Processed: Re: Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Processing control commands:

> severity -1 minor
Bug #872190 [src:gitlab] gitlab: CVE-2017-12426: Remote Command Execution in git client
Severity set to 'minor' from 'grave'

--
872190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=872190
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Control: severity -1 minor

On Thu, Aug 17, 2017 at 06:24:43PM +0530, Pirate Praveen wrote:
> On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso wrote:
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is
> an extra step to prevent in case of a vulnerable git. Since Debian already
> has the fixed version of git, I don't think we need to do anything to
> gitlab.

Agree, we can at least lower the severity, and thanks a lot for the
followup. The CVE seems to be specifically assigned for the "via a
crafted SSH URL in a project import". Can you close this bug once the
gitlab version contains this extra safety measure as well, for the case
of still running with an older git?

For the security tracker I have already downgraded the severity to
unimportant.

Regards,
Salvatore
Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
On Tue, 15 Aug 2017 07:40:59 +0200 Salvatore Bonaccorso wrote:
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This is already fixed in git 1:2.11.0-3+deb9u1. The patch in gitlab is
an extra step to prevent in case of a vulnerable git. Since Debian already
has the fixed version of git, I don't think we need to do anything to
gitlab.
Bug#872190: gitlab: CVE-2017-12426: Remote Command Execution in git client
Source: gitlab
Version: 8.13.11+dfsg1-8
Severity: grave
Tags: security upstream
Forwarded: https://gitlab.com/gitlab-org/gitlab-ce/issues/35212

Hi,

the following vulnerability was published for gitlab.

CVE-2017-12426[0]:
| GitLab Community Edition (CE) and Enterprise Edition (EE) before
| 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10,
| 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote
| attackers to execute arbitrary code via a crafted SSH URL in a project
| import.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-12426
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12426
[1] https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
[2] https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/

Regards,
Salvatore
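The thread above describes the application-side mitigation only as an "extra safety measure" in gitlab for the case where the underlying git client is still vulnerable: the project-import feature should not pass a user-supplied remote to a command-line tool unless it has the shape of a genuine repository URL. The following is an added example of such a check, written here as an illustration and not GitLab's or Debian's own code. It assumes a hypothetical `validate_import_url` entry point, an allowlist of schemes (`https`, `http`, `ssh`, `git`), and that the application wants to accept both RFC 3986 URLs and scp-like `user@host:path` remotes. Every component that a command-line client could see (user, host, scp-like path) is required to be a plausible hostname, user name or path, and in particular may not begin with `-`, because a value starting with a dash is not a valid host and would be read as an option by a client that receives it as an argument.

```python
"""Strict validation of repository import URLs (added example, not project code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the importer only needs these transports.
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}

# RFC 1123 style hostname: dot-separated labels of alphanumerics with
# interior hyphens only, so a label can never begin with '-'.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)
# Conservative user-name alphabet for ssh://user@host and user@host:path.
_USER_RE = re.compile(r"^[A-Za-z0-9._]+$")
# scp-like remote: [user@]host:path (no scheme, first ':' separates host).
_SCP_LIKE_RE = re.compile(r"^(?:(?P<user>[^@/]+)@)?(?P<host>[^:/]+):(?P<path>.+)$")


class InvalidImportUrl(ValueError):
    """Raised when a remote must not be handed to the git client."""


def _valid_host(host):
    """Accept a DNS hostname or a literal IPv4/IPv6 address, nothing else."""
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOST_RE.match(host))


def validate_import_url(url):
    """Return (scheme, user, host, path) for an acceptable remote, else raise."""
    if not isinstance(url, str) or " " in url or any(ord(c) < 0x20 for c in url):
        raise InvalidImportUrl("whitespace or control characters in URL")

    parts = urlsplit(url)
    if parts.scheme:
        scheme = parts.scheme.lower()
        if scheme not in ALLOWED_SCHEMES:
            raise InvalidImportUrl("scheme not allowed: %r" % scheme)
        if parts.password:
            raise InvalidImportUrl("credentials embedded in URL are not accepted")
        user = parts.username or ""
        host = parts.hostname or ""   # urlsplit lowercases and strips IPv6 brackets
        path = parts.path
    else:
        m = _SCP_LIKE_RE.match(url)
        if not m:
            raise InvalidImportUrl("not a URL or scp-like remote")
        scheme = "ssh"
        user = m.group("user") or ""
        host = m.group("host")
        path = m.group("path")

    # The central refusal: no component handed to a CLI may look like an option.
    for name, value in (("user", user), ("host", host), ("path", path)):
        if value.startswith("-"):
            raise InvalidImportUrl("%s component may not start with '-': %r" % (name, value))

    if user and not _USER_RE.match(user):
        raise InvalidImportUrl("invalid user component: %r" % user)
    if not _valid_host(host):
        raise InvalidImportUrl("invalid host: %r" % host)
    if not path or path == "/":
        raise InvalidImportUrl("missing repository path")
    return scheme, user, host, path


def is_acceptable(url):
    """Boolean convenience wrapper around validate_import_url()."""
    try:
        validate_import_url(url)
        return True
    except InvalidImportUrl:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two well-formed remotes and one whose "host"
    # is not a hostname at all (leading dash) and is therefore refused.
    for candidate in ("https://github.com/org/repo.git",
                      "git@git.example.org:team/repo.git",
                      "ssh://-example.invalid/repo"):
        print(candidate, "->", "accepted" if is_acceptable(candidate) else "rejected")
```

The check is deliberately an allowlist rather than a blocklist of known-bad prefixes: a remote is accepted only if its scheme, user and host each match a narrow grammar, so inputs the validator has never seen are rejected by default, and the leading-dash rule is simply one consequence of requiring a real hostname.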