[DRE-maint] Bug#930004: gitlab: CVE-2019-12428 CVE-2019-12431 CVE-2019-12432 CVE-2019-12433 CVE-2019-12434 CVE-2019-12441 CVE-2019-12442 CVE-2019-12443 CVE-2019-12444 CVE-2019-12445 CVE-2019-12446
Salvatore Bonaccorso
carnil at debian.org
Tue Jun 4 21:20:12 BST 2019
Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Hi,
The following vulnerabilities were published for gitlab, see [11] for
a complete listing.
CVE-2019-12428[0]:
Mandatory External Authentication Provider Sign-In Restrictions Bypass
CVE-2019-12431[1]:
Disclosure of Milestone Metadata through the Search API
CVE-2019-12432[2]:
Confidential Issue Titles Revealed to Restricted Users on Unsubscribe
CVE-2019-12433[3]:
Internal Projects Allowed to Be Created on in Private Groups
CVE-2019-12434[4]:
Private Project Discovery via Comment Links
CVE-2019-12441[5]:
Protected Branches Restriction Rules Bypass
CVE-2019-12442[6]:
Stored Cross-Site Scripting Vulnerability on Child Epics
CVE-2019-12443[7]:
Server-Side Request Forgery Through DNS Rebinding
CVE-2019-12444[8]:
Stored Cross-Site Scripting on Wiki Pages
CVE-2019-12445[9]:
Stored Cross-Site Scripting on Notes
CVE-2019-12446[10]:
Repository Password Disclosed on Import Error Page
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12428
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12428
[1] https://security-tracker.debian.org/tracker/CVE-2019-12431
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12431
[2] https://security-tracker.debian.org/tracker/CVE-2019-12432
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12432
[3] https://security-tracker.debian.org/tracker/CVE-2019-12433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12433
[4] https://security-tracker.debian.org/tracker/CVE-2019-12434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12434
[5] https://security-tracker.debian.org/tracker/CVE-2019-12441
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12441
[6] https://security-tracker.debian.org/tracker/CVE-2019-12442
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12442
[7] https://security-tracker.debian.org/tracker/CVE-2019-12443
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12443
[8] https://security-tracker.debian.org/tracker/CVE-2019-12444
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12444
[9] https://security-tracker.debian.org/tracker/CVE-2019-12445
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12445
[10] https://security-tracker.debian.org/tracker/CVE-2019-12446
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12446
[11] https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/
Regards,
Salvatore