gitlab: CVE-2016-9086


Debian Bug report logs - #843519

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 7 Nov 2016 11:24:01 UTC

Severity: grave

Tags: security, upstream

Found in version gitlab/8.10.5+dfsg-3

Fixed in versions gitlab/8.13.3+dfsg1-2, gitlab/8.13.3+dfsg1-1

Done: Pirate Praveen <praveen@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#843519; Package src:gitlab. (Mon, 07 Nov 2016 11:24:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Mon, 07 Nov 2016 11:24:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gitlab: CVE-2016-9086
Date: Mon, 07 Nov 2016 12:20:09 +0100
Source: gitlab
Version: 8.10.5+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for gitlab.

CVE-2016-9086[0]:
| GitLab versions 8.9.x and above contain a critical security flaw in the
| "import/export project" feature of GitLab. Added in GitLab 8.9, this
| feature allows a user to export and then re-import their projects as
| tape archive files (tar). All GitLab versions prior to 8.13.0
| restricted this feature to administrators only. Starting with version
| 8.13.0 this feature was made available to all users. This feature did
| not properly check for symbolic links in user-provided archives and
| therefore it was possible for an authenticated user to retrieve the
| contents of any file accessible to the GitLab service account. This
| included sensitive files such as those that contain secret tokens used
| by the GitLab service to authenticate users. GitLab CE and EE versions
| 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10,
| 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9086
[1] https://hackerone.com/reports/178152
[2] https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/

Regards,
Salvatore
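The quoted advisory above attributes the flaw to an import feature that extracted user-supplied tar archives without checking for symbolic links. The following is an added illustration of the defensive check, written for this page and not taken from the bug report or from GitLab's own fix: it audits every tar member before anything is written to disk and refuses symlink and hard-link members, absolute or `..` paths that would land outside the import directory, and device or fifo nodes. The `build_archive` helper, the file names and the symlink target inside it are all constructed sample data.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Member types a project import never legitimately needs.
_SPECIAL_TYPES = {
    tarfile.CHRTYPE: "character device",
    tarfile.BLKTYPE: "block device",
    tarfile.FIFOTYPE: "fifo",
}


def _escapes(dest: Path, member_name: str) -> bool:
    """True if dest/member_name resolves outside dest (absolute name or '..' traversal)."""
    target = (dest / member_name).resolve()
    try:
        target.relative_to(dest.resolve())
    except ValueError:
        return True
    return False


def audit_tar(tar_bytes: bytes, dest: Path) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that must not be extracted.

    Links are rejected outright: a symlink extracted first can redirect a later
    member, or a later read by the application, to any file the service account
    can reach, which is exactly the class of problem CVE-2016-9086 describes.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym():
                findings.append((m.name, f"symlink -> {m.linkname}"))
            elif m.islnk():
                findings.append((m.name, f"hard link -> {m.linkname}"))
            elif m.type in _SPECIAL_TYPES:
                findings.append((m.name, _SPECIAL_TYPES[m.type]))
            elif os.path.isabs(m.name) or _escapes(dest, m.name):
                findings.append((m.name, "path escapes destination"))
    return findings


def safe_extract(tar_bytes: bytes, dest: Path) -> list[str]:
    """Extract only when the audit is clean; return the names written."""
    findings = audit_tar(tar_bytes, dest)
    if findings:
        raise ValueError(f"refusing archive: {findings}")
    dest.mkdir(parents=True, exist_ok=True)
    # Where the interpreter provides tarfile's built-in 'data' filter
    # (3.12+, backported to later 3.8-3.11 releases) use it as a second layer.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        tf.extractall(path=dest, **extra)
        return [m.name for m in tf.getmembers()]


def build_archive(hostile: bool) -> bytes:
    """Constructed sample archive: one ordinary export file, plus (if hostile)
    a '..' traversal entry and a symlink member pointing outside the project."""
    buf = io.BytesIO()
    data = b"project: demo\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        ti = tarfile.TarInfo("project/export.json")
        ti.size = len(data)
        tf.addfile(ti, io.BytesIO(data))
        if hostile:
            ti = tarfile.TarInfo("../outside.txt")
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
            ti = tarfile.TarInfo("project/config")
            ti.type = tarfile.SYMTYPE
            ti.linkname = "../../secrets.yml"  # constructed target, hypothetical path
            tf.addfile(ti)
    return buf.getvalue()


def run_demo() -> dict:
    """Audit the hostile sample, extract the clean one, and report both outcomes."""
    dest = Path(tempfile.mkdtemp(prefix="import-"))
    hostile_findings = audit_tar(build_archive(hostile=True), dest)
    clean_extracted = safe_extract(build_archive(hostile=False), dest)
    try:
        safe_extract(build_archive(hostile=True), dest)
        refused = False
    except ValueError:
        refused = True
    return {
        "hostile_findings": hostile_findings,
        "clean_extracted": clean_extracted,
        "hostile_refused": refused,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The audit runs over the member list before extraction rather than checking each entry as it is written, so a symlink cannot be created and then used by a later member in the same archive. Rejecting every link member is stricter than the advisory strictly requires, but an export format that needs no links loses nothing by it and gains a simple, auditable rule.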



Reply sent to Pirate Praveen <praveen@debian.org>:
You have taken responsibility. (Fri, 11 Nov 2016 06:57:11 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 11 Nov 2016 06:57:11 GMT) (full text, mbox, link).


Message #10 received at 843519-close@bugs.debian.org (full text, mbox, reply):

From: Pirate Praveen <praveen@debian.org>
To: 843519-close@bugs.debian.org
Subject: Bug#843519: fixed in gitlab 8.13.3+dfsg1-2
Date: Fri, 11 Nov 2016 06:48:41 +0000
Source: gitlab
Source-Version: 8.13.3+dfsg1-2

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 843519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <praveen@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 11 Nov 2016 10:56:31 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 8.13.3+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Pirate Praveen <praveen@debian.org>
Description:
 gitlab     - git powered software platform to collaborate on code
Closes: 843519
Changes:
 gitlab (8.13.3+dfsg1-2) unstable; urgency=medium
 .
   * Reupload to unstable (Closes: #843519)
Checksums-Sha1:
 9857cbf76fc44b2917456b144fb2cd5befcfd92c 2063 gitlab_8.13.3+dfsg1-2.dsc
 a7341b53880eb81115ff5c3ad62e7f919e7cb800 43488 gitlab_8.13.3+dfsg1-2.debian.tar.xz
Checksums-Sha256:
 ee1b5816a23cbb4b61a3a70d8de15b4da4c931dff6c73af2a2991a537826b4f6 2063 gitlab_8.13.3+dfsg1-2.dsc
 459c8ecd668cbf5449cd0e3351b431456134e14b44c82cb7d61583ac8e14ed65 43488 gitlab_8.13.3+dfsg1-2.debian.tar.xz
Files:
 0c89a5e98311e7e129fbab667ed71144 2063 ruby optional gitlab_8.13.3+dfsg1-2.dsc
 affdebd92a346d193ec52bf8e92ee2c0 43488 ruby optional gitlab_8.13.3+dfsg1-2.debian.tar.xz





Marked as fixed in versions gitlab/8.13.3+dfsg1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 11 Nov 2016 10:03:07 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 29 Dec 2016 07:54:03 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:25:34 2019; Machine Name: beach
