[DRE-maint] Bug#861870: gitlab: CVE-2017-8778

Tomasz Buchert tomasz at debian.org
Fri May 5 19:34:15 UTC 2017


On 05/05/17 20:46, Tomasz Buchert wrote:
> On 05/05/17 06:19, Salvatore Bonaccorso wrote:
> > [...]
>
> Hi Salvatore,
> the fix for this issue seems to be here:
> https://gitlab.com/winniehell/gitlab-ce/commit/dd944bf14f4a0fd555db32d5833325fa459d9565
>
> I'll try to apply it to stretch's gitlab.
> Tomasz

Interestingly, the CVE was fixed for unstable just an hour or so ago:
https://anonscm.debian.org/cgit/pkg-ruby-extras/gitlab.git/commit/?id=7241318db49ec356f31dac96345a4ff730d313f0

I've reapplied this for the stretch version and I attach the
debdiff. I'm going to request an unblock for this.

For some reason I couldn't push my branch to ssh://git.debian.org/git/pkg-ruby-extras/gitlab.git.
Probably I should become a ruby-extras team member or something. For this reason I also attach
the commits from my branch.

Cheers,
Tomasz
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debdiff.diff
Type: text/x-diff
Size: 5041 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20170505/f14ec742/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-CVE-2017-8778.patch
Type: text/x-diff
Size: 4700 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20170505/f14ec742/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-release.patch
Type: text/x-diff
Size: 681 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20170505/f14ec742/attachment-0001.patch>