Date:      Fri, 11 Aug 2017 08:05:10 +0000 (UTC)
From:      Torsten Zuehlsdorff <tz@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r447739 - head/security/vuxml
Message-ID:  <201708110805.v7B85AuV065847@repo.freebsd.org>

Author: tz
Date: Fri Aug 11 08:05:09 2017
New Revision: 447739
URL: https://svnweb.freebsd.org/changeset/ports/447739

Log:
  Document GitLab vulnerabilities
  
  Security: CVE-2017-12426
  Security: https://vuxml.FreeBSD.org/freebsd/abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Fri Aug 11 07:58:52 2017	(r447738)
+++ head/security/vuxml/vuln.xml	Fri Aug 11 08:05:09 2017	(r447739)
@@ -58,6 +58,62 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="abcc5ad3-7e6a-11e7-93f7-d43d7e971a1b">
+    <topic>GitLab -- two vulnerabilities</topic>
+    <affects>
+      <package>
+	      <name>gitlab</name>
+  <range><ge>7.9.0</ge><le>8.17.8</le></range>
+	<range><ge>9.0.0</ge><le>9.0.12</le></range>
+	<range><ge>9.1.0</ge><le>9.1.9</le></range>
+	<range><ge>9.2.0</ge><le>9.2.9</le></range>
+	<range><ge>9.3.0</ge><le>9.3.9</le></range>
+  <range><ge>9.4.0</ge><le>9.4.3</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>GitLab reports:</p>
+	<blockquote cite="https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/">;
+    <h1>Remote Command Execution in git client</h1>
+	  <p>An external code review performed by Recurity-Labs identified a remote
+	  command execution vulnerability in git that could be exploited via the "Repo
+	  by URL" import option in GitLab. The command line git client was not
+	  properly escaping command line arguments in URLs using the SSH protocol
+	  before invoking the SSH client. A specially crafted URL could be used to
+	  execute arbitrary shell commands on the GitLab server.<br/>
+    To fully patch this vulnerability two fixes were needed. The Omnibus
+    versions of GitLab contain a patched git client. For source users who may
+    still be running an older version of git, GitLab now also blocks import URLs
+    containing invalid host and usernames.<br/>
+    This issue has been assigned CVE-2017-12426.</p>
+    <h1>Improper sanitization of GitLab export files on import</h1>
+    <p>GitLab versions 8.13.3, 8.12.8, 8.11.10, 8.10.13, and 8.9.12 contained a
+    patch for a critical directory traversal vulnerability in the GitLab export
+    feature that could be exploited by including symlinks in the export file and
+    then re-importing it to a GitLab instance. This vulnerability was patched by
+    checking for and removing symlinks in these files on import.<br/>
+    Recurity-Labs also determined that this fix did not properly remove symlinks for
+    hidden files. Though not as dangerous as the original vulnerability hidden file
+    symlinks could still be used to steal copies of git repositories belonging to
+    other users if the path to the git repository was known by the attacker. An
+    updated fix has been included in these releases that properly removes all
+    symlinks.<br/>
+    This import option was not made available to non-admin users until GitLab
+    8.13.0.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://about.gitlab.com/2017/08/10/gitlab-9-dot-4-dot-4-released/</url>;
+      <cvename>CVE-2017-12426</cvename>
+    </references>
+    <dates>
+      <discovery>2017-08-10</discovery>
+      <entry>2017-08-11</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="982872f1-7dd3-11e7-9736-6cc21735f730">
     <topic>PostgreSQL vulnerabilities</topic>
     <affects>
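Review bot: the indentation inside the new `<package>` block mixes tabs and spaces: the `<name>gitlab</name>` line is indented with a tab plus spaces, the 7.9.0 and 9.4.0 `<range>` lines with two spaces, and the remaining `<range>` lines with a single tab, so the six sibling ranges do not line up. The same mix appears in the blockquote, where the `<h1>` lines and the `<p>` starting "GitLab versions 8.13.3" use spaces while the adjacent `<p>` lines use tabs. Please normalise the whole entry to the tab-based indentation used by the surrounding entries (e.g. `\t<range><ge>7.9.0</ge><le>8.17.8</le></range>`) before commit, since the file is edited by many committers and mixed whitespace makes later diffs noisy. A second, minor point: the topic says "two vulnerabilities" but only CVE-2017-12426 is referenced; if no CVE exists for the export-file symlink issue, the description already covers it, so that is fine as written.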