Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, see [11] for a complete listing.

CVE-2019-12428[0]: Mandatory External Authentication Provider Sign-In Restrictions Bypass
CVE-2019-12431[1]: Disclosure of Milestone Metadata through the Search API
CVE-2019-12432[2]: Confidential Issue Titles Revealed to Restricted Users on Unsubscribe
CVE-2019-12433[3]: Internal Projects Allowed to Be Created on in Private Groups
CVE-2019-12434[4]: Private Project Discovery via Comment Links
CVE-2019-12441[5]: Protected Branches Restriction Rules Bypass
CVE-2019-12442[6]: Stored Cross-Site Scripting Vulnerability on Child Epics
CVE-2019-12443[7]: Server-Side Request Forgery Through DNS Rebinding
CVE-2019-12444[8]: Stored Cross-Site Scripting on Wiki Pages
CVE-2019-12445[9]: Stored Cross-Site Scripting on Notes
CVE-2019-12446[10]: Repository Password Disclosed on Import Error Page

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12428
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12428
[1] https://security-tracker.debian.org/tracker/CVE-2019-12431
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12431
[2] https://security-tracker.debian.org/tracker/CVE-2019-12432
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12432
[3] https://security-tracker.debian.org/tracker/CVE-2019-12433
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12433
[4] https://security-tracker.debian.org/tracker/CVE-2019-12434
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12434
[5] https://security-tracker.debian.org/tracker/CVE-2019-12441
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12441
[6] https://security-tracker.debian.org/tracker/CVE-2019-12442
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12442
[7] https://security-tracker.debian.org/tracker/CVE-2019-12443
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12443
[8] https://security-tracker.debian.org/tracker/CVE-2019-12444
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12444
[9] https://security-tracker.debian.org/tracker/CVE-2019-12445
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12445
[10] https://security-tracker.debian.org/tracker/CVE-2019-12446
     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12446
[11] https://about.gitlab.com/2019/06/03/security-release-gitlab-11-dot-11-dot-1-released/

Regards,
Salvatore