machine Name: buxtehude
