ESB-2018.1544.2 - UPDATE [Linux][Debian] gitlab: Multiple vulnerabilities 2018-05-28


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.1544.2
                          gitlab security update
                                28 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           gitlab
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   Linux variants
Impact/Access:     Unauthorised Access      -- Remote/Unauthenticated
                   Access Confidential Data -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8971 CVE-2017-0920 

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4206

Revision History:  May 28 2018: Updated packages due to a regression
                   May 22 2018: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-2                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
May 26, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gitlab
Debian Bug     : 900066

The gitlab security update announced as DSA-4206-1 caused regressions
when creating merge requests (returning 500 Internal Server Errors) due
to an issue in the patch to address CVE-2017-0920. Updated packages are
now available to correct this issue.

For the stable distribution (stretch), this problem has been fixed in
version 8.13.11+dfsg1-8+deb9u3.

We recommend that you upgrade your gitlab packages.

For the detailed security status of gitlab please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/gitlab

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4206-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 21, 2018                          https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : gitlab
CVE ID         : CVE-2017-0920 CVE-2018-8971

Several vulnerabilities have been discovered in Gitlab, a software
platform to collaborate on code:

CVE-2017-0920

    It was discovered that missing validation of merge requests allowed
    users to see the names of private projects, resulting in information
    disclosure.

CVE-2018-8971

    It was discovered that the Auth0 integration was implemented
    incorrectly.

For the stable distribution (stretch), these problems have been fixed in
version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires
ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.

We recommend that you upgrade your gitlab packages.

For the detailed security status of gitlab please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gitlab

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
