Processed: Re: Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client

2017-08-17 Thread Debian Bug Tracking System
Processing control commands:

> severity -1 minor
Bug #872190 [src:gitlab] gitlab: CVE-2017-12426: Remote Command Execution in git client
Severity set to 'minor' from 'grave'

-- 
872190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client

2017-08-17 Thread Salvatore Bonaccorso
Control: severity -1 minor

On Thu, Aug 17, 2017 at 06:24:43PM +0530, Pirate Praveen wrote:
> On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is
> an extra step to prevent it in case of a vulnerable git. Since Debian
> already has the fixed version of git, I don't think we need to do anything
> to gitlab.

Agree, we can at least lower the severity, and thanks a lot for the
followup. The CVE seems to be specifically assigned for the "via a crafted
SSH URL in a project import". Can you close this bug once the gitlab
version contains this extra safety measure as well, for when it is still
running with an older git?

For the security tracker I have already downgraded the severity to
unimportant.

Regards,
Salvatore



Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client

2017-08-17 Thread Pirate Praveen
On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is
an extra step to prevent it in case of a vulnerable git. Since Debian
already has the fixed version of git, I don't think we need to do anything
to gitlab.



signature.asc
Description: OpenPGP digital signature
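The "extra step" discussed in the messages above is a check on the import URL before it is ever handed to the git client, so that a GitLab instance stays protected even when it runs on a git release that has not received the fix. The Ruby below is an added illustration of such a check; it is not GitLab's or Debian's code and not the patch referenced in this thread. It assumes that the dangerous shape of a "crafted SSH URL" is one whose host or user component begins with `-`, which an unpatched git would pass to ssh as a command-line option rather than as a host name, and it covers both `scheme://` URLs and the scp-like `user@host:path` form git accepts. The sample URLs are constructed for the example.

```ruby
require 'uri'

# Constructed sample inputs (not taken from the bug report): three ordinary
# import URLs followed by three whose host or user component starts with '-'.
SAMPLE_IMPORT_URLS = [
  'ssh://git@example.org/group/project.git',
  'git@example.org:group/project.git',
  'https://example.org/group/project.git',
  'ssh://-oSomeOption@example.org/group/project.git',
  'ssh://git@-example.org/group/project.git',
  '-oSomeOption:group/project.git'
].freeze

SCHEME_RE = %r{\A[a-z][a-z0-9+.\-]*://}i

# Returns true when the URL may be handed to the git client, false when any
# component that ssh would receive as a positional argument starts with '-'
# (or when the URL cannot be parsed at all, which is also rejected).
def safe_import_url?(url)
  unless url =~ SCHEME_RE
    # scp-like syntax without a scheme: [user@]host:path
    return false unless url.include?(':')
    hostpart = url.split(':', 2).first
    user, host = hostpart.include?('@') ? hostpart.split('@', 2) : [nil, hostpart]
    return false if host.nil? || host.empty? || host.start_with?('-')
    return false if user && user.start_with?('-')
    return true
  end

  uri = URI.parse(url)
  return false if uri.host.nil? || uri.host.empty?
  return false if uri.host.start_with?('-')
  return false if uri.user && uri.user.start_with?('-')
  true
rescue URI::InvalidURIError
  # A URL the parser refuses is treated as unsafe rather than passed through.
  false
end

# Convenience for a batch check: the subset of URLs that must be refused.
def unsafe_import_urls(urls)
  urls.reject { |u| safe_import_url?(u) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IMPORT_URLS.each do |u|
    puts "#{safe_import_url?(u) ? 'allow ' : 'reject'}  #{u}"
  end
end
```

Rejecting on parse failure is deliberate: the goal of the check is to refuse anything whose shape cannot be confirmed, so an unparseable URL must never fall through to the git client by default.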


Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client

2017-08-14 Thread Salvatore Bonaccorso
Source: gitlab
Version: 8.13.11+dfsg1-8
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212

Hi,

the following vulnerability was published for gitlab.

CVE-2017-12426[0]:
| GitLab Community Edition (CE) and Enterprise Edition (EE) before
| 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10,
| 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote
| attackers to execute arbitrary code via a crafted SSH URL in a project
| import.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12426
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12426
[1] https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
[2] https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

Regards,
Salvatore