[DRE-maint] Bug#926482: gitlab: CVE-2018-5158 CVE-2019-10109 CVE-2019-10110 CVE-2019-10111 CVE-2019-10113 CVE-2019-10115 CVE-2019-10116 CVE-2019-10640
Salvatore Bonaccorso
carnil at debian.org
Fri Apr 5 22:38:23 BST 2019
Source: gitlab
Version: 11.8.3-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, fixed
upstream in the 11.9.4, 11.8.6, and 11.7.10 releases.
CVE-2018-5158[0]:
| The PDF viewer does not sufficiently sanitize PostScript calculator
| functions, allowing malicious JavaScript to be injected through a
| crafted PDF file. This JavaScript can then be run with the permissions
| of the PDF viewer by its worker. This vulnerability affects Firefox
| ESR < 52.8 and Firefox < 60.
CVE-2019-10109[1]:
EXIF geolocation data not stripped from uploaded images
CVE-2019-10110[2]:
Improper authorization control "move issue"
CVE-2019-10111[3]:
Persistent XSS at merge request resolve conflicts
CVE-2019-10113[4]:
DoS potential on project languages page
CVE-2019-10115[5]:
Guest users of private projects have access to releases
CVE-2019-10116[6]:
Related branches visible in issues for guests
CVE-2019-10640[7]:
DoS potential for regex in CI/CD refs
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-5158
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5158
[1] https://security-tracker.debian.org/tracker/CVE-2019-10109
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10109
[2] https://security-tracker.debian.org/tracker/CVE-2019-10110
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10110
[3] https://security-tracker.debian.org/tracker/CVE-2019-10111
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10111
[4] https://security-tracker.debian.org/tracker/CVE-2019-10113
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10113
[5] https://security-tracker.debian.org/tracker/CVE-2019-10115
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10115
[6] https://security-tracker.debian.org/tracker/CVE-2019-10116
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10116
[7] https://security-tracker.debian.org/tracker/CVE-2019-10640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10640
[8] https://about.gitlab.com/2019/04/01/security-release-gitlab-11-dot-9-dot-4-released/
Regards,
Salvatore
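For CVE-2019-10109 (EXIF geolocation data not stripped from uploaded images) the defensive control is to detect and remove the GPS block before an upload is served to other users. The following is an added example, not code from this bug report, from Debian or from GitLab: a standard-library-only Python walker that parses the JPEG marker table, finds the Exif APP1 segment, follows IFD0's GPSInfo pointer (tag 0x8825) to list the GPS tags present, and strips the Exif segment. The sample JPEG it operates on is constructed inline (a JFIF APP0, an Exif APP1 with a GPS sub-IFD, an empty scan) and is not a decodable picture; the function and constant names are the example's own.

```python
import struct

SOI = b"\xff\xd8"
EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825   # IFD0 entry that points at the GPS sub-IFD
TYPE_LONG = 4


def iter_segments(data):
    """Yield (offset, marker, raw_segment) for each header segment between SOI and SOS."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker table at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):                      # SOS / EOI: header segments end here
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # stand-alone markers carry no length
            yield pos, marker, data[pos:pos + 2]
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # counts its own two bytes
        yield pos, marker, data[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, endian, offset):
    """Yield (tag, type, count, offset_of_value_field) for each entry of one IFD."""
    if offset + 2 > len(tiff):
        return
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    for i in range(n):
        entry = offset + 2 + 12 * i
        if entry + 12 > len(tiff):       # truncated IFD: stop instead of reading past the end
            return
        tag, typ, count = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        yield tag, typ, count, entry + 8


def gps_tags_in_tiff(tiff):
    """Tag ids stored in the GPS sub-IFD of a TIFF/Exif blob, or [] if there is none."""
    if len(tiff) < 8 or tiff[:2] not in (b"II", b"MM"):
        return []
    endian = "<" if tiff[:2] == b"II" else ">"
    magic, ifd0 = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        return []
    gps_offset = None
    for tag, typ, count, value_at in _read_ifd(tiff, endian, ifd0):
        if tag == TAG_GPS_IFD and typ == TYPE_LONG and count == 1:
            gps_offset = struct.unpack(endian + "I", tiff[value_at:value_at + 4])[0]
    if gps_offset is None:
        return []
    return [tag for tag, _, _, _ in _read_ifd(tiff, endian, gps_offset)]


def find_gps_tags(jpeg):
    """GPS tag ids in the first Exif APP1 segment of a JPEG; [] when none is present."""
    for _, marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            return gps_tags_in_tiff(seg[10:])
    return []


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment removed; all other bytes are kept.
    Caveat: this also drops non-location Exif such as Orientation."""
    out = bytearray(SOI)
    pos = 2
    for off, marker, seg in iter_segments(jpeg):
        pos = off + len(seg)
        if marker == 0xE1 and seg[4:10] == EXIF_HEADER:
            continue
        out += seg
    out += jpeg[pos:]            # SOS, scan data and EOI pass through untouched
    return bytes(out)


def _sample_tiff_with_gps():
    """Constructed little-endian TIFF: IFD0 (Orientation, GPSInfo pointer) + GPS sub-IFD."""
    gps_off = 8 + 2 + 2 * 12 + 4                                            # IFD0 ends at 38
    ifd0 = struct.pack("<H", 2)
    ifd0 += struct.pack("<HHI", 0x0112, 3, 1) + struct.pack("<HH", 1, 0)     # Orientation = 1
    ifd0 += struct.pack("<HHII", TAG_GPS_IFD, TYPE_LONG, 1, gps_off)
    ifd0 += struct.pack("<I", 0)                                            # no IFD1
    gps = struct.pack("<H", 2)
    gps += struct.pack("<HHI", 0x0000, 1, 4) + bytes([2, 3, 0, 0])          # GPSVersionID
    gps += struct.pack("<HHI", 0x0001, 2, 2) + b"N\x00\x00\x00"              # GPSLatitudeRef
    gps += struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps


def sample_jpeg():
    """Constructed JPEG skeleton: JFIF APP0, Exif APP1 with GPS, empty SOS, EOI."""
    app0_payload = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    app1_payload = EXIF_HEADER + _sample_tiff_with_gps()
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    return SOI + app0 + app1 + b"\xff\xda" + struct.pack(">H", 2) + b"\x00\xff\xd9"


if __name__ == "__main__":
    img = sample_jpeg()
    print("GPS tags before:", [hex(t) for t in find_gps_tags(img)])
    cleaned = strip_exif(img)
    print("GPS tags after:", find_gps_tags(cleaned), "size", len(img), "->", len(cleaned))
```

Run it with `python3` to see the GPS tag list disappear once the Exif segment is dropped. Removing the whole APP1 segment is the simplest robust choice for an upload pipeline because rewriting the TIFF to delete only the GPS sub-IFD means recomputing every offset in the container; the price is that orientation and other harmless Exif fields are lost, so an upload service that needs them should re-apply the orientation to the pixels before stripping.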