gitlab - Debian Package Tracker

general

source: gitlab (main)
version: 17.6.5-19
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Pirate Praveen [DMD] – Utkarsh Gupta [DMD] – Cédric Boutillier [DMD] – Balasankar C [DMD] – Sruthi Chandran [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 17.6.5-19

versioned links

17.6.5-19: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitlab (37 bugs: 2, 31, 4, 0)
gitlab-workhorse

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:00:58
Last run: 2025-07-25T18:27:38.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:12:14
Last run: 2019-01-19T01:29:51.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:00:22
Last run: 2019-07-25T19:45:07.000Z
Previous status: unknown

Created: 2018-12-15 Last update: 2025-07-27 00:01

A new upstream version is available: 18.2.1 high

A new upstream version 18.2.1 is available, you should consider packaging it.

Created: 2025-01-30 Last update: 2025-07-26 22:02

46 security issues in sid high

There are 46 open security issues in sid.

46 important issues:

CVE-2024-4025: A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
CVE-2024-4994: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
CVE-2024-7803: An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
CVE-2024-8186: An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.
CVE-2024-8973: An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a malicious crafted payload.
CVE-2024-9163: A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs.
CVE-2025-0362: An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
CVE-2025-0475: An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
CVE-2025-0516: Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
CVE-2025-0549: An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.
CVE-2025-0605: An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
CVE-2025-0639: An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
CVE-2025-0652: An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.
CVE-2025-0679: An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
CVE-2025-0811: An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
CVE-2025-0993: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
CVE-2025-1110: An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
CVE-2025-1278: An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-1299: An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request.
CVE-2025-1478: An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service.
CVE-2025-1516: An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service.
CVE-2025-1677: A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4 A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
CVE-2025-1754: An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
CVE-2025-1908: An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
CVE-2025-2242: An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
CVE-2025-2255: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.
CVE-2025-2408: An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-2853: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
CVE-2025-2938: An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
CVE-2025-3111: An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service..
CVE-2025-3279: An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
CVE-2025-4439: An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks.
CVE-2025-4700: An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS.
CVE-2025-4976: An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses.
CVE-2025-4979: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
CVE-2025-5121: An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
CVE-2025-5315: An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
CVE-2025-5982: An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-5996: An issue has been discovered in GitLab CE/EE affecting all versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. A lack of input validation in HTTP responses could allow an authenticated user to cause denial of service.
CVE-2025-6948: An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content.
CVE-2025-7001: An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resource_group information through the API which should have been unavailable.
CVE-2024-10307: An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
CVE-2024-12093: An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
CVE-2024-12380: An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
CVE-2024-12619: An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
CVE-2024-13054: An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.

Created: 2024-02-21 Last update: 2025-07-25 04:03

lintian reports 2 errors and 163 warnings high

Lintian reports 2 errors and 163 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-06-14 Last update: 2025-07-20 10:30

debian/patches: 1 patch with invalid metadata, 16 patches to forward upstream high

Among the 22 debian patches available in version 17.6.5-19 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
16 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-06-12 Last update: 2025-07-10 18:30

Build log checks report 1 error high

Build log checks report 1 error

Created: 2024-02-20 Last update: 2024-02-20 00:32

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2025-07-10 Last update: 2025-07-26 23:31

5 bugs tagged patch in the BTS normal

The BTS contains patches fixing 5 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-26 23:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2023-06-12 Last update: 2025-07-10 16:03

testing migrations

excuses:
- Migrates after: gitaly-installer, ruby-prometheus-client-mmap
- Migration status for gitlab (- to 17.6.5-19): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating gitlab would introduce bugs in testing: #1103306, #1109069
- ∙ ∙ autopkgtest for gitlab/17.6.5-19: amd64: Regression or new test ♻, arm64: Regression or new test ♻, armel: Regression or new test ♻, armhf: Regression or new test ♻, i386: Regression or new test ♻, ppc64el: Regression or new test ♻, riscv64: Regression or new test ♻, s390x: Regression or new test ♻
- ∙ ∙ blocked by freeze: is not in testing
- ∙ ∙ Too young, only 17 of 20 days old
- ∙ ∙ Depends: gitlab gitaly-installer (not considered)
- ∙ ∙ Depends: gitlab ruby-prometheus-client-mmap (not considered)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/gitlab.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- Not considered

news

[rss feed]

[2025-07-10] Accepted gitlab 17.6.5-19 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-06-13] Accepted gitlab 17.6.5-17 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-06-13] Accepted gitlab 17.6.5-16 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-05-02] Accepted gitlab 17.6.5-15 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-30] Accepted gitlab 17.6.5-14 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-22] Accepted gitlab 17.6.5-13 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-21] Accepted gitlab 17.6.5-12 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted gitlab 17.6.5-11 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted gitlab 17.6.5-10 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-17] Accepted gitlab 17.6.5-9 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-17] Accepted gitlab 17.6.5-8 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-16] Accepted gitlab 17.6.5-7 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-16] Accepted gitlab 17.6.5-6 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-15] Accepted gitlab 17.6.5-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-11] Accepted gitlab 17.6.5-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-11] Accepted gitlab 17.6.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-09] Accepted gitlab 17.6.5-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-06] Accepted gitlab 17.6.5-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-6 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-03] Accepted gitlab 17.5.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-02] Accepted gitlab 17.5.5-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-02] Accepted gitlab 17.5.5-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-03-13] Accepted gitlab 17.3.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-01-29] Accepted gitlab 17.3.5-2 (source) into unstable (Ananthu C V)
[2024-12-01] Accepted gitlab 17.3.5-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-30] Accepted gitlab 17.0.8-4 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-28] Accepted gitlab 17.0.8-3 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-12] Accepted gitlab 17.0.8-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 38 39
RC: 2
I&N: 32 33
M&W: 4
F&P: 0
patch: 5
help: 1

links

homepage
lintian (2, 163)
buildd: logs, checks, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci