Your message dated Thu, 03 Jan 2019 08:42:31 +0000
with message-id <e1geyaf-0009jw...@fasolo.debian.org>
and subject line Bug#918086: fixed in gitlab 11.5.6+dfsg-1
has caused the Debian Bug report #918086,
regarding gitlab: CVE-2018-20488 CVE-2018-20489 CVE-2018-20490 CVE-2018-20491
CVE-2018-20492 CVE-2018-20493 CVE-2018-20494 CVE-2018-20495 CVE-2018-20496
CVE-2018-20497 CVE-2018-20498 CVE-2018-20499 CVE-2018-20500 CVE-2018-20501
CVE-2018-20507
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
918086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=918086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1
Hi,
The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf [15].
CVE-2018-20488[0]:
Secret CI variable exposure
CVE-2018-20489[1]:
URL rel attribute not set
CVE-2018-20490[2]:
Persistent XSS Autocompletion
CVE-2018-20491[3]:
Persistent XSS wiki in IE browser
CVE-2018-20492[4]:
Todos improper access control
CVE-2018-20493[5]:
Source code disclosure merge request diff
CVE-2018-20494[6]:
Guest user CI job disclosure
CVE-2018-20495[7]:
CI job token LFS error message disclosure
CVE-2018-20496[8]:
Persistent XSS label reference
CVE-2018-20497[9]:
SSRF repository mirroring
CVE-2018-20498[10]:
Improper access control branches and tags
CVE-2018-20499[11]:
SSRF in project imports with LFS
CVE-2018-20500[12]:
Improper access control CI/CD settings
CVE-2018-20501[13]:
Missing authorization control merge requests
CVE-2018-20507[14]:
Missing authentication for Prometheus alert endpoint
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20488
[1] https://security-tracker.debian.org/tracker/CVE-2018-20489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20489
[2] https://security-tracker.debian.org/tracker/CVE-2018-20490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20490
[3] https://security-tracker.debian.org/tracker/CVE-2018-20491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20491
[4] https://security-tracker.debian.org/tracker/CVE-2018-20492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20492
[5] https://security-tracker.debian.org/tracker/CVE-2018-20493
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20493
[6] https://security-tracker.debian.org/tracker/CVE-2018-20494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20494
[7] https://security-tracker.debian.org/tracker/CVE-2018-20495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20495
[8] https://security-tracker.debian.org/tracker/CVE-2018-20496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20496
[9] https://security-tracker.debian.org/tracker/CVE-2018-20497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20497
[10] https://security-tracker.debian.org/tracker/CVE-2018-20498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20498
[11] https://security-tracker.debian.org/tracker/CVE-2018-20499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20499
[12] https://security-tracker.debian.org/tracker/CVE-2018-20500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20500
[13] https://security-tracker.debian.org/tracker/CVE-2018-20501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20501
[14] https://security-tracker.debian.org/tracker/CVE-2018-20507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507
[15] https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gitlab
Source-Version: 11.5.6+dfsg-1
We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 918...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sruthi Chandran <s...@disroot.org> (supplier of updated gitlab package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 03 Jan 2019 12:56:20 +0530
Source: gitlab
Binary: gitlab gitlab-common
Architecture: source all
Version: 11.5.6+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Sruthi Chandran <s...@disroot.org>
Description:
gitlab - git powered software platform to collaborate on code (non-omnibus
gitlab-common - git powered software platform to collaborate on code (common)
Closes: 918086
Changes:
gitlab (11.5.6+dfsg-1) unstable; urgency=high
.
* New upstream version 11.5.6+dfsg (Closes: #918086) (Fixes: CVE-2018-20488,
CVE-2018-20489, CVE-2018-20490, CVE-2018-20491, CVE-2018-20492,
CVE-2018-20493, CVE-2018-20494, CVE-2018-20495, CVE-2018-20496,
CVE-2018-20497, CVE-2018-20498, CVE-2018-20499, CVE-2018-20500,
CVE-2018-20501, CVE-2018-20507)
* Bump Standards-Version to 4.3.0
Checksums-Sha1:
40f8212e20bb03c05252f03ec8c2d375bee81ec8 2297 gitlab_11.5.6+dfsg-1.dsc
11876a00d60ea0391e7a493134dd6d1f543dc9c9 46128708 gitlab_11.5.6+dfsg.orig.tar.xz
1e18716f9df666c9a941a75f0af4c060faf8cf32 66904 gitlab_11.5.6+dfsg-1.debian.tar.xz
7dfdd1f2ad519f7560ea98785ea75bf5cae36a65 145440 gitlab-common_11.5.6+dfsg-1_all.deb
5034594662ed85e4074d50b144f5591a29fab683 46627556 gitlab_11.5.6+dfsg-1_all.deb
4bcd88c983296386ccd957ce0ea40ad0d3ae304e 9037 gitlab_11.5.6+dfsg-1_amd64.buildinfo
Checksums-Sha256:
bb6c6e2717c25292dc4c267f720e0f2a48d6bc35931698ad3b3b0a4622f90c40 2297 gitlab_11.5.6+dfsg-1.dsc
5ba1f2c7a497522a81293582cbdc1966af0baba29fe1735d07b0f7d3d4f73b31 46128708 gitlab_11.5.6+dfsg.orig.tar.xz
10ef561f3e725fbf027ae184fac1e9895f7e9b8ec6ba8d41cbd6c60b3afd1026 66904 gitlab_11.5.6+dfsg-1.debian.tar.xz
79f1b4f285df705a0655ab2ebde559b0dc5d833a22035f6b69b9b22c7eb12ad1 145440 gitlab-common_11.5.6+dfsg-1_all.deb
b239179809f807ad964025488549cb735294bd2aa0be94c1083f7a5d905ca6f9 46627556 gitlab_11.5.6+dfsg-1_all.deb
9d587f52c1b73497c408ad421db7ffa51b0fbe4b74b342e6021d44831372ddc7 9037 gitlab_11.5.6+dfsg-1_amd64.buildinfo
Files:
7b212fe0127f02a4795ef5a23d4b4b47 2297 net optional gitlab_11.5.6+dfsg-1.dsc
dd64923fb20e9e3d9279cd40017b81af 46128708 net optional gitlab_11.5.6+dfsg.orig.tar.xz
175ff9ba9ee1ced6613d836e330bc771 66904 net optional gitlab_11.5.6+dfsg-1.debian.tar.xz
eaaa19f3b076d873fd715514b28378ed 145440 net optional gitlab-common_11.5.6+dfsg-1_all.deb
42b2b14161f7fbb4a3328e44f32a56c4 46627556 contrib/net optional gitlab_11.5.6+dfsg-1_all.deb
a25ecdfee5f02e8c53b448e9c595bc4f 9037 net optional gitlab_11.5.6+dfsg-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEKnl0ri/BUtd4Z9pKzh+cZ0USwioFAlwtxYsACgkQzh+cZ0US
wioPUw/8CFpcU2caYdtuYnOz/AiTlhZ00Z4CIXJF/Z4S6TABxz8Pfts+3ZRRDjLW
hAetOFl6xFiYUUQIlCD75OauNVZdxXS0Gp4p4VLOmFBaWc9cTi/nxjWWZ2OpcBVI
EzlXdOkCqu7pL1pobWzzUibL0OMnF84qoQmom4jj8f4ZSxxpSTmvx9FUv/ZVLOWq
F+TirwALHEkvH3iP8tXl+2rBnge4FAyCJCzmE3egnJklyKsAvg/3n4HE5vKZn6mX
aqzpD/GHoeGWL9OpGYSZuiuJ6rHwRiYnY7GHixm+vGTxhJsEkY5/2kMANXBuzfYI
NmJzlNJXFQw7H0vK56YHA1ApHz7TNL7nSqc+y4sdeVeH0VmW6OvbYmItHgmhayjW
cbbk8FDYBhgPrLKC5eJZ02yBd5yA2qLjYKCH4OCKfoeboVlQ5dS1aDfbMaO/xx5c
0JhkDiTioIjpuJ3J8x1Ag0K7DVX8tUPiFme3Z3dvM7uUlHC3D0YfjL0jsTF2Z0RU
VdHffn+G7HoSs+nxqvJOvCw4+pBm8lkZDnxttlxhbav3XLcBaM3HC4hlsfLcXcVA
IbODuIn+KZecxbwGwtAeXuHdZS+G6o1/OhnwQQxvQ2o0NQThbV0XJeHd5xlXnWSs
Eo/kYH3YvkFRi/z+amM02b4vt+a5ua28W1OQwCgmt0OwEMZ2UDc=
=MW89
-----END PGP SIGNATURE-----
--- End Message ---