gitlab: CVE-2018-20488 CVE-2018-20489 CVE-2018-20490 CVE-2018-20491 CVE-2018-20492 CVE-2018-20493 CVE-2018-20494 CVE-2018-20495 CVE-2018-20496 CVE-2018-20497 CVE-2018-20498 CVE-2018-20499 CVE-2018-20500 CVE-2018-20501 CVE-2018-20507

Debian Bug report logs - #918086


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 3 Jan 2019 07:09:02 UTC

Severity: grave

Tags: security, upstream

Found in versions gitlab/11.5.5+dfsg-1, gitlab/11.6.0+dfsg-1

Fixed in version gitlab/11.5.6+dfsg-1

Done: Sruthi Chandran <srud@disroot.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#918086; Package src:gitlab. (Thu, 03 Jan 2019 07:09:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Thu, 03 Jan 2019 07:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2018-20488 CVE-2018-20489 CVE-2018-20490 CVE-2018-20491 CVE-2018-20492 CVE-2018-20493 CVE-2018-20494 CVE-2018-20495 CVE-2018-20496 CVE-2018-20497 CVE-2018-20498 CVE-2018-20499 CVE-2018-20500 CVE-2018-20501 CVE-2018-20507
Date: Thu, 03 Jan 2019 08:07:50 +0100
Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1

Hi,

The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf [15].

CVE-2018-20488[0]:
Secret CI variable exposure

CVE-2018-20489[1]:
URL rel attribute not set

CVE-2018-20490[2]:
Persistent XSS Autocompletion

CVE-2018-20491[3]:
Persistent XSS wiki in IE browser

CVE-2018-20492[4]:
Todos improper access control

CVE-2018-20493[5]:
Source code disclosure merge request diff

CVE-2018-20494[6]:
Guest user CI job disclosure

CVE-2018-20495[7]:
CI job token LFS error message disclosure

CVE-2018-20496[8]:
Persistent XSS label reference

CVE-2018-20497[9]:
SSRF repository mirroring

CVE-2018-20498[10]:
Improper access control branches and tags

CVE-2018-20499[11]:
SSRF in project imports with LFS

CVE-2018-20500[12]:
Improper access control CI/CD settings

CVE-2018-20501[13]:
Missing authorization control merge requests

CVE-2018-20507[14]:
Missing authentication for Prometheus alert endpoint

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20488
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20488
[1] https://security-tracker.debian.org/tracker/CVE-2018-20489
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20489
[2] https://security-tracker.debian.org/tracker/CVE-2018-20490
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20490
[3] https://security-tracker.debian.org/tracker/CVE-2018-20491
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20491
[4] https://security-tracker.debian.org/tracker/CVE-2018-20492
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20492
[5] https://security-tracker.debian.org/tracker/CVE-2018-20493
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20493
[6] https://security-tracker.debian.org/tracker/CVE-2018-20494
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20494
[7] https://security-tracker.debian.org/tracker/CVE-2018-20495
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20495
[8] https://security-tracker.debian.org/tracker/CVE-2018-20496
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20496
[9] https://security-tracker.debian.org/tracker/CVE-2018-20497
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20497
[10] https://security-tracker.debian.org/tracker/CVE-2018-20498
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20498
[11] https://security-tracker.debian.org/tracker/CVE-2018-20499
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20499
[12] https://security-tracker.debian.org/tracker/CVE-2018-20500
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20500
[13] https://security-tracker.debian.org/tracker/CVE-2018-20501
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20501
[14] https://security-tracker.debian.org/tracker/CVE-2018-20507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507
[15] https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/  

Regards,
Salvatore



Marked as found in versions gitlab/11.6.0+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 03 Jan 2019 07:09:04 GMT)


Reply sent to Sruthi Chandran <srud@disroot.org>:
You have taken responsibility. (Thu, 03 Jan 2019 08:45:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 03 Jan 2019 08:45:04 GMT)


Message #12 received at 918086-close@bugs.debian.org:

From: Sruthi Chandran <srud@disroot.org>
To: 918086-close@bugs.debian.org
Subject: Bug#918086: fixed in gitlab 11.5.6+dfsg-1
Date: Thu, 03 Jan 2019 08:42:31 +0000
Source: gitlab
Source-Version: 11.5.6+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 918086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sruthi Chandran <srud@disroot.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 03 Jan 2019 12:56:20 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source all
Version: 11.5.6+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <srud@disroot.org>
Description:
 gitlab     - git powered software platform to collaborate on code (non-omnibus
 gitlab-common - git powered software platform to collaborate on code (common)
Closes: 918086
Changes:
 gitlab (11.5.6+dfsg-1) unstable; urgency=high
 .
   * New upstream version 11.5.6+dfsg (Closes: #918086) (Fixes: CVE-2018-20488,
     CVE-2018-20489, CVE-2018-20490, CVE-2018-20491, CVE-2018-20492,
     CVE-2018-20493, CVE-2018-20494, CVE-2018-20495, CVE-2018-20496,
     CVE-2018-20497, CVE-2018-20498, CVE-2018-20499, CVE-2018-20500,
     CVE-2018-20501, CVE-2018-20507)
   * Bump Standards-Version to 4.3.0
Checksums-Sha1:
 40f8212e20bb03c05252f03ec8c2d375bee81ec8 2297 gitlab_11.5.6+dfsg-1.dsc
 11876a00d60ea0391e7a493134dd6d1f543dc9c9 46128708 gitlab_11.5.6+dfsg.orig.tar.xz
 1e18716f9df666c9a941a75f0af4c060faf8cf32 66904 gitlab_11.5.6+dfsg-1.debian.tar.xz
 7dfdd1f2ad519f7560ea98785ea75bf5cae36a65 145440 gitlab-common_11.5.6+dfsg-1_all.deb
 5034594662ed85e4074d50b144f5591a29fab683 46627556 gitlab_11.5.6+dfsg-1_all.deb
 4bcd88c983296386ccd957ce0ea40ad0d3ae304e 9037 gitlab_11.5.6+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 bb6c6e2717c25292dc4c267f720e0f2a48d6bc35931698ad3b3b0a4622f90c40 2297 gitlab_11.5.6+dfsg-1.dsc
 5ba1f2c7a497522a81293582cbdc1966af0baba29fe1735d07b0f7d3d4f73b31 46128708 gitlab_11.5.6+dfsg.orig.tar.xz
 10ef561f3e725fbf027ae184fac1e9895f7e9b8ec6ba8d41cbd6c60b3afd1026 66904 gitlab_11.5.6+dfsg-1.debian.tar.xz
 79f1b4f285df705a0655ab2ebde559b0dc5d833a22035f6b69b9b22c7eb12ad1 145440 gitlab-common_11.5.6+dfsg-1_all.deb
 b239179809f807ad964025488549cb735294bd2aa0be94c1083f7a5d905ca6f9 46627556 gitlab_11.5.6+dfsg-1_all.deb
 9d587f52c1b73497c408ad421db7ffa51b0fbe4b74b342e6021d44831372ddc7 9037 gitlab_11.5.6+dfsg-1_amd64.buildinfo
Files:
 7b212fe0127f02a4795ef5a23d4b4b47 2297 net optional gitlab_11.5.6+dfsg-1.dsc
 dd64923fb20e9e3d9279cd40017b81af 46128708 net optional gitlab_11.5.6+dfsg.orig.tar.xz
 175ff9ba9ee1ced6613d836e330bc771 66904 net optional gitlab_11.5.6+dfsg-1.debian.tar.xz
 eaaa19f3b076d873fd715514b28378ed 145440 net optional gitlab-common_11.5.6+dfsg-1_all.deb
 42b2b14161f7fbb4a3328e44f32a56c4 46627556 contrib/net optional gitlab_11.5.6+dfsg-1_all.deb
 a25ecdfee5f02e8c53b448e9c595bc4f 9037 net optional gitlab_11.5.6+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Mar 2019 07:32:00 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:58:42 2019; Machine Name: buxtehude
