[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
Hi,

As per the upstream blog post, https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ , the applicability of the CVEs listed at https://security-tracker.debian.org/tracker/source-package/gitlab to the version of GitLab in Stretch is as follows.

CVE-2018-3710 - Applicable to version in Stretch (8.13.11)
CVE-2017-0927 - Applicable to version in Stretch (8.13.11)
CVE-2017-0926 - Applicable to version in Stretch (8.13.11)
CVE-2017-0925 - Applicable to version in Stretch (8.13.11)
CVE-2017-0923 - Applicable to version in Stretch (8.13.11)
CVE-2017-0918 - Applicable to version in Stretch (8.13.11)
CVE-2017-0916 - Applicable to version in Stretch (8.13.11)
CVE-2017-0915 - Applicable to version in Stretch (8.13.11)
CVE-2017-0914 - Not applicable to version in Stretch (8.13.11)
CVE-2017-0917 - Not applicable to version in Stretch (8.13.11)

Regarding CVE-2017-0923, I will confirm if it is indeed applicable or not, since the feature was introduced in version 9.1 only (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10017).

Regards
Balasankar C

signature.asc
Description: OpenPGP digital signature

___
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Saturday 10 March 2018 11:25 PM, Pirate Praveen wrote:
> I will attach a debdiff tomorrow with the CVEs we already backported.

debdiff attached.

diff -Nru gitlab-8.13.11+dfsg/debian/changelog gitlab-8.13.11+dfsg/debian/changelog --- gitlab-8.13.11+dfsg/debian/changelog2017-03-23 17:16:50.0 +0530 +++ gitlab-8.13.11+dfsg/debian/changelog2018-03-11 20:13:17.0 +0530 @@ -1,3 +1,10 @@ +gitlab (8.13.11+dfsg-8+deb9u1) stretch-security; urgency=high + + * Fixes multiple security vulnerabilities (backported from 10.3.4 release) +CVE-2017-0916, CVE-2017-0918, CVE-2017-0925, CVE-2017-0926, CVE-2017-3710 + + -- Pirate PraveenSun, 11 Mar 2018 20:13:17 +0530 + gitlab (8.13.11+dfsg-8) unstable; urgency=medium * Don't fail if gitlab-debian.defaults not found (to support upgrading diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch --- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch 1970-01-01 05:30:00.0 +0530 +++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0916.patch 2018-03-11 20:07:30.0 +0530
@@ -0,0 +1,32 @@ +--- a/app/models/hooks/web_hook.rb b/app/models/hooks/web_hook.rb +@@ -19,6 +19,7 @@ + default_timeout Gitlab.config.gitlab.webhook_timeout + + validates :url, presence: true, url: true ++ validates :token, format: { without: /\n/ } + + def execute(data, hook_name) + parsed_url = URI.parse(url) +@@ -57,7 +58,7 @@ + 'Content-Type' => 'application/json', + 'X-Gitlab-Event' => hook_name.singularize.titleize + } +-headers['X-Gitlab-Token'] = token if token.present? ++headers['X-Gitlab-Token'] = Gitlab::Utils.remove_line_breaks(token) if token.present? + headers + end + end +--- a/lib/gitlab/utils.rb b/lib/gitlab/utils.rb +@@ -14,6 +14,10 @@ + str.force_encoding(Encoding::UTF_8) + end + ++def remove_line_breaks(str) ++ str.gsub(/\r?\n/, '') ++end ++ + def to_boolean(value) + return value if [true, false].include?(value) + return true if value =~ /^(true|t|yes|y|1|on)$/i diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch --- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch 1970-01-01 05:30:00.0 +0530 +++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0918.patch 2018-03-11 20:07:30.0 +0530 
@@ -0,0 +1,28 @@ +--- a/lib/gitlab/ci/config/node/validators.rb b/lib/gitlab/ci/config/node/validators.rb +@@ -48,10 +48,24 @@ + include LegacyValidationHelpers + + def validate_each(record, attribute, value) +- unless validate_string(value) ++ if validate_string(value) ++validate_path(record, attribute, value) ++ else + record.errors.add(attribute, 'should be a string or symbol') + end + end ++ ++private ++ ++def validate_path(record, attribute, value) ++ path = CGI.unescape(value.to_s) ++ ++ if path.include?('/') ++record.errors.add(attribute, 'cannot contain the "/" character') ++ elsif path == '.' || path == '..' ++record.errors.add(attribute, 'cannot be "." or ".."') ++ end ++end + end + + class TypeValidator < ActiveModel::EachValidator diff -Nru gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch --- gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch 1970-01-01 05:30:00.0 +0530 +++ gitlab-8.13.11+dfsg/debian/patches/cve-2017-0925.patch 2018-03-11 20:07:30.0 +0530 
@@ -0,0 +1,39 @@ +--- a/app/models/service.rb b/app/models/service.rb +@@ -98,6 +98,11 @@ + nil + end + ++ def api_field_names ++fields.map { |field| field[:name] } ++ .reject { |field_name| field_name =~ /(password|token|key)/ } ++ end ++ + def global_fields + fields + end +--- a/lib/api/entities.rb b/lib/api/entities.rb +@@ -411,10 +411,7 @@ + expose :tag_push_events, :note_events, :build_events, :pipeline_events + # Expose serialized properties + expose :properties do |service, options| +-field_names = service.fields. +- select { |field| options[:include_passwords] || field[:type] != 'password' }. +- map { |field| field[:name] } +-service.properties.slice(*field_names) ++service.properties.slice(*service.api_field_names) + end + end + +--- a/lib/api/services.rb b/lib/api/services.rb +@@ -56,7 +56,7 @@ + # GET /project/:id/services/gitlab-ci + # + get ':id/services/:service_slug' do +-present project_service, with: Entities::ProjectService, include_passwords: current_user.is_admin? ++present
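Review bot: the changelog entry names CVE-2017-3710, but the identifier used in the security tracker list earlier in this thread is CVE-2018-3710; the line should read `CVE-2017-0916, CVE-2017-0918, CVE-2017-0925, CVE-2017-0926, CVE-2018-3710` so the tracker can match the stretch-security upload to the right entry. The entry also claims fixes for CVE-2017-0926 and the 3710 issue, yet the attached debdiff only shows new patch files for CVE-2017-0916, CVE-2017-0918 and CVE-2017-0925 before it is cut off mid-line at `+present`; please resend the complete debdiff. Also check that the trailer line (`-- Pirate PraveenSun, 11 Mar 2018 20:13:17 +0530`) still carries the maintainer e-mail address and the two spaces before the date in the real file, as the archived copy has lost them.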
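Review bot: in cve-2017-0916.patch both the new validator `validates :token, format: { without: /\n/ }` and `remove_line_breaks` (`str.gsub(/\r?\n/, '')`) only cover LF and CRLF; a token holding a bare CR (`\r`) passes validation and is still placed in the `X-Gitlab-Token` header. If the goal is that the header value can never contain a line terminator, use `/[\r\n]/` in both places so validation and the runtime strip agree. The patch file also has no DEP-3 header (Description, Origin with the upstream commit, Bug-Debian: https://bugs.debian.org/888508), which will make it hard to see later which upstream change this backports.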
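Review bot: in cve-2017-0918.patch `validate_path` decodes the value once with `CGI.unescape` and then rejects `/`, `.` and `..`, so the check is only sound if the consumer of this value works on exactly that decoded form; if it decodes again, a value that still contains an encoded separator after one decode passes, so please confirm which representation the 8.13 code actually uses downstream. The hunk also gives no class name (the context is only `include LegacyValidationHelpers` and `validate_each`), so from the debdiff alone it is not clear which `EachValidator` subclass in `validators.rb` gains the check; a DEP-3 header naming the validator and the upstream 10.3.4 commit would let the backport be verified. An allowlist of permitted characters would be easier to reason about than a denylist of three special cases.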
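Review bot: in cve-2017-0925.patch `api_field_names` filters on the unanchored, case-sensitive `/(password|token|key)/`, which is broader than the old `field[:type] != 'password'` test (it now also hides `token` and `*_key` fields) but remains a denylist on field names: any secret field whose name contains none of those substrings is still exposed, so the service definitions present in 8.13.11 should be cross-checked against this list rather than assuming the 10.3.4 set. Note the behaviour change as well: the old code exposed password fields to admins through `include_passwords: current_user.is_admin?`, whereas `api_field_names` hides them for everyone, including admins; the changelog should say so. The `lib/api/services.rb` hunk is truncated at `+present`, so the replacement line could not be reviewed.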
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Mon, 5 Mar 2018 17:18:00 +0530 Pirate Praveen wrote:
> On Sunday 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> > We're now almost two months in after the upstream security
> > release. If this still isn't ready, that's a sign to me
> > that we can't reasonably support it, so the next best option
> > is to end-of-life it and eventually ask for its removal
> > from stretch.
> >
> > Cheers,
> > Moritz
>
> I will ask upstream help in backporting and we can decide based on their
> response.
>

I will attach a debdiff tomorrow with the CVEs we already backported. And also will try to respond quicker in case of future CVEs.

CVE-2017-0923 seems to be not affecting 8.13 as this feature was introduced only in 9.1.

CVE-2017-0927 is affecting only an optional component of gitlab (continuous deployment); while it is still good to be able to fix it, I don't think it should result in a removal. I'm yet to hear back from upstream about their help in fixing this last CVE.
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Sunday 04 March 2018 10:29 PM, Moritz Mühlenhoff wrote:
> We're now almost two months in after the upstream security
> release. If this still isn't ready, that's a sign to me
> that we can't reasonably support it, so the next best option
> is to end-of-life it and eventually ask for its removal
> from stretch.
>
> Cheers,
> Moritz
>

I will ask upstream help in backporting and we can decide based on their response.
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Thu, Feb 15, 2018 at 09:53:25PM +0530, Pirate Praveen wrote:
> On Thursday 15 February 2018 12:07 AM, Moritz Mühlenhoff wrote:
> > What's the status?
> > Cheers,
> > Moritz
> Some CVE patches are backported, but help is welcome,
> https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13

We're now almost two months in after the upstream security release. If this still isn't ready, that's a sign to me that we can't reasonably support it, so the next best option is to end-of-life it and eventually ask for its removal from stretch.

Cheers,
Moritz
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Thursday 15 February 2018 12:07 AM, Moritz Mühlenhoff wrote:
> What's the status?
> Cheers,
> Moritz

Some CVE patches are backported, but help is welcome,
https://salsa.debian.org/ruby-team/gitlab/tree/master-8-13
https://pad.disroot.org/p/gitlab_security_bp
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Fri, Jan 26, 2018 at 10:14:16PM +0530, Pirate Praveen wrote:
> On Friday 26 January 2018 07:32 PM, Salvatore Bonaccorso wrote:
> > See
> > https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> > for which several go back to 8.9.0 versions.
> >
> > There are three CVEs out of
> > https://security-tracker.debian.org/tracker/source-package/gitlab
> > belonging to that list which are yet marked undetermined, because not
> > clear from the advisory if 8.13.11+dfsg1-12 might be affected.
> > But assuming the 'version affected' information is correct, they are
> > not, please confirm so we can adjust the security-tracker information.
>
> We are working on backporting the patches (8.13.12 doesn't have most of
> these patches). We will confirm once we go through all of it.

What's the status?

Cheers,
Moritz
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
On Friday 26 January 2018 07:32 PM, Salvatore Bonaccorso wrote:
> See
> https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/
> for which several go back to 8.9.0 versions.
>
> There are three CVEs out of
> https://security-tracker.debian.org/tracker/source-package/gitlab
> belonging to that list which are yet marked undetermined, because not
> clear from the advisory if 8.13.11+dfsg1-12 might be affected.
> But assuming the 'version affected' information is correct, they are
> not, please confirm so we can adjust the security-tracker information.

We are working on backporting the patches (8.13.12 doesn't have most of these patches). We will confirm once we go through all of it.
[DRE-maint] Bug#888508: gitlab: multiple CVEs from GitLab Security Release: 10.3.4, 10.2.6, and 10.1.6 advisory
Source: gitlab
Version: 8.13.11+dfsg1-12
Severity: grave
Tags: upstream security

Hi

See https://about.gitlab.com/2018/01/16/gitlab-10-dot-3-dot-4-released/ for which several go back to 8.9.0 versions.

There are three CVEs out of https://security-tracker.debian.org/tracker/source-package/gitlab belonging to that list which are yet marked undetermined, because not clear from the advisory if 8.13.11+dfsg1-12 might be affected. But assuming the 'version affected' information is correct, they are not, please confirm so we can adjust the security-tracker information.

Regards,
Salvatore

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 4.14.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled