Date: Wed, 2 Aug 2023 05:50:59 GMT From: Matthias Fechner <mfechner@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: e79188cc5ea5 - main - security/vuxml: document gitlab vulnerabilities Message-ID: <202308020550.3725ox7J083415@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by mfechner: URL: https://cgit.FreeBSD.org/ports/commit/?id=e79188cc5ea5700509b8da86e3c89cc4966c0ec3 commit e79188cc5ea5700509b8da86e3c89cc4966c0ec3 Author: Matthias Fechner <mfechner@FreeBSD.org> AuthorDate: 2023-08-02 05:50:23 +0000 Commit: Matthias Fechner <mfechner@FreeBSD.org> CommitDate: 2023-08-02 05:50:23 +0000 security/vuxml: document gitlab vulnerabilities --- security/vuxml/vuln/2023.xml | 55 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 91f5df1ac77e..53897f30e535 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,58 @@ + <vuln vid="fa239535-30f6-11ee-aef9-001b217b3468"> + <topic>Gitlab -- Vulnerabilities</topic> + <affects> + <package> + <name>gitlab-ce</name> + <range><ge>16.2.0</ge><lt>16.2.2</lt></range> + <range><ge>16.1.0</ge><lt>16.1.3</lt></range> + <range><ge>9.3.0</ge><lt>16.0.8</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Gitlab reports:</p> + <blockquote cite="https://about.gitlab.com/releases/2023/08/01/security-release-gitlab-16-2-2-released/"> + <p>ReDoS via ProjectReferenceFilter in any Markdown fields</p> + <p>ReDoS via AutolinkFilter in any Markdown fields</p> + <p>Regex DoS in Harbor Registry search</p> + <p>Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality</p> + <p>Stored XSS in Web IDE Beta via crafted URL</p> + <p>securityPolicyProjectAssign mutation does not authorize security policy project ID</p> + <p>An attacker can run pipeline jobs as arbitrary user</p> + <p>Possible Pages Unique Domain Overwrite</p> + <p>Access tokens may have been logged when a query was made to an endpoint</p> + <p>Reflected XSS via PlantUML diagram</p> + <p>The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code</p> + <p>Invalid 'start_sha' value on merge requests page may lead to Denial of Service</p> + <p>Developers can create pipeline schedules on protected branches even if they don't have access to merge</p> + <p>Potential DOS due to lack of pagination while loading license data</p> + <p>Leaking emails of newly created users</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2023-3994</cvename> + <cvename>CVE-2023-3364</cvename> + <cvename>CVE-2023-0632</cvename> + <cvename>CVE-2023-3385</cvename> + <cvename>CVE-2023-2164</cvename> + <cvename>CVE-2023-4002</cvename> + <cvename>CVE-2023-4008</cvename> + <cvename>CVE-2023-3993</cvename> + <cvename>CVE-2023-3500</cvename> + <cvename>CVE-2023-3401</cvename> + <cvename>CVE-2023-3900</cvename> + <cvename>CVE-2023-2022</cvename> + <cvename>CVE-2023-4011</cvename> + <cvename>CVE-2023-1210</cvename> + <url>https://about.gitlab.com/releases/2023/08/01/security-release-gitlab-16-2-2-released/</url> + </references> + <dates> + <discovery>2023-08-01</discovery> + <entry>2023-08-02</entry> + </dates> + </vuln> + <vuln vid="bad6588e-2fe0-11ee-a0d1-84a93843eb75"> <topic>OpenSSL -- Excessive time spent checking DH q parameter value</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202308020550.3725ox7J083415>