[Git][security-tracker-team/security-tracker][master] Add new gitlab issues (fixed in versions 11.9.4, 11.8.6, and 11.7.10)

Salvatore Bonaccorso carnil at debian.org
Tue Apr 2 07:30:29 BST 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
186c47fa by Salvatore Bonaccorso at 2019-04-02T06:29:43Z
Add new gitlab issues (fixed in versions 11.9.4, 11.8.6, and 11.7.10)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -99,8 +99,10 @@ CVE-2019-10642
 	RESERVED
 CVE-2019-10641
 	RESERVED
-CVE-2019-10640
+CVE-2019-10640 [DoS potential for regex in CI/CD refs]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
 CVE-2019-10639
 	RESERVED
 CVE-2019-10638
@@ -1190,26 +1192,46 @@ CVE-2019-10119
 	RESERVED
 CVE-2019-10118 (Snipe-IT before 4.6.14 has XSS, as demonstrated by log_meta values and ...)
 	NOT-FOR-US: Snipe-IT
-CVE-2019-10117
+CVE-2019-10117 [Recurity assessment: open redirect]
 	RESERVED
-CVE-2019-10116
+	- gitlab <not-affected> (Only affects 11.9 and later)
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10116 [Related branches visible in issues for guests]
 	RESERVED
-CVE-2019-10115
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10115 [Guest users of private projects have access to releases]
 	RESERVED
-CVE-2019-10114
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10114 [Recurity assessment: information exposure through timing discrepancy]
 	RESERVED
-CVE-2019-10113
+	- gitlab <not-affected> (Only affects 11.9 and later)
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10113 [DoS potential on project languages page]
 	RESERVED
-CVE-2019-10112
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10112 [Recurity assessment: loginState HMAC issues]
 	RESERVED
-CVE-2019-10111
+	- gitlab <not-affected> (Only affects 11.9 and later)
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10111 [Persistent XSS at merge request resolve conflicts]
 	RESERVED
-CVE-2019-10110
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10110 [Improper authorization control "move issue"]
 	RESERVED
-CVE-2019-10109
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10109 [EXIF geolocation data not stripped from uploaded images]
 	RESERVED
-CVE-2019-10108
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
+CVE-2019-10108 [IDOR labels of private projects/groups]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
 CVE-2019-10107 (CMS Made Simple 2.2.10 has XSS via the myaccount.php "Email Address" f ...)
 	NOT-FOR-US: CMS Made Simple
 CVE-2019-10106 (CMS Made Simple 2.2.10 has XSS via the 'moduleinterface.php' Name fiel ...)
@@ -67190,8 +67212,10 @@ CVE-2018-5158 (The PDF viewer does not sufficiently sanitize PostScript calculat
 	{DSA-4199-1 DLA-1376-1}
 	- firefox 60.0-1
 	- firefox-esr 52.8.0esr-1
+	- gitlab <unfixed>
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158
 	NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2018-12/#CVE-2018-5158
+	NOTE: https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
 CVE-2018-5157 (Same-origin protections for the PDF viewer can be bypassed, allowing a ...)
 	{DSA-4199-1 DLA-1376-1}
 	- firefox 60.0-1



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/186c47fa7d3c8a4a549f855e90686161b44e5d59

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/186c47fa7d3c8a4a549f855e90686161b44e5d59
You're receiving this email because of your account on salsa.debian.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20190402/752fa2e6/attachment.html>

More information about the debian-security-tracker-commits mailing list