[DRE-maint] Bug#843519: gitlab: CVE-2016-9086

Salvatore Bonaccorso carnil at debian.org
Mon Nov 7 11:20:09 UTC 2016


Source: gitlab
Version: 8.10.5+dfsg-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

the following vulnerability was published for gitlab.

CVE-2016-9086[0]:
| GitLab versions 8.9.x and above contain a critical security flaw in the
| "import/export project" feature of GitLab. Added in GitLab 8.9, this
| feature allows a user to export and then re-import their projects as
| tape archive files (tar). All GitLab versions prior to 8.13.0
| restricted this feature to administrators only. Starting with version
| 8.13.0 this feature was made available to all users. This feature did
| not properly check for symbolic links in user-provided archives and
| therefore it was possible for an authenticated user to retrieve the
| contents of any file accessible to the GitLab service account. This
| included sensitive files such as those that contain secret tokens used
| by the GitLab service to authenticate users. GitLab CE and EE versions
| 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10,
| 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-9086
[1] https://hackerone.com/reports/178152
[2] https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/

Regards,
Salvatore
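As an added illustration (not GitLab's code and not part of this bug report): the flaw described above is that link entries in a user-supplied tar archive were not checked before the archive was unpacked, so a symlink inside the archive could point at any file the service account could read. The Ruby below scans the raw ustar headers of an archive before extraction and rejects link entries, absolute paths and `..` components; it parses headers only, so no file data is ever followed. The tiny tar builder, the archive contents, the entry names and the placeholder link target are constructed test data, not anything from GitLab.

```ruby
# Added example: header-only safety scan of a tar archive before extraction.
# Policy: refuse hard links and symlinks outright, plus any path that could
# land outside the destination directory. Everything below is constructed.

# Build one 512-byte ustar header (test data only; field offsets are the
# standard ones: name@0, mode@100, uid@108, gid@116, size@124, mtime@136,
# checksum@148, typeflag@156, linkname@157, magic@257).
def tar_header(name, typeflag:, size: 0, linkname: "")
  h = "".b
  h << name.b.ljust(100, "\0")
  h << "0000644\0" << "0000000\0" << "0000000\0"   # mode, uid, gid
  h << format("%011o\0", size) << format("%011o\0", 0) # size, mtime
  h << " " * 8                                      # checksum placeholder
  h << typeflag
  h << linkname.b.ljust(100, "\0")
  h << "ustar\0" << "00"
  h << "\0" * 32 << "\0" * 32                       # uname, gname
  h << "0000000\0" << "0000000\0"                   # devmajor, devminor
  h << "\0" * 155 << "\0" * 12                      # prefix, padding
  raise "header is #{h.bytesize} bytes" unless h.bytesize == 512
  # Checksum is the byte sum with the checksum field itself read as spaces.
  h[148, 8] = format("%06o\0 ", h.bytes.sum)
  h
end

def tar_file(name, content)
  padded = (content.bytesize + 511) / 512 * 512
  tar_header(name, typeflag: "0", size: content.bytesize) +
    content.b.ljust(padded, "\0")
end

def tar_symlink(name, target)
  tar_header(name, typeflag: "2", linkname: target)
end

def build_tar(*entries)
  entries.join + "\0" * 1024   # two zero blocks terminate the archive
end

TarEntry = Struct.new(:name, :typeflag, :linkname)

# Walk the archive by header, skipping over file data without reading it.
def tar_entries(tar)
  entries = []
  offset = 0
  while offset + 512 <= tar.bytesize
    block = tar.byteslice(offset, 512)
    break if block.bytes.all?(&:zero?)            # end-of-archive marker
    stored   = block[148, 8].delete("\0 ").to_i(8)
    computed = block.bytes.sum - block[148, 8].bytes.sum + 8 * 32
    raise "bad header checksum at offset #{offset}" unless stored == computed
    name     = block[0, 100].delete("\0")
    size     = block[124, 12].delete("\0 ").to_i(8)
    typeflag = block[156, 1]
    linkname = block[157, 100].delete("\0")
    entries << TarEntry.new(name, typeflag, linkname)
    offset += 512 + (size + 511) / 512 * 512
  end
  entries
end

# Returns one reason string per entry that must not be extracted; empty
# means the archive passed. Link entries (typeflag "1" hard link, "2"
# symlink) are rejected regardless of target, since a target that looks
# relative can still resolve outside the tree once earlier links exist.
def unsafe_entries(tar)
  tar_entries(tar).map do |e|
    if %w[1 2].include?(e.typeflag)
      "#{e.name}: link entry (type #{e.typeflag}) -> #{e.linkname}"
    elsif e.name.start_with?("/")
      "#{e.name}: absolute path"
    elsif e.name.split("/").include?("..")
      "#{e.name}: path traversal"
    end
  end.compact
end

def safe_archive?(tar)
  unsafe_entries(tar).empty?
end

# Constructed sample archives: one clean, one carrying the three entry
# kinds the scan refuses. The link target is a placeholder, not a real path.
CLEAN_TAR = build_tar(tar_file("project/README.md", "hello\n"))
HOSTILE_TAR = build_tar(
  tar_file("project/notes.txt", "x"),
  tar_symlink("project/tokens.yml", "/placeholder/path/secret-tokens.yml"),
  tar_file("/tmp/absolute.txt", "y"),
  tar_file("../escape.txt", "z")
)

if __FILE__ == $0
  puts "clean archive safe?   #{safe_archive?(CLEAN_TAR)}"
  puts "hostile archive safe? #{safe_archive?(HOSTILE_TAR)}"
  unsafe_entries(HOSTILE_TAR).each { |r| puts "  rejected: #{r}" }
end
```

The scan runs before any `tar` process or extraction library touches the data, which is the point: once a symlink has been created on disk, a later entry written "through" it, or the import code reading the project tree, already follows it. Verifying the header checksum also stops a truncated or hand-mangled archive from being silently accepted as empty.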
