From owner-svn-ports-all@freebsd.org Thu May 18 10:45:59 2017 Message-Id: <201705181045.v4IAjw8V068481@repo.freebsd.org>
From: Torsten Zuehlsdorff Date: Thu, 18 May 2017 10:45:58 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r441141 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 May 2017 10:45:59 -0000 Author: tz Date: Thu May 18 10:45:57 2017 New Revision: 441141 URL: https://svnweb.freebsd.org/changeset/ports/441141 Log: Document GitLab vulnerabilities. Security: CVE-2017-0882 Security: https://vuxml.FreeBSD.org/freebsd/5d62950f-3bb5-11e7-93f7-d43d7e971a1b.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu May 18 10:45:49 2017 (r441140) +++ head/security/vuxml/vuln.xml Thu May 18 10:45:57 2017 (r441141) @@ -58,6 +58,41 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + gitlab -- Various security issues + + + gitlab + 8.7.08.15.7 + 8.16.08.16.7 + 8.17.08.17.3 + + + + +

GitLab reports:

+
+

Information Disclosure in Issue and Merge Request Trackers

+

During an internal code review a critical vulnerability in the GitLab Issue and Merge Request trackers was discovered. This vulnerability could allow a user with access to assign ownership of an issue or merge request to another user to disclose that user's private token, email token, email address, and encrypted OTP secret. Reporter-level access to a GitLab project is required to exploit this flaw.

+

SSRF when importing a project from a Repo by URL

+

GitLab instances that have enabled project imports using "Repo by URL" were vulnerable to Server-Side Request Forgery attacks. By specifying a project import URL of localhost an attacker could target services that are bound to the local interface of the server. These services often do not require authentication. Depending on the service an attacker might be able craft an attack using the project import request URL.

+

Links in Environments tab vulnerable to tabnabbing

+

edio via HackerOne reported that user-configured Environment links include target=_blank but do not also include rel: noopener noreferrer. Anyone clicking on these links may therefore be subjected to tabnabbing attacks where a link back to the requesting page is maintained and can be manipulated by the target server.

+

Accounts with email set to "Do not show on profile" have addresses exposed in public atom feed

+

Several GitLab users reported that even with "Do not show on profile" configured for their email addresses those addresses were still being leaked in Atom feeds if they commented on a public project.

+
+ +
+ + https://about.gitlab.com/2017/03/20/gitlab-8-dot-17-dot-4-security-release/ + CVE-2017-0882 + + + 2017-03-20 + 2017-05-18 + +
+ freetype2 -- buffer overflows
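Review bot: only CVE-2017-0882 appears in the references, yet the new entry groups four distinct issues (the issue/merge-request tracker information disclosure, the "Repo by URL" SSRF, the Environments-tab tabnabbing, and the Atom-feed email leak); add a sentence stating which of the four the CVE covers, or note that the other three have no CVE assigned, so readers of the VuXML feed can map the single identifier to the right issue. Also double-check the range endpoints 8.15.7, 8.16.7 and 8.17.3 against the referenced 8.17.4 security release: if those are the last affected versions they need the inclusive `<le>` comparison rather than `<lt>`, otherwise 8.17.3 would be reported as unaffected.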