[DRE-maint] Bug#933785: gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461

Salvatore Bonaccorso carnil at debian.org
Sat Aug 3 14:41:53 BST 2019 

Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, see [9].

CVE-2019-5470[0]:
Information Disclosure Vulnerability Feedback

CVE-2019-5469[1]:
Arbitrary File Upload via Import Project Archive

CVE-2019-5468[2]:
User Revokation Bypass with Mattermost Integration

CVE-2019-5466[3]:
IDOR Label Name Enumeration

CVE-2019-5465[4]:
Information Disclosure New Issue ID

CVE-2019-5464[5]:
SSRF Mitigation Bypass

CVE-2019-5463[6]:
Build Status Disclosure

CVE-2019-5462[7]:
Trigger Token Impersonation

CVE-2019-5461[8]:
GitHub Integration SSRF

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5470
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5470
[1] https://security-tracker.debian.org/tracker/CVE-2019-5469
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5469
[2] https://security-tracker.debian.org/tracker/CVE-2019-5468
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5468
[3] https://security-tracker.debian.org/tracker/CVE-2019-5466
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5466
[4] https://security-tracker.debian.org/tracker/CVE-2019-5465
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5465
[5] https://security-tracker.debian.org/tracker/CVE-2019-5464
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5464
[6] https://security-tracker.debian.org/tracker/CVE-2019-5463
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5463
[7] https://security-tracker.debian.org/tracker/CVE-2019-5462
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5462
[8] https://security-tracker.debian.org/tracker/CVE-2019-5461
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5461
[9] https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

More information about the Pkg-ruby-extras-maintainers mailing list