[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
Pirate Praveen
praveen at debian.org
Sat Mar 10 17:55:28 UTC 2018
On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen <praveen at debian.org> wrote:
> On Sunday 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can't reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for its removal
> > from stretch.
> >
> > Cheers,
> > Moritz
> >
> I will ask upstream help in backporting and we can decide based on their
> response.
>
I will attach a debdiff tomorrow with the CVEs we have already backported.
I will also try to respond more quickly to future CVEs.
CVE-2017-0923 does not seem to affect 8.13, as this feature was
introduced only in 9.1.
CVE-2017-0927 affects only an optional component of gitlab
(continuous deployment); while it would still be good to be able to fix
it, I don't think it should result in a removal.
I'm yet to hear back from upstream about their help in fixing this last CVE.
More information about the Pkg-ruby-extras-maintainers mailing list