Your message dated Sat, 6 May 2017 23:00:37 +0530
with message-id 
<20170506173037.vekbilq5hdsnbigc@chelamattathu.chelamattathu.localhost>
and subject line Re: Requesting unblock
has caused the Debian Bug report #861870,
regarding gitlab: CVE-2017-8778
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 8.13.11+dfsg1-3
Severity: grave
Tags: upstream security
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471

Hi,

the following vulnerability was published for gitlab. Please note I
was not able to verify that it affects versions back to 8.13.11, and the
merge request has restricted access. Can you confirm 8.13.11+dfsg1-3 is
affected as well?

CVE-2017-8778[0]:
| GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5
| has XSS via a SCRIPT element in an issue attachment or avatar that is
| an SVG document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8778
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8778

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
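The CVE text above describes the attachment/avatar class of problem: an SVG is XML, and a browser that renders it as a document (rather than through an <img> tag) will run a SCRIPT element or an event-handler attribute inside it. The following is an added example of a defender-side inspection for that, written for this page; it is not GitLab's code and not part of the bug thread. It uses only REXML from the Ruby distribution, the sample SVG strings are constructed here, and the function names `svg_active_content` and `safe_svg?` are mine.

```ruby
require 'rexml/document'

# Constructed sample inputs (not taken from the bug report or from GitLab).
BENIGN_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
    <circle cx="5" cy="5" r="4" fill="blue"/>
  </svg>
SVG

SCRIPT_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg">
    <script>// constructed sample, no real payload</script>
  </svg>
SVG

HANDLER_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg">
    <rect width="1" height="1" onload="x()"/>
  </svg>
SVG

JS_HREF_SVG = <<~SVG
  <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <a xlink:href="javascript:x()"><text>link</text></a>
  </svg>
SVG

# Walk every element of an SVG document and report constructs a browser would
# execute when the file is rendered as a top-level document or via <object>.
# Returns an array of findings; an empty array means nothing active was found.
# Malformed XML is reported as a finding rather than silently accepted.
def svg_active_content(svg_text)
  findings = []
  doc = REXML::Document.new(svg_text)
  REXML::XPath.each(doc, '//*') do |el|
    local = el.name.downcase # REXML Element#name is the local name, prefix stripped
    # <script> runs JavaScript; <foreignObject> can embed arbitrary HTML.
    findings << "element:#{local}" if %w[script foreignobject].include?(local)
    el.attributes.each do |attr_name, value|
      short = attr_name.split(':').last.downcase
      if short.start_with?('on')
        # onload=, onclick=, ... are inline event handlers.
        findings << "handler:#{attr_name}"
      elsif %w[href xlink:href].include?(attr_name.downcase) &&
            value.strip.downcase.start_with?('javascript:')
        # A javascript: URL in a link target executes on click.
        findings << "href:#{attr_name}"
      end
    end
  end
  findings
rescue REXML::ParseException => e
  ["parse-error:#{e.message.lines.first.strip}"]
end

# Convenience predicate for an upload filter: true only when no finding exists.
def safe_svg?(svg_text)
  svg_active_content(svg_text).empty?
end

if __FILE__ == $PROGRAM_NAME
  { benign: BENIGN_SVG, script: SCRIPT_SVG, handler: HANDLER_SVG, js_href: JS_HREF_SVG }.each do |label, svg|
    puts "#{label}: #{svg_active_content(svg).inspect}"
  end
end
```

Rejecting or sanitising at upload time is one half of the mitigation; the other, independent of the file contents, is never serving user-supplied SVG as an inline document from the application's own origin (for example, sending it with a Content-Disposition: attachment header, or only ever referencing it from an <img> tag, where browsers do not execute scripts). A check like the one above catches the obvious constructs but is a list of known-bad patterns, so it should not be the only line of defence.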
--- Begin Message ---
Hi,

On Sat, 6 May 2017 10:43:13 +0200 Tomasz Buchert <tom...@debian.org> wrote:
> 
> Hi,
> in this case I'm going to close my request in #861914, and let you
> take care of it.

I just confirmed that this vulnerability does not apply to the GitLab version we
have in Debian. This is because the SVG rendering feature was introduced in a
later version and this vulnerability applies only to the ones with that feature.
So, I will be reverting the commit I pushed to gitlab source repository in
alioth and once 8.13.11+dfsg1-5 migrates to Testing, all will be well.

Thanks for the report Salvatore and the help Tomasz. It's encouraging to see
others are also looking at this package.

Because of the above reasons, I will be closing this issue.

Attachment: signature.asc
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
