Date:      Thu, 13 Nov 2025 07:22:40 -0500
From:      "Dan Langille" <dan@langille.org>
To:        "Matthias Fechner" <mfechner@freebsd.org>, ports-committers@freebsd.org, dev-commits-ports-all@freebsd.org, dev-commits-ports-main@freebsd.org
Subject:   Re: git: 7503d426d494 - main - security/vuxml: document gitlab  vulnerabilities
Message-ID:  <738eb675-3640-4f0e-b5ef-67d476eca238@app.fastmail.com>
In-Reply-To: <202511130445.5AD4jbhV033180@gitrepo.freebsd.org>

FreshPorts coughed when processing this commit.

A test confirms:

[12:16 mydev dvl /usr/ports/security/vuxml] % sudo make validate
xmllint -noent /usr/ports/security/vuxml/vuln.xml > vuln-flat.xml
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln-flat.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln-flat.xml
file:///usr/local/share/xml/dtd/xhtml-modularization/xhtml-special.ent:37: parser warning : Invalid redeclaration of predefined entity 'lt'
<!ENTITY lt      "&#38;&#60;" ><!-- less-than sign, U+003C ISOnum -->
                             ^
file:///usr/local/share/xml/dtd/xhtml-modularization/xhtml-special.ent:39: parser warning : Invalid redeclaration of predefined entity 'amp'
<!ENTITY amp     "&#38;&#38;" ><!-- ampersand, U+0026 ISOnum -->
                             ^
/usr/ports/security/vuxml/vuln-flat.xml:92: element affects: validity error : Element affects content does not follow the DTD, expecting (package | system)+, got (name name range range range )
    </affects>
              ^
>>> FAILED.
*** Error code 1

Stop.
make: stopped in /usr/ports/security/vuxml


I think the fix is shown below. Blank lines added to ease reading.

On Wed, Nov 12, 2025, at 11:45 PM, Matthias Fechner wrote:
> The branch main has been updated by mfechner:
>
> URL: 
> https://cgit.FreeBSD.org/ports/commit/?id=7503d426d494c3f37968357d3f70ced05f5dfd64
>
> commit 7503d426d494c3f37968357d3f70ced05f5dfd64
> Author:     Matthias Fechner <mfechner@FreeBSD.org>
> AuthorDate: 2025-11-13 04:45:13 +0000
> Commit:     Matthias Fechner <mfechner@FreeBSD.org>
> CommitDate: 2025-11-13 04:45:13 +0000
>
>     security/vuxml: document gitlab vulnerabilities
> ---
>  security/vuxml/vuln/2025.xml | 43 +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 43 insertions(+)
>
> diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
> index c1adf0d8ff6d..035c72922be5 100644
> --- a/security/vuxml/vuln/2025.xml
> +++ b/security/vuxml/vuln/2025.xml
> @@ -1,3 +1,46 @@
> +  <vuln vid="5a1d6309-c04a-11f0-85d8-2cf05da270f3">
> +    <topic>Gitlab -- vulnerabilities</topic>
> +    <affects>

       <package>

> +	<name>gitlab-ce</name>
> +	<name>gitlab-ee</name>
> +	<range><ge>18.5.0</ge><lt>18.5.2</lt></range>
> +	<range><ge>18.4.0</ge><lt>18.4.4</lt></range>
> +	<range><ge>13.2.0</ge><lt>18.3.6</lt></range>
> +    </affects>

       </package>

> +    <description>
> +	<body xmlns="http://www.w3.org/1999/xhtml">;
> +	<p>Gitlab reports:</p>
> +	<blockquote 
> cite="https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/">;
> +	  <p>Cross-site scripting issue in k8s proxy impacts GitLab CE/EE</p>
> +	  <p>Incorrect Authorization issue in workflows impacts GitLab EE</p>
> +	  <p>Information Disclosure issue in GraphQL subscriptions impacts 
> GitLab CE/EE</p>
> +	  <p>Information Disclosure issue in access control impacts GitLab 
> CE/EE</p>
> +	  <p>Prompt Injection issue in GitLab Duo review impacts GitLab EE</p>
> +	  <p>Client Side Path Traversal issue in branch names impacts GitLab 
> EE</p>
> +	  <p>Information Disclosure issue in packages API endpoint impacts 
> GitLab CE/EE</p>
> +	  <p>Improper Access Control issue in GitLab Pages impacts GitLab 
> CE/EE</p>
> +	  <p>Denial of service issue in markdown impacts GitLab CE/EE</p>
> +	</blockquote>
> +	</body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2025-11224</cvename>
> +      <cvename>CVE-2025-11865</cvename>
> +      <cvename>CVE-2025-2615</cvename>
> +      <cvename>CVE-2025-7000</cvename>
> +      <cvename>CVE-2025-6945</cvename>
> +      <cvename>CVE-2025-11990</cvename>
> +      <cvename>CVE-2025-6171</cvename>
> +      <cvename>CVE-2025-7736</cvename>
> +      <cvename>CVE-2025-12983</cvename>
> +      
> <url>https://about.gitlab.com/releases/2025/11/12/patch-release-gitlab-18-5-2-released/</url>;
> +    </references>
> +    <dates>
> +      <discovery>2025-11-12</discovery>
> +      <entry>2025-11-13</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="6e1105d8-bfc2-11f0-bb2b-ecf4bbefc954">
>      <topic>privatebin XSS</topic>
>      <affects>
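
Review bot: in the new entry's <affects> block, the two <name> elements and the three <range> elements sit directly under <affects> with no <package> wrapper, which is exactly what the DTD error quoted above rejects (expecting (package | system)+). Open <package> right after <affects> and close it with </package> on the line before </affects>, so the wrapper is nested inside the element, then re-run make validate before pushing.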

-- 
  Dan Langille
  dan@langille.org

