Site Navigation

Date:      Thu, 27 Jun 2024 04:49:53 GMT
From:      Matthias Fechner <mfechner@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 1dae53187bd9 - main - security/vuxml: document gitlab vulnerabilities
Message-ID:  <202406270449.45R4nriV088139@gitrepo.freebsd.org>

---

next in thread | raw e-mail | index | archive | help

---

The branch main has been updated by mfechner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1dae53187bd915a228d02c9d3d8eaf7bc3033711

commit 1dae53187bd915a228d02c9d3d8eaf7bc3033711
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2024-06-27 04:49:03 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2024-06-27 04:49:03 +0000

    security/vuxml: document gitlab vulnerabilities
---
 security/vuxml/vuln/2024.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/security/vuxml/vuln/2024.xml b/security/vuxml/vuln/2024.xml
index a68a5d19be54..a406e45c64b2 100644
--- a/security/vuxml/vuln/2024.xml
+++ b/security/vuxml/vuln/2024.xml
@@ -1,3 +1,58 @@
+  <vuln vid="589de937-343f-11ef-8a7b-001b217b3468">
+    <topic>Gitlab -- Vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab-ce</name>
+	<name>gitlab-ee</name>
+	<range><ge>17.1.0</ge><lt>17.1.1</lt></range>
+	<range><ge>17.0.0</ge><lt>17.0.3</lt></range>
+	<range><ge>1.0.0</ge><lt>16.11.5</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Gitlab reports:</p>
+	<blockquote cite="https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/">;
+	  <p>Run pipelines as any user</p>
+	  <p>Stored XSS injected in imported project's commit notes</p>
+	  <p>CSRF on GraphQL API IntrospectionQuery</p>
+	  <p>Remove search results from public projects with unauthorized repos</p>
+	  <p>Cross window forgery in user application OAuth flow</p>
+	  <p>Project maintainers can bypass group's merge request approval policy</p>
+	  <p>ReDoS via custom built markdown page</p>
+	  <p>Private job artifacts can be accessed by any user</p>
+	  <p>Security fixes for banzai pipeline</p>
+	  <p>ReDoS in dependency linker</p>
+	  <p>Denial of service using a crafted OpenAPI file</p>
+	  <p>Merge request title disclosure</p>
+	  <p>Access issues and epics without having an SSO session</p>
+	  <p>Non project member can promote key results to objectives</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2024-5655</cvename>
+      <cvename>CVE-2024-4901</cvename>
+      <cvename>CVE-2024-4994</cvename>
+      <cvename>CVE-2024-6323</cvename>
+      <cvename>CVE-2024-2177</cvename>
+      <cvename>CVE-2024-5430</cvename>
+      <cvename>CVE-2024-4025</cvename>
+      <cvename>CVE-2024-3959</cvename>
+      <cvename>CVE-2024-4557</cvename>
+      <cvename>CVE-2024-1493</cvename>
+      <cvename>CVE-2024-1816</cvename>
+      <cvename>CVE-2024-2191</cvename>
+      <cvename>CVE-2024-3115</cvename>
+      <cvename>CVE-2024-4011</cvename>
+      <url>https://about.gitlab.com/releases/2024/06/26/patch-release-gitlab-17-1-1-released/</url>;
+    </references>
+    <dates>
+      <discovery>2024-06-26</discovery>
+      <entry>2024-06-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="2b68c86a-32d5-11ef-8a0f-a8a1599412c6">
     <topic>chromium -- multiple security fixes</topic>
     <affects>

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406270449.45R4nriV088139>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact