From nobody Fri Sep 30 16:11:24 2022
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4MfFbK1rr0z4f4bh;
	Fri, 30 Sep 2022 16:11:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4MfFbK1PpHz3q33;
	Fri, 30 Sep 2022 16:11:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1664554285;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=6uPoV82mg3AwSEI1V/lwNO+NqTpgFY7PI36+pqpRuFM=;
	b=e/unDJWZTGZlEoYYd3X8A6ttevEANYZnGotClb/OZemzuTjyqFNsV7iNUEV32g4E2Gd0nz
	l7UPxAHM/RGraS4AkQkVnzKpIijCMbxaG6cUTFQ1CaRZDIPORCMEHkwkQz1YRHwclg/+6n
	a5b+S/7gnOmd5iLlCcWu0u3IJ9qAOxABKunTkARtHr4wg/ehlkX/3/uLQ0epEAs+P7uUne
	5l3IjS7t8C4ePpO9wwDlEdBB6cnU/jkUri9F/abUy0iTtnl7TaaxFDucc4DQuJgzzd/N+E
	VjDEDjeFkK5YsWCbsKAQ6qQrICjJKv0DrcyFA8nD5aunZTYVmIW2fg6KPDLdrA==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4MfFbK09JBzDfX;
	Fri, 30 Sep 2022 16:11:25 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from gitrepo.freebsd.org ([127.0.1.44])
	by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 28UGBOqG055415;
	Fri, 30 Sep 2022 16:11:24 GMT
	(envelope-from git@gitrepo.freebsd.org)
Received: (from git@localhost)
	by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 28UGBOVv055414;
	Fri, 30 Sep 2022 16:11:24 GMT
	(envelope-from git)
Date: Fri, 30 Sep 2022 16:11:24 GMT
Message-Id: <202209301611.28UGBOVv055414@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org,
        dev-commits-ports-main@FreeBSD.org
From: Matthias Fechner <mfechner@FreeBSD.org>
Subject: git: a2eb3ac977b2 - main - security/vuxml: document gitlab-ce vulnerabilities
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: mfechner
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: a2eb3ac977b27335172e5c815009007863d0cff5
Auto-Submitted: auto-generated
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1664554285;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=6uPoV82mg3AwSEI1V/lwNO+NqTpgFY7PI36+pqpRuFM=;
	b=CRzJHyp7xl6tW3VmWLg4gcogJhxtjVUt1+h+Av6zW+FhVrOhTjGcnT9ArBcBVqIlUePXX3
	g/DYpZ9PnhUEL7QEOkxalWbeFoqOsOUQQlHYz90S8Mn/Uhi1OTImYl81KHagBU6heKPIAN
	psmwZtF4jWtcM2jzn/yyQzUDhwy61zJMut6Vfy09vLqViXhUUhVrbGAibG7EpkV7V1yyfN
	e8jtP2u//GrgddHcTLO1xnIWElxetfxeoXnjC0oHrG05PxfjHMQydsKS/+fy5XDQYkmJUh
	zvcz/jhTOKchewgBKBZcy1JqyBSaqQqzgE0+T82fp416HhVBw34uIuh6sVaRUQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1664554285; a=rsa-sha256; cv=none;
	b=VjA7QFoUlivO4Qp+yLH60O2GnTX4SrGjeGU7QS4bpfnYmZM4sMgcNOWD7L6sgmR2xZOg++
	6UeHoxGCEA1n25CeM5/PrBTzrjQm2BUw2qF8BKOXfVe/RNQOofdWT/NL8pI+x1LGW/KlXk
	lpARpA1XcY6CYpFhAuf7j7w5mDre6bhp3Ki1l9CnV+XrMyBMRuGOe1SSoFH+pW0jqekXQA
	eq8soLYuL7lpLEboZfz13Haj/vnbk9UhwCoTrR//C20SqnMyKnVhvByT1tZLAQovxDf4Qw
	TNUqvVqzwPbI98mn0X1ffq5COCzBEzPs2/naB86H2ZDuzxEZpH49wGrPJIyRfg==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

The branch main has been updated by mfechner:

URL: https://cgit.FreeBSD.org/ports/commit/?id=a2eb3ac977b27335172e5c815009007863d0cff5

commit a2eb3ac977b27335172e5c815009007863d0cff5
Author:     Matthias Fechner <mfechner@FreeBSD.org>
AuthorDate: 2022-09-30 16:10:12 +0000
Commit:     Matthias Fechner <mfechner@FreeBSD.org>
CommitDate: 2022-09-30 16:11:14 +0000

    security/vuxml: document gitlab-ce vulnerabilities
---
 security/vuxml/vuln-2022.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index a01fb2fa89c9..ffbe525d0d7a 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,61 @@
+  <vuln vid="04422df1-40d8-11ed-9be7-454b1dd82c64">
+    <topic>Gitlab -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>gitlab-ce</name>
+	<range><ge>15.4.0</ge><lt>15.4.1</lt></range>
+	<range><ge>15.3.0</ge><lt>15.3.4</lt></range>
+	<range><ge>9.3.0</ge><lt>15.2.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Gitlab reports:</p>
+	<blockquote cite="https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/">
+	  <p>Denial of Service via cloning an issue</p>
+	  <p>Arbitrary PUT request as victim user through Sentry error list</p>
+	  <p>Content injection via External Status Checks</p>
+	  <p>Project maintainers can access Datadog API Key from logs</p>
+	  <p>Unsafe serialization of Json data could lead to sensitive data leakage</p>
+	  <p>Import bug allows importing of private local git repos</p>
+	  <p>Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)</p>
+	  <p>Unauthorized users able to create issues in any project</p>
+	  <p>Bypass group IP restriction on Dependency Proxy</p>
+	  <p>Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system</p>
+	  <p>Disclosure of Todo details to guest users</p>
+	  <p>A user's primary email may be disclosed through group member events webhooks</p>
+	  <p>Content manipulation due to branch/tag name confusion with the default branch name</p>
+	  <p>Leakage of email addresses in WebHook logs</p>
+	  <p>Specially crafted output makes job logs inaccessible</p>
+	  <p>Enforce editing approval rules on project level</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-3283</cvename>
+      <cvename>CVE-2022-3060</cvename>
+      <cvename>CVE-2022-2904</cvename>
+      <cvename>CVE-2022-3018</cvename>
+      <cvename>CVE-2022-3291</cvename>
+      <cvename>CVE-2022-3067</cvename>
+      <cvename>CVE-2022-2882</cvename>
+      <cvename>CVE-2022-3066</cvename>
+      <cvename>CVE-2022-3286</cvename>
+      <cvename>CVE-2022-3285</cvename>
+      <cvename>CVE-2022-3330</cvename>
+      <cvename>CVE-2022-3351</cvename>
+      <cvename>CVE-2022-3288</cvename>
+      <cvename>CVE-2022-3293</cvename>
+      <cvename>CVE-2022-3279</cvename>
+      <cvename>CVE-2022-3325</cvename>
+      <url>https://about.gitlab.com/releases/2022/09/29/security-release-gitlab-15-4-1-released/</url>
+    </references>
+    <dates>
+      <discovery>2022-09-29</discovery>
+      <entry>2022-09-30</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5a1c2e06-3fb7-11ed-a402-b42e991fc52e">
     <topic>unbound -- Non-Responsive Delegation Attack</topic>
     <affects>