[Git][security-tracker-team/security-tracker][master] Add new gitlab issues

Salvatore Bonaccorso carnil at debian.org
Thu Nov 28 06:25:37 GMT 2019 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
01090cd0 by Salvatore Bonaccorso at 2019-11-28T06:25:11Z
Add new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -246,18 +246,30 @@ CVE-2019-19316
 	RESERVED
 CVE-2019-19315
 	RESERVED
-CVE-2019-19314
+CVE-2019-19314 [Tokens stored in plaintext]
 	RESERVED
-CVE-2019-19313
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19313 [Denial of Service in the issue and commit comment pages]
 	RESERVED
-CVE-2019-19312
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19312 [Forked project information disclosed via Project API]
 	RESERVED
-CVE-2019-19311
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19311 [Stored XSS in Group and User profile fields]
 	RESERVED
-CVE-2019-19310
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19310 [Disclosure of AWS secret keys on certain Admin pages]
 	RESERVED
-CVE-2019-19309
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19309 [Private objects exposed through project import]
 	RESERVED
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
 CVE-2019-19330 (The HTTP/2 implementation in HAProxy before 2.0.10 mishandles headers, ...)
 	- haproxy 2.0.10-1
 	[stretch] - haproxy <not-affected> (Vulnerable code introduced in 1.8)
@@ -388,26 +400,46 @@ CVE-2019-19265
 	RESERVED
 CVE-2019-19264
 	RESERVED
-CVE-2019-19263
+CVE-2019-19263 [Tags pushes from blocked users]
 	RESERVED
-CVE-2019-19262
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19262 [Unauthorized access to grafana metrics]
 	RESERVED
-CVE-2019-19261
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19261 [DNS Rebind SSRF in various chat notifications]
 	RESERVED
-CVE-2019-19260
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19260 [Former project members able to access repository information]
 	RESERVED
-CVE-2019-19259
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19259 [IDOR when adding users to protected environments]
 	RESERVED
-CVE-2019-19258
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19258 [Branches and Commits exposed to Guest members via integration]
 	RESERVED
-CVE-2019-19257
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19257 [Exposure of related branch names]
 	RESERVED
-CVE-2019-19256
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19256 [Disclosure of vulnerability status in dependency list]
 	RESERVED
-CVE-2019-19255
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19255 [Todos created for former project members]
 	RESERVED
-CVE-2019-19254
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19254 [Disclosure of commit count in Cycle Analytics]
 	RESERVED
+	- gitlab <unfixed>
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
 CVE-2019-19253
 	RESERVED
 	NOT-FOR-US: Apereo CAS
@@ -763,12 +795,18 @@ CVE-2019-19090
 	RESERVED
 CVE-2019-19089
 	RESERVED
-CVE-2019-19088
+CVE-2019-19088 [Path traversal with potential remote code execution]
 	RESERVED
-CVE-2019-19087
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19087 [Disclosure of comments via Elasticsearch integration]
 	RESERVED
-CVE-2019-19086
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
+CVE-2019-19086 [Disclosure of notes via Elasticsearch integration]
 	RESERVED
+	- gitlab <not-affected> (Only affects Gitlab EE)
+	NOTE: https://about.gitlab.com/blog/2019/11/27/security-release-gitlab-12-5-1-released/
 CVE-2019-19085 (A persistent cross-site scripting (XSS) vulnerability in Octopus Serve ...)
 	NOT-FOR-US: Octopus Server
 CVE-2019-19084 (In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with  ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01090cd04a49a9cd9f1a994544f8d2c9f6363248

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/01090cd04a49a9cd9f1a994544f8d2c9f6363248
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20191128/39b0778c/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list