[DRE-maint] Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client

Salvatore Bonaccorso carnil at debian.org
Thu Aug 17 17:16:38 UTC 2017


Control: severity -1 minor

On Thu, Aug 17, 2017 at 06:24:43PM +0530, Pirate Praveen wrote:
> On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is
> an extra step to prevent it in case of a vulnerable git. Since Debian
> already has the fixed version of git, I don't think we need to do
> anything to gitlab.

Agreed, we can at least lower the severity, and thanks a lot for the
follow-up. The CVE seems to be assigned specifically for the "via a
crafted SSH URL in a project import" case. Can you close this bug once
the gitlab version contains this extra safety measure as well, for the
case where it is still running with an older git?

For the security tracker I have already downgraded the severity to
unimportant.

Regards,
Salvatore
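For readers who want to see what the "extra safety measure" discussed above looks like in practice, here is an added example of a conservative import-URL check of the kind a web application can apply before handing a user-supplied repository URL to the system git client. It is illustrative code written for this page, not GitLab's or Debian's patch, and its policy (the accepted schemes, the hostname and user-name grammar, the rejection of any component that begins with a "-") is an assumption made here: the intent is that nothing passed on to the git command line can be mistaken for a command-line option, even if the installed git is unpatched. The sample URLs at the bottom are constructed.

```ruby
require "uri"

# Added example, not GitLab's or Debian's code. Validates a repository URL
# before it is passed to an external git client. Policy is an assumption:
# only http(s)/ssh/git schemes, positive hostname validation, plain account
# names, and no path beginning with "-". IPv6 literals are not handled.
module ImportUrlCheck
  ALLOWED_SCHEMES = %w[http https ssh git].freeze

  # DNS-style hostname: labels of letters, digits and hyphens that start and
  # end with an alphanumeric character. A leading "-" therefore never matches.
  LABEL    = /[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/
  HOSTNAME = /\A(?:#{LABEL}\.)*#{LABEL}\.?\z/

  # Account name: must start with a letter, digit or underscore.
  USERNAME = /\A[A-Za-z0-9_][A-Za-z0-9._-]*\z/

  # scp-like SSH form: [user@]host:path
  SCP_LIKE = %r{\A(?:(?<user>[^@/]+)@)?(?<host>[^:/]+):(?<path>.+)\z}

  # Returns [true, nil] when the URL is acceptable, otherwise [false, reason].
  def self.check(url)
    return [false, "empty URL"] if url.nil? || url.strip.empty?

    parts = parse(url)
    return [false, "URL could not be parsed"] if parts.nil?

    scheme, user, host, path = parts
    return [false, "scheme '#{scheme}' not allowed"] unless ALLOWED_SCHEMES.include?(scheme)
    return [false, "host is not a valid hostname"] unless host && host.match?(HOSTNAME)
    return [false, "user component is not a plain account name"] if user && !user.match?(USERNAME)
    return [false, "path component starts with '-'"] if path && path.start_with?("-")

    [true, nil]
  end

  # Splits the URL into [scheme, user, host, path]; nil if it cannot be parsed.
  def self.parse(url)
    if url.include?("://")
      uri = URI.parse(url)
      [uri.scheme, uri.user, uri.host, uri.path]
    elsif (m = SCP_LIKE.match(url))
      ["ssh", m[:user], m[:host], m[:path]]
    end
  rescue URI::InvalidURIError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for demonstration.
  [
    "https://example.com/group/repo.git",
    "git@example.com:group/repo.git",
    "ssh://git@example.com/group/repo.git",
    "ssh://-not-a-host.example/repo.git",
    "ftp://example.com/repo.git",
    "",
  ].each do |url|
    ok, reason = ImportUrlCheck.check(url)
    puts "#{ok ? 'accept' : 'reject'} #{url.inspect}#{reason ? " (#{reason})" : ''}"
  end
end
```

The positive hostname grammar does the real work: rather than enumerating dangerous prefixes, it only lets through hosts that look like DNS names, and anything a git command line could read as an option fails that test. The scheme allow-list and the "-" check on the path are second and third lines of defence for the same reason.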
