Source: gitlab
Version: 8.10.5+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for gitlab.

CVE-2016-9086[0]:
| GitLab versions 8.9.x and above contain a critical security flaw in the
| "import/export project" feature of GitLab. Added in GitLab 8.9, this
| feature allows a user to export and then re-import their projects as
| tape archive files (tar). All GitLab versions prior to 8.13.0
| restricted this feature to administrators only. Starting with version
| 8.13.0 this feature was made available to all users. This feature did
| not properly check for symbolic links in user-provided archives and
| therefore it was possible for an authenticated user to retrieve the
| contents of any file accessible to the GitLab service account. This
| included sensitive files such as those that contain secret tokens used
| by the GitLab service to authenticate users. GitLab CE and EE versions
| 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10,
| 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9086
[1] https://hackerone.com/reports/178152
[2] https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/

Regards,
Salvatore

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
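The advisory quoted above describes the defect as a missing check for symbolic links in user-supplied tar archives. The following Ruby code is an added example of the kind of pre-extraction validation an importer needs; it is not GitLab's code and not the upstream patch referenced in [2]. It walks every tar header with the `Gem::Package::TarReader` class that ships with RubyGems and rejects symlink and hard-link entries as well as any entry whose resolved path would land outside the extraction directory, before a single byte is written to disk. The extraction root path and the sample archive (built in memory with `Gem::Package::TarWriter`, including a symlink whose target is a constructed placeholder path) are assumptions made for the example.

```ruby
require 'rubygems/package'
require 'stringio'

# Assumed extraction directory; a real importer would use its per-import
# temporary directory here.
EXTRACTION_ROOT = '/tmp/gitlab-import-example'.freeze

# Inspect every entry of a tar archive *before* extracting anything.
# Returns an array of [entry_name, reason] pairs, one per entry that must be
# rejected; an empty array means the archive contains only plain files and
# directories that all resolve inside +root+.
def unsafe_tar_entries(io, root: EXTRACTION_ROOT)
  root = File.expand_path(root)
  problems = []

  Gem::Package::TarReader.new(io) do |tar|
    tar.each do |entry|
      name   = entry.full_name
      header = entry.header

      # Typeflag "2" is a symlink, "1" a hard link: either lets the archive
      # alias a file the importer never meant to expose, so both are refused.
      if entry.symlink?
        problems << [name, "symlink -> #{header.linkname}"]
      elsif header.typeflag == '1'
        problems << [name, "hard link -> #{header.linkname}"]
      elsif !(entry.file? || entry.directory?)
        problems << [name, "unsupported entry type #{header.typeflag}"]
      end

      # Resolve "../" segments and absolute names against the extraction root
      # and refuse anything that would end up outside it.
      dest = File.expand_path(name, root)
      unless dest == root || dest.start_with?(root + File::SEPARATOR)
        problems << [name, 'path escapes extraction root']
      end
    end
  end

  problems
end

# Convenience predicate for the import code path: only extract when true.
def safe_export?(io, root: EXTRACTION_ROOT)
  unsafe_tar_entries(io, root: root).empty?
end

# Builds a small in-memory export archive (constructed test fixture).
# With malicious: true it also carries a symlink entry whose target is a
# placeholder path, plus a file entry that tries to climb out of the root.
def build_sample_export(malicious: true)
  io = StringIO.new(String.new) # ASCII-8BIT buffer for raw tar bytes
  Gem::Package::TarWriter.new(io) do |tar|
    tar.mkdir('project', 0o755)
    tar.add_file('project/project.json', 0o644) { |f| f.write('{"name":"demo"}') }
    if malicious
      tar.add_symlink('project/uploads/secrets.yml', '/srv/example/secrets.yml', 0o644)
      tar.add_file('../../escape.txt', 0o644) { |f| f.write('x') }
    end
  end
  io.rewind
  io
end

if $PROGRAM_NAME == __FILE__
  unsafe_tar_entries(build_sample_export).each do |name, reason|
    puts "REJECT #{name}: #{reason}"
  end
end
```

The check runs over headers only, so it is cheap and happens before extraction; an importer that extracts first and inspects afterwards has already let a symlink be followed by whatever reads the extracted tree.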