Your message dated Sun, 11 Aug 2019 08:41:49 +0000
with message-id <e1hwjqd-0004e3...@fasolo.debian.org>
and subject line Bug#933785: fixed in gitlab 11.11.7+dfsg-1
has caused the Debian Bug report #933785,
regarding gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 
CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933785
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, see [9].

CVE-2019-5470[0]:
Information Disclosure Vulnerability Feedback

CVE-2019-5469[1]:
Arbitrary File Upload via Import Project Archive

CVE-2019-5468[2]:
User Revocation Bypass with Mattermost Integration

CVE-2019-5466[3]:
IDOR Label Name Enumeration

CVE-2019-5465[4]:
Information Disclosure New Issue ID

CVE-2019-5464[5]:
SSRF Mitigation Bypass

CVE-2019-5463[6]:
Build Status Disclosure

CVE-2019-5462[7]:
Trigger Token Impersonation

CVE-2019-5461[8]:
GitHub Integration SSRF

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5470
[1] https://security-tracker.debian.org/tracker/CVE-2019-5469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5469
[2] https://security-tracker.debian.org/tracker/CVE-2019-5468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5468
[3] https://security-tracker.debian.org/tracker/CVE-2019-5466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5466
[4] https://security-tracker.debian.org/tracker/CVE-2019-5465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5465
[5] https://security-tracker.debian.org/tracker/CVE-2019-5464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5464
[6] https://security-tracker.debian.org/tracker/CVE-2019-5463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5463
[7] https://security-tracker.debian.org/tracker/CVE-2019-5462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5462
[8] https://security-tracker.debian.org/tracker/CVE-2019-5461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5461
[9] https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: gitlab
Source-Version: 11.11.7+dfsg-1

We believe that the bug you reported is fixed in the latest version of
gitlab, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Pirate Praveen <prav...@debian.org> (supplier of updated gitlab package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 11 Aug 2019 13:00:50 +0530
Source: gitlab
Architecture: source
Version: 11.11.7+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Pirate Praveen <prav...@debian.org>
Closes: 933785
Changes:
 gitlab (11.11.7+dfsg-1) experimental; urgency=medium
 .
   [ Pirate Praveen ]
   * New upstream security release 11.11.7+dfsg (Closes: #933785)
     (Fixes: CVE-2019-5470, CVE-2019-5469, CVE-2019-5468, CVE-2019-5466,
     CVE-2019-5465, CVE-2019-5464, CVE-2019-5463, CVE-2019-5462, CVE-2019-5461)
   * Use packaged version of node-d3
   * Refresh patches
   * Bump standards version to 4.4.0
   * Install security.txt
   * Update embedded rails version to 5.1.7
   * Add ruby-omniauth-openid-connect, ruby-sassc and ruby-jaeger-client as
     new dependencies.
   * Embed omniauth-ultraauth, omniauth-salesforce, apollo_upload_server,
     sassc-rails, gitlab-labkit
   * Update dependency on ruby-sidekiq and ruby-nokogiri, gitaly,
     ruby-fog-google, ruby-batch-loader, ruby-gitaly-proto, ruby-grpc
 .
   [ Dmitry Smirnov ]
   * CI: dropped .git directory and added job to build on Buster.
 .
   [ Pirate Praveen ]
   * Update minimum version of gitaly
   * Switch to packaged version of webpack
   * Use packaged versions of node-worker-loader, node-cache-loader,
     node-imports-loader, node-exports-loader, node-url-loader, node-raw-loader
     and node-file-loader
   * Remove upstream-file-list.new in clean
Checksums-Sha1:
 cbd22954b147d04e61009b7438670161b389c271 2354 gitlab_11.11.7+dfsg-1.dsc
 63f7d5e069af4ef2507e80056761bdb1937be5a6 68198484 gitlab_11.11.7+dfsg.orig.tar.xz
 1144c0d5f7902abcdbe8fefdb0a477859be8ce18 1267156 gitlab_11.11.7+dfsg-1.debian.tar.xz
 696cccb0495af5fb2f10bae162ea312be85776ad 8996 gitlab_11.11.7+dfsg-1_amd64.buildinfo
Checksums-Sha256:
 05807c7a0566125d3d1e13607b2c54133e21de4ba62b598d363a4f9e5ea847cd 2354 gitlab_11.11.7+dfsg-1.dsc
 0eaf0e308b93dca7a73e295eef7424e30da70a645507c5c689dc25d7e94ebc80 68198484 gitlab_11.11.7+dfsg.orig.tar.xz
 116703cfd7691ec09b924ec0a48f263b4b1d4b7c4b65bdc84c222b68586aca54 1267156 gitlab_11.11.7+dfsg-1.debian.tar.xz
 0ee24feacae2ebf4b36916572916be10d49d95786cabda0e288ad89ca43404b8 8996 gitlab_11.11.7+dfsg-1_amd64.buildinfo
Files:
 6485f4e1cd373e3a2741c10832fa0907 2354 net optional gitlab_11.11.7+dfsg-1.dsc
 820cf3049b99049d6206e63004ba2067 68198484 net optional gitlab_11.11.7+dfsg.orig.tar.xz
 aed7eae63652e582bcd45f573797be0a 1267156 net optional gitlab_11.11.7+dfsg-1.debian.tar.xz
 973364e748f5315e39535212b46b781a 8996 net optional gitlab_11.11.7+dfsg-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
