[DRE-maint] Bug#918086: gitlab: CVE-2018-20488 CVE-2018-20489 CVE-2018-20490 CVE-2018-20491 CVE-2018-20492 CVE-2018-20493 CVE-2018-20494 CVE-2018-20495 CVE-2018-20496 CVE-2018-20497 CVE-2018-20498 CVE-2018-20499 CVE-2018-20500 CVE-2018-20501 CVE-2018-20507
Salvatore Bonaccorso
carnil at debian.org
Thu Jan 3 07:07:50 GMT 2019
Source: gitlab
Version: 11.5.5+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 11.6.0+dfsg-1
Hi,
The following vulnerabilities were published for gitlab, fixed in the
11.6.1, 11.5.6, and 11.4.13 versions, cf. [15].
CVE-2018-20488[0]:
Secret CI variable exposure
CVE-2018-20489[1]:
URL rel attribute not set
CVE-2018-20490[2]:
Persistent XSS Autocompletion
CVE-2018-20491[3]:
Persistent XSS wiki in IE browser
CVE-2018-20492[4]:
Todos improper access control
CVE-2018-20493[5]:
Source code disclosure merge request diff
CVE-2018-20494[6]:
Guest user CI job disclosure
CVE-2018-20495[7]:
CI job token LFS error message disclosure
CVE-2018-20496[8]:
Persistent XSS label reference
CVE-2018-20497[9]:
SSRF repository mirroring
CVE-2018-20498[10]:
Improper access control branches and tags
CVE-2018-20499[11]:
SSRF in project imports with LFS
CVE-2018-20500[12]:
Improper access control CI/CD settings
CVE-2018-20501[13]:
Missing authorization control merge requests
CVE-2018-20507[14]:
Missing authentication for Prometheus alert endpoint
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-20488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20488
[1] https://security-tracker.debian.org/tracker/CVE-2018-20489
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20489
[2] https://security-tracker.debian.org/tracker/CVE-2018-20490
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20490
[3] https://security-tracker.debian.org/tracker/CVE-2018-20491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20491
[4] https://security-tracker.debian.org/tracker/CVE-2018-20492
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20492
[5] https://security-tracker.debian.org/tracker/CVE-2018-20493
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20493
[6] https://security-tracker.debian.org/tracker/CVE-2018-20494
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20494
[7] https://security-tracker.debian.org/tracker/CVE-2018-20495
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20495
[8] https://security-tracker.debian.org/tracker/CVE-2018-20496
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20496
[9] https://security-tracker.debian.org/tracker/CVE-2018-20497
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20497
[10] https://security-tracker.debian.org/tracker/CVE-2018-20498
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20498
[11] https://security-tracker.debian.org/tracker/CVE-2018-20499
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20499
[12] https://security-tracker.debian.org/tracker/CVE-2018-20500
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20500
[13] https://security-tracker.debian.org/tracker/CVE-2018-20501
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20501
[14] https://security-tracker.debian.org/tracker/CVE-2018-20507
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20507
[15] https://about.gitlab.com/2018/12/31/security-release-gitlab-11-dot-6-dot-1-released/
Regards,
Salvatore