[DRE-maint] Bug#823290: gitlab: several security issues fixed by latest version (including CVE-2016-4340)
Paul Wise
pabs at debian.org
Tue May 3 06:04:16 UTC 2016
Package: gitlab
Severity: serious
GitLab recently fixed several serious security issues:
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/
CVE-2016-4340: Privilege escalation via "impersonate" feature
Privilege escalation via notes API
Privilege escalation via project webhook API
XSS vulnerability via branch and tag names
XSS vulnerability via custom issue tracker URL
XSS vulnerability via window.opener
XSS vulnerability via label drop-down
Information disclosure via milestone API
Information disclosure via snippet API
Information disclosure via project labels
Information disclosure via new merge request page
Please update the Debian gitlab package to the latest upstream.
--
bye,
pabs
https://wiki.debian.org/PaulWise