Bug#933785: gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461

[Pirate Praveen]

I have uploaded 11.11.7 in my personal repo [1]. Since grpc and protobuf 
updates are not in the archive I cannot upload it to archive right now.


[1] people.debian.org/~praveen/gitlab

Bug#933785: gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461

[Pirate Praveen]

Control: block -1 by 933795
Control: block -1 by 933778

On Sat, 03 Aug 2019 15:41:53 +0200 Salvatore Bonaccorso wrote:

The following vulnerabilities were published for gitlab, see [9].


Since these fixes are not backported to 11.10 branch, we will have to 
update to 11.11 branch.


Currently blocked by gitaly build failure reported upstream 
https://gitlab.com/gitlab-org/gitaly/issues/1840

Bug#933785: gitlab: CVE-2019-5470 CVE-2019-5469 CVE-2019-5468 CVE-2019-5466 CVE-2019-5465 CVE-2019-5464 CVE-2019-5463 CVE-2019-5462 CVE-2019-5461

[Salvatore Bonaccorso]

Source: gitlab
Version: 11.8.10+dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for gitlab, see [9].

CVE-2019-5470[0]:
Information Disclosure Vulnerability Feedback

CVE-2019-5469[1]:
Arbitrary File Upload via Import Project Archive

CVE-2019-5468[2]:
User Revokation Bypass with Mattermost Integration

CVE-2019-5466[3]:
IDOR Label Name Enumeration

CVE-2019-5465[4]:
Information Disclosure New Issue ID

CVE-2019-5464[5]:
SSRF Mitigation Bypass

CVE-2019-5463[6]:
Build Status Disclosure

CVE-2019-5462[7]:
Trigger Token Impersonation

CVE-2019-5461[8]:
GitHub Integration SSRF

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5470
[1] https://security-tracker.debian.org/tracker/CVE-2019-5469
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5469
[2] https://security-tracker.debian.org/tracker/CVE-2019-5468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5468
[3] https://security-tracker.debian.org/tracker/CVE-2019-5466
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5466
[4] https://security-tracker.debian.org/tracker/CVE-2019-5465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5465
[5] https://security-tracker.debian.org/tracker/CVE-2019-5464
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5464
[6] https://security-tracker.debian.org/tracker/CVE-2019-5463
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5463
[7] https://security-tracker.debian.org/tracker/CVE-2019-5462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5462
[8] https://security-tracker.debian.org/tracker/CVE-2019-5461
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5461
[9] 
https://about.gitlab.com/2019/07/29/security-release-gitlab-12-dot-1-dot-2-released/

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled