===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0046
            GitLab security updates v12.6.2, 12.5.6, and 12.4.7
                              6 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           GitLab
Publisher:         GitLab
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   Virtualisation
Impact/Access:     Denial of Service        -- Existing Account      
                   Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-5197 CVE-2019-20148 CVE-2019-20147
                   CVE-2019-20146 CVE-2019-20145 CVE-2019-20144
                   CVE-2019-20143 CVE-2019-20142 

Original Bulletin: 
   https://about.gitlab.com/blog/2020/01/02/security-release-gitlab-12-6-2-released/

--------------------------BEGIN INCLUDED TEXT--------------------

Jan 2, 2020 - Vitor Meireles De Sousa  

GitLab Security Release: 12.6.2, 12.5.6, and 12.4.7

Today we are releasing versions 12.6.2, 12.5.6, and 12.4.7 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes that were inadvertently not
included in our most recent security release. We strongly recommend that all
GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in
approximately 30 days.

Please read on for more information regarding this release.

# Group Maintainers Can Update/Delete Group Runners Using API

Insufficient access verification led to unauthorized modification of group
runners through the API. This issue is now mitigated in the latest release and
is assigned CVE-2019-20144.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 10.8 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# GraphQL Queries Can Hang the Application

Certain GraphQL queries can hang the application because the server lacked
parameters for limiting time-consuming queries. This issue is now mitigated in
the latest release and is assigned CVE-2019-20146.

Thanks to the GitLab team for finding and reporting this issue.

Versions Affected

Affects GitLab EE/CE 11.0 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Unauthorized Users Have Access to Milestones of Releases

Under certain circumstances, an unauthenticated user can access a release's
milestone and issues. This issue is now mitigated in the latest release and is
assigned CVE-2019-20143.

Thanks @xanbanx for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 12.6.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Private Group Name Revealed Through Protected Tags API

When a group is removed from a project membership, it was possible for group
members to see project namespace changes through the Protected Tags API. This
issue is now mitigated in the latest release and is assigned CVE-2019-20147.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 9.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Users Can Publish Reviews on Locked Merge Requests

When a merge request was locked, a user was still able to submit a drafted
review and publish it. This issue is now mitigated in the latest release and is
assigned CVE-2019-20145.

Thanks @rafiem for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 11.4 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# DoS in the Issue and Commit Comments Pages

While adding a comment on the Issue and Commit pages, a malicious user can
cause an HTTP 500 response by sending a specially crafted message. This issue
is now mitigated in the latest release and is assigned CVE-2019-20142.

Thanks @dfens for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 12.3 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Project Name Disclosed Through Unsubscribe Link

When an unauthenticated user visits an unsubscribe link, a private project name
can be disclosed under certain conditions. This issue is now mitigated in the
latest release and is assigned CVE-2019-20148.

Thanks @ashish_r_padelkar for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 8.13 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

# Private Project Name Disclosed Through Notification Settings

Under specific conditions a user can view the name of a private project
through the notification settings. This issue is now mitigated in the latest
release and is assigned CVE-2020-5197.

Thanks @iframe for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab EE/CE 5.1 and later.

Remediation

We strongly recommend that all installations running an affected version above
are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page.
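As an added practitioner's check, not part of GitLab's or AusCERT's text, the following Python encodes the "Versions Affected" lower bounds and the three fixed releases listed above as data and reports which of the eight CVEs still apply to an installed version. The host names and version strings in the sample inventory are constructed; the branching rule (a fix is present only on the 12.4, 12.5 and 12.6 branches at or above the patched release, or on any later release) is this example's reading of the bulletin, as is the treatment of CVE-2019-20143 as confined to the 12.6 branch.

```python
"""Check an installed GitLab version against the CVEs fixed in 12.6.2 / 12.5.6 / 12.4.7.

Added example, not GitLab or AusCERT code. CVE ids, affected-from versions and
fixed versions come from the bulletin text; everything else is this example's
own logic and constructed sample input.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Releases that carry the fixes (from the bulletin). Older minor branches
# (12.3 and earlier) received no backport and must move to one of these.
FIXED_VERSIONS: List[Version] = [(12, 6, 2), (12, 5, 6), (12, 4, 7)]

# CVE -> first affected version, as stated in each "Versions Affected" line.
# CVE-2019-20143 is listed as affecting 12.6 only, so open_cves() also applies
# an upper bound (the 12.6 branch) to that entry alone.
AFFECTED_FROM: Dict[str, Version] = {
    "CVE-2019-20144": (10, 8, 0),
    "CVE-2019-20146": (11, 0, 0),
    "CVE-2019-20143": (12, 6, 0),
    "CVE-2019-20147": (9, 1, 0),
    "CVE-2019-20145": (11, 4, 0),
    "CVE-2019-20142": (12, 3, 0),
    "CVE-2019-20148": (8, 13, 0),
    "CVE-2020-5197": (5, 1, 0),
}

# Accept "12.5.3", "12.5.3-ee" or "12.5.3-ce". Pre-release strings such as
# "12.6.2-rc1" are rejected on purpose: a release candidate must not be
# mistaken for the fixed release.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(?:ce|ee))?$")


def parse_version(text: str) -> Version:
    """Parse a GitLab version string into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_patched(v: Version) -> bool:
    """True when v carries this release's fixes.

    Patched means: on one of the three fixed branches at or above the fixed
    patch level, or newer than the newest fixed release (12.7 and later).
    """
    if v >= max(FIXED_VERSIONS):
        return True
    return any(v[:2] == f[:2] and v >= f for f in FIXED_VERSIONS)


def open_cves(version_text: str) -> List[str]:
    """Return the CVEs from this bulletin that still apply to an installed version."""
    v = parse_version(version_text)
    if is_patched(v):
        return []
    result = []
    for cve, first in AFFECTED_FROM.items():
        if v < first:
            continue  # introduced after this version
        if cve == "CVE-2019-20143" and v[:2] != (12, 6):
            continue  # bulletin scopes this one to 12.6 only
        result.append(cve)
    return sorted(result)


def needs_upgrade(version_text: str) -> bool:
    """Convenience wrapper for inventory sweeps: any open CVE means upgrade."""
    return bool(open_cves(version_text))


if __name__ == "__main__":
    # Constructed sample inventory; the host names and versions are not real.
    inventory = [
        ("git-a", "12.6.1-ee"),
        ("git-b", "12.5.6"),
        ("git-c", "11.2.3"),
        ("git-d", "12.7.0"),
    ]
    for host, ver in inventory:
        cves = open_cves(ver)
        status = "UPGRADE: " + ", ".join(cves) if cves else "patched"
        print(f"{host:8} {ver:12} {status}")
```

Note that an installation on 12.3.x or earlier is reported as vulnerable to every CVE it is old enough to carry, which matches the bulletin's instruction to move to one of the three listed releases rather than to wait for a backport.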

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================