Date:      Wed, 28 Mar 2018 13:05:54 +0000 (UTC)
From:      Matthias Fechner <mfechner@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r465805 - head/security/vuxml
Message-ID:  <201803281305.w2SD5sgM055087@repo.freebsd.org>

Author: mfechner
Date: Wed Mar 28 13:05:54 2018
New Revision: 465805
URL: https://svnweb.freebsd.org/changeset/ports/465805

Log:
  Document gitlab vulnerability.
  
  Reviewed by:	tz (mentor)
  Approved by:	tz (mentor)
  Differential Revision:	https://reviews.freebsd.org/D14870

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Wed Mar 28 12:58:19 2018	(r465804)
+++ head/security/vuxml/vuln.xml	Wed Mar 28 13:05:54 2018	(r465805)
@@ -203,6 +203,42 @@ Notes:
     </dates>
   </vuln>
 
+  <vuln vid="dc0c201c-31da-11e8-ac53-d8cb8abf62dd">
+    <topic>Gitlab -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab</name>
+	<range><ge>8.3</ge><lt>10.5.6</lt></range>
+	<range><ge>8.3</ge><lt>10.4.6</lt></range>
+	<range><ge>8.3</ge><lt>10.3.9</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>GitLab reports:</p>
+	<blockquote cite="https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/">;
+	  <h1>SSRF in services and web hooks</h1>
+	  <p>There were multiple server-side request forgery issues in the Services feature.
+             An attacker could make requests to servers within the same network of the GitLab
+             instance. This could lead to information disclosure, authentication bypass, or
+             potentially code execution. This issue has been assigned
+             <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8801">CVE-2018-8801</a>.</p>;
+	  <h1>Gitlab Auth0 integration issue</h1>
+	  <p>There was an issue with the GitLab <code>omniauth-auth0</code> configuration
+             which resulted in the Auth0 integration signing in the wrong users.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2018-8801</cvename>
+      <url>https://about.gitlab.com/2018/03/20/critical-security-release-gitlab-10-dot-5-dot-6-released/</url>;
+    </references>
+    <dates>
+      <discovery>2018-03-20</discovery>
+      <entry>2018-03-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="23f59689-0152-42d3-9ade-1658d6380567">
     <topic>mozilla -- use-after-free in compositor</topic>
     <affects>
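Review bot: the three <range> elements in the <affects> block overlap, because every one of them starts at <ge>8.3</ge>; the first range (<lt>10.5.6</lt>) therefore already covers the other two, and a host that has taken the backported fix (gitlab 10.4.6 or 10.3.9) still satisfies "ge 8.3 and lt 10.5.6" and will keep being reported as vulnerable by pkg audit. Suggest scoping each range to its release branch so that only unpatched versions match, e.g. `<range><ge>8.3</ge><lt>10.3.9</lt></range>`, `<range><ge>10.4.0</ge><lt>10.4.6</lt></range>`, `<range><ge>10.5.0</ge><lt>10.5.6</lt></range>`. Minor: the topic says "Gitlab" while the body and the upstream advisory use "GitLab".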