Your message dated Fri, 11 Nov 2016 06:48:41 +0000
with message-id <e1c55dh-000bwh...@fasolo.debian.org>
and subject line Bug#843519: fixed in gitlab 8.13.3+dfsg1-2
has caused the Debian Bug report #843519,
regarding gitlab: CVE-2016-9086
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
843519: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=843519
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 8.10.5+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
the following vulnerability was published for gitlab.
CVE-2016-9086[0]:
| GitLab versions 8.9.x and above contain a critical security flaw in the
| "import/export project" feature of GitLab. Added in GitLab 8.9, this
| feature allows a user to export and then re-import their projects as
| tape archive files (tar). All GitLab versions prior to 8.13.0
| restricted this feature to administrators only. Starting with version
| 8.13.0 this feature was made available to all users. This feature did
| not properly check for symbolic links in user-provided archives and
| therefore it was possible for an authenticated user to retrieve the
| contents of any file accessible to the GitLab service account. This
| included sensitive files such as those that contain secret tokens used
| by the GitLab service to authenticate users. GitLab CE and EE versions
| 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10,
| 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-9086
[1] https://hackerone.com/reports/178152
[2] https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/
Regards,
Salvatore
--- End Message ---
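The CVE text above describes the defect in one sentence: the import feature unpacked a user-supplied tar archive without checking what kind of entries it contained, so a symlink inside the archive could point at any file the GitLab service account could read. The following is an added example, not code from GitLab, the Debian package or the reporter; it shows the pre-extraction gate a defender would put in front of such an importer. It uses the tar reader and writer bundled with Ruby's rubygems (`Gem::Package::TarReader` / `Gem::Package::TarWriter`), refuses every entry that is not a plain file or directory, and refuses any name that would resolve outside the destination. The destination path, file names and symlink target are constructed placeholders; nothing here touches the filesystem, and GitLab's actual upstream fix is not reproduced.

```ruby
require "rubygems/package"   # Gem::Package::TarReader / TarWriter, shipped with Ruby
require "stringio"

# Destination the archive would be unpacked into. Constructed placeholder;
# nothing below reads or writes the filesystem.
IMPORT_ROOT = "/var/opt/example/import".freeze

# Entry types a project import legitimately needs: regular files (typeflag
# "0" or NUL) and directories ("5"). Symlinks ("2"), hard links ("1"),
# device nodes and anything else are refused.
ALLOWED_TYPEFLAGS = ["0", "\0", "5"].freeze

# True when `name`, resolved relative to `root`, stays inside `root`.
# Catches absolute names, "../" components and "a/../../b" alike. Names
# starting with "~" are refused up front because File.expand_path would
# expand them to a home directory.
def confined?(root, name)
  return false if name.empty? || name.start_with?("~")
  root = File.expand_path(root)
  target = File.expand_path(name, root)
  target == root || target.start_with?(root + "/")
end

# Walk every header in a tar stream and collect the reasons it must not be
# extracted. An empty result means the archive passed. Only headers are
# inspected, so the cost is proportional to the archive's metadata, not its size.
def audit_tar(io, root = IMPORT_ROOT)
  findings = []
  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      h = entry.header
      # ustar splits long names into prefix + name; rejoin before checking.
      name = h.prefix.to_s.empty? ? h.name : File.join(h.prefix, h.name)

      findings << "escapes #{root}: #{name}" unless confined?(root, name)

      if h.typeflag == "2"
        findings << "symlink #{name} -> #{h.linkname}"
      elsif !ALLOWED_TYPEFLAGS.include?(h.typeflag)
        findings << "unsupported entry type #{h.typeflag.inspect}: #{name}"
      end
    end
  end
  findings
end

# Build a small tar archive in memory from a list of entry descriptions.
# Constructed test data only; no archive from the report is reproduced here.
def build_tar(entries)
  io = StringIO.new("".b)
  Gem::Package::TarWriter.new(io) do |tar|
    entries.each do |e|
      case e[:type]
      when :dir
        tar.mkdir(e[:name], 0o755)
      when :file
        tar.add_file_simple(e[:name], 0o644, e[:data].bytesize) { |f| f.write(e[:data]) }
      when :symlink
        tar.add_symlink(e[:name], e[:target], 0o777)
      end
    end
  end
  io.string
end

# A benign export: a directory and a metadata file (constructed).
def clean_archive
  build_tar([
    { type: :dir,  name: "project" },
    { type: :file, name: "project/project.json", data: "{}" },
  ])
end

# A hostile export (constructed): the same layout plus a symlink pointing
# outside the import tree and a file whose name climbs out of the destination.
def hostile_archive
  build_tar([
    { type: :dir,     name: "project" },
    { type: :file,    name: "project/project.json", data: "{}" },
    { type: :symlink, name: "project/secrets.yml", target: "/opt/example/secrets.yml" }, # placeholder target
    { type: :file,    name: "../../escape.txt", data: "x" },
  ])
end

if __FILE__ == $PROGRAM_NAME
  [["clean", clean_archive], ["hostile", hostile_archive]].each do |label, data|
    findings = audit_tar(StringIO.new(data))
    puts "#{label}: #{findings.empty? ? 'ok' : findings.join('; ')}"
  end
end
```

The audit runs over headers only and decides before a single byte is written, which is the property that matters: once a symlink has been created on disk, a later entry in the same archive can write through it, and a post-extraction cleanup arrives too late. Rejecting the whole archive on the first finding, rather than silently dropping the offending entries, also gives the importer a clear signal to log and surface to the user.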
--- Begin Message ---
Source: gitlab
Source-Version: 8.13.3+dfsg1-2
We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 843...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated gitlab package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 11 Nov 2016 10:56:31 +0530
Source: gitlab
Binary: gitlab
Architecture: source
Version: 8.13.3+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers
<pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Description:
gitlab - git powered software platform to collaborate on code
Closes: 843519
Changes:
gitlab (8.13.3+dfsg1-2) unstable; urgency=medium
.
* Reupload to unstable (Closes: #843519)
Checksums-Sha1:
9857cbf76fc44b2917456b144fb2cd5befcfd92c 2063 gitlab_8.13.3+dfsg1-2.dsc
a7341b53880eb81115ff5c3ad62e7f919e7cb800 43488 gitlab_8.13.3+dfsg1-2.debian.tar.xz
Checksums-Sha256:
ee1b5816a23cbb4b61a3a70d8de15b4da4c931dff6c73af2a2991a537826b4f6 2063 gitlab_8.13.3+dfsg1-2.dsc
459c8ecd668cbf5449cd0e3351b431456134e14b44c82cb7d61583ac8e14ed65 43488 gitlab_8.13.3+dfsg1-2.debian.tar.xz
Files:
0c89a5e98311e7e129fbab667ed71144 2063 ruby optional gitlab_8.13.3+dfsg1-2.dsc
affdebd92a346d193ec52bf8e92ee2c0 43488 ruby optional gitlab_8.13.3+dfsg1-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=hcGr
-----END PGP SIGNATURE-----
--- End Message ---