Your message dated Sat, 6 May 2017 23:00:37 +0530
with message-id <20170506173037.vekbilq5hdsnbigc@chelamattathu.chelamattathu.localhost>
and subject line Re: Requesting unblock
has caused the Debian Bug report #861870,
regarding gitlab: CVE-2017-8778
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
861870: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861870
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gitlab
Version: 8.13.11+dfsg1-3
Severity: grave
Tags: upstream security
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/27471

Hi,

the following vulnerability was published for gitlab. Please note I was
not able to verify that it affects versions back to 8.13.11, and the
merge request has restricted access. Can you confirm 8.13.11+dfsg1-3 is
affected as well?

CVE-2017-8778[0]:
| GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5
| has XSS via a SCRIPT element in an issue attachment or avatar that is
| an SVG document.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-8778
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8778

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
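The CVE text above names the risk class (script content inside an SVG that is rendered as a document rather than as an image). As an added example, not code from the bug report, GitLab, or the Debian package, the following Python check scans an uploaded SVG for script elements, event-handler attributes and javascript: URLs before it is accepted. The function names and the sample SVG documents are constructed for this illustration.

```python
"""Flag SVG uploads that carry active content.

Added example: not GitLab or Debian code. It demonstrates the kind of
pre-upload screening a defender can put in front of an avatar or
attachment endpoint. Function names and sample inputs are constructed.
"""
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample inputs (not from the bug report).
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<circle r="4"/></svg>'
)
SCRIPTED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script>/* constructed sample */</script>'
    b'<circle r="4" onload="x()"/></svg>'
)


def _local(qualified: str) -> str:
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return qualified.rsplit("}", 1)[-1].lower()


def svg_active_content(svg_bytes: bytes) -> List[str]:
    """Return a list of findings describing script-like content in the SVG.

    An empty list means nothing active was found. A document the parser
    rejects is reported as a finding too: an unparseable upload should not
    be trusted just because no <script> was seen.

    Note: for untrusted XML in production, prefer a hardened parser such as
    defusedxml; the standard library parser is used here so the example
    runs without third-party packages.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    for elem in root.iter():
        name = _local(elem.tag)
        # <script> runs directly; <foreignObject> can embed HTML content.
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_local = _local(attr)  # handles xlink:href as well as href
            if attr_local.startswith("on"):
                findings.append(f"event handler attribute {attr_local} on <{name}>")
            if attr_local == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {attr_local} on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """Convenience wrapper: True only when no findings were produced."""
    return not svg_active_content(svg_bytes)


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("scripted", SCRIPTED_SVG)):
        print(label, "->", svg_active_content(doc) or "no active content")
```

Screening like this is a detection aid, not the whole fix: the robust mitigation for user-supplied SVG is to never render it as a top-level document in the site's origin (serve it with `Content-Disposition: attachment`, or only from a separate origin or via `<img>`, where browsers do not execute embedded script), which is the kind of change the upstream fix referenced above would have to make.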
--- Begin Message ---
Hi,

On Sat, 6 May 2017 10:43:13 +0200 Tomasz Buchert <tom...@debian.org> wrote:
>
> Hi,
> in this case I'm going to close my request in #861914, and let you
> take care of it.

I just confirmed that this vulnerability does not apply to the GitLab
version we have in Debian. This is because the SVG rendering feature was
introduced in a later version and this vulnerability applies only to the
ones with that feature.

So, I will be reverting the commit I pushed to gitlab source repository
in alioth and once 8.13.11+dfsg1-5 migrates to Testing, all will be well.

Thanks for the report Salvatore and the help Tomasz. It's encouraging to
see others are also looking at this package.

Because of the above reasons, I will be closing this issue.

Attachment: signature.asc (PGP signature)
--- End Message ---
_______________________________________________
Pkg-ruby-extras-maintainers mailing list
Pkg-ruby-extras-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers