gitlab - Debian Package Tracker

general

source: gitlab (main)
version: 17.6.5-17
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Pirate Praveen [DMD] – Utkarsh Gupta [DMD] – Cédric Boutillier [DMD] – Balasankar C [DMD] – Sruthi Chandran [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 17.6.5-17

versioned links

17.6.5-17: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitlab (37 bugs: 2, 31, 4, 0)
gitlab-workhorse

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:00:42
Last run: 2025-06-29T10:25:26.000Z
Previous status: unknown

testing: fail (log)
The tests ran in 0:12:14
Last run: 2019-01-19T01:29:51.000Z
Previous status: unknown

stable: fail (log)
The tests ran in 0:00:22
Last run: 2019-07-25T19:45:07.000Z
Previous status: unknown

Created: 2018-12-15 Last update: 2025-07-10 07:03

A new upstream version is available: 18.1.1 high

A new upstream version 18.1.1 is available, you should consider packaging it.

Created: 2025-01-30 Last update: 2025-07-10 02:00

40 security issues in sid high

There are 40 open security issues in sid.

40 important issues:

CVE-2024-4025: A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page.
CVE-2024-4994: An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations.
CVE-2024-7803: An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A Discord webhook integration may cause DoS.
CVE-2024-8186: An issue has been discovered in GitLab CE/EE affecting all versions from 16.6 before 17.7.6, 17.8 before 17.8.4, and 17.9 before 17.9.1. An attacker could inject HMTL into the child item search potentially leading to XSS in certain situations.
CVE-2024-8973: An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. It was possible to cause a DoS condition via GitHub import requests using a malicious crafted payload.
CVE-2024-9163: A business logic error in GitLab CE/EE affecting all versions starting from 12.1 prior to 17.10.7, 17.11 prior to 17.11.3 and 18.0 prior to 18.0.1 where an attacker can cause a branch name confusion in confidential MRs.
CVE-2025-0362: An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.
CVE-2025-0475: An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1. A proxy feature could potentially allow unintended content rendering leading to XSS under specific circumstances.
CVE-2025-0516: Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.
CVE-2025-0549: An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.3 prior to 17.9.8, from 17.10 prior to 17.10.6, and from 17.11 prior to 17.11.2. A security vulnerability allows attackers to bypass Device OAuth flow protections, enabling authorization form submission through minimal user interaction.
CVE-2025-0605: An issue has been discovered in GitLab CE/EE affecting all versions from 16.8 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Group access controls could allow certain users to bypass two-factor authentication requirements.
CVE-2025-0639: An issue has been discovered affecting service availability via issue preview in GitLab CE/EE affecting all versions from 16.7 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
CVE-2025-0652: An issue has been discovered in GitLab EE/CE affecting all versions starting from 16.9 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2 could allow unauthorized users to access confidential information intended for internal use only.
CVE-2025-0679: An issue has been discovered in GitLab CE/EE affecting all versions from 17.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Under certain conditions un-authorised users can view full email addresses that should be partially obscured.
CVE-2025-0811: An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.
CVE-2025-0993: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. This could allow an authenticated attacker to cause a denial of service condition by exhausting server resources.
CVE-2025-1110: An issue has been discovered in GitLab CE/EE affecting all versions from 18.0 before 18.0.1. In certain circumstances, a user with limited permissions could access Job Data via a crafted GraphQL query.
CVE-2025-1278: An issue has been discovered in GitLab CE/EE affecting all versions from 12.0 before 17.9.8, 17.10 before 17.10.6, and 17.11 before 17.11.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-1478: An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in Board Names could be used to trigger a denial of service.
CVE-2025-1516: An issue has been discovered in GitLab CE/EE affecting all versions from 8.7 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Improper input validation in Tokens Names could be used to trigger a denial of service.
CVE-2025-1677: A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all up to 17.8.7, 17.9 prior to 17.9.6 and 17.10 prior to 17.10.4 A denial of service could occur upon injecting oversized payloads into CI pipeline exports.
CVE-2025-1754: An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage.
CVE-2025-1908: An issue has been discovered in GitLab EE/CE that could allow an attacker to track users' browsing activities, potentially leading to full account take-over, affecting all versions from 16.6 before 17.9.7, 17.10 before 17.10.5, and 17.11 before 17.11.1.
CVE-2025-2242: An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.
CVE-2025-2255: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.
CVE-2025-2408: An issue has been discovered in GitLab CE/EE affecting all versions from 13.12 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-2853: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of proper validation in GitLab could allow an authenticated user to cause a denial of service condition.
CVE-2025-2938: An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants.
CVE-2025-3111: An issue has been discovered in GitLab CE/EE affecting all versions from 10.2 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. A lack of input validation in the Kubernetes integration could allow an authenticated user to cause denial of service..
CVE-2025-3279: An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests.
CVE-2025-4979: An issue has been discovered in GitLab CE/EE affecting all versions before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. An attacker may be able to reveal masked or hidden CI variables (that they did not author) in the WebUI, by simply creating their own variable and observing the HTTP response.
CVE-2025-5121: An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.4 and 18.0 before 18.0.2. A missing authorization check may have allowed compliance frameworks to be applied to projects outside the compliance framework's group.
CVE-2025-5315: An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions.
CVE-2025-5982: An issue has been discovered in GitLab EE affecting all versions from 12.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. Under certain conditions users could bypass IP access restrictions and view sensitive information.
CVE-2025-5996: An issue has been discovered in GitLab CE/EE affecting all versions from 2.1.0 before 17.10.8, 17.11 before 17.11.4, and 18.0 before 18.0.2. A lack of input validation in HTTP responses could allow an authenticated user to cause denial of service.
CVE-2024-10307: An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request.
CVE-2024-12093: An issue has been discovered in GitLab CE/EE affecting all versions from 11.1 before 17.10.7, 17.11 before 17.11.3, and 18.0 before 18.0.1. Improper XPath validation allows modified SAML response to bypass 2FA requirement under specialized conditions.
CVE-2024-12380: An issue was discovered in GitLab EE/CE affecting all versions starting from 11.5 before 17.7.7, all versions starting from 17.8 before 17.8.5, all versions starting from 17.9 before 17.9.2. Certain user inputs in repository mirroring settings could potentially expose sensitive authentication information.
CVE-2024-12619: An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1, allowing internal users to gain unauthorized access to internal projects.
CVE-2024-13054: An issue was discovered in GitLab CE/EE affecting all versions before 17.7.7, 17.8 prior to 17.8.5, and 17.9 prior to 17.9.2. where a denial of service vulnerability could allow an attacker to cause a system reboot under certain conditions.

Created: 2024-02-21 Last update: 2025-06-27 03:58

Build log checks report 1 error high

Build log checks report 1 error

Created: 2024-02-20 Last update: 2024-02-20 00:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2025-07-04 Last update: 2025-07-10 07:02

5 bugs tagged patch in the BTS normal

The BTS contains patches fixing 5 bugs, consider including or untagging them.

Created: 2025-01-06 Last update: 2025-07-10 07:00

lintian reports 54 warnings normal

Lintian reports 54 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-06-14 Last update: 2025-06-14 11:00

debian/patches: 16 patches to forward upstream low

Among the 21 debian patches available in version 17.6.5-17 of the package, we noticed the following issues:

16 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-06-12 Last update: 2025-06-14 10:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.1).

Created: 2023-06-12 Last update: 2025-06-14 06:31

testing migrations

excuses:
- Migrates after: ruby-prometheus-client-mmap
- Migration status for gitlab (- to 17.6.5-17): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating gitlab would introduce bugs in testing: #1103306, #1107585
- ∙ ∙ autopkgtest for gitlab/17.6.5-17: amd64: Regression or new test ♻, arm64: Regression or new test ♻, armel: Regression or new test ♻, armhf: Regression or new test ♻, i386: Regression or new test ♻, ppc64el: Regression or new test ♻, riscv64: Regression or new test ♻, s390x: Regression or new test ♻
- ∙ ∙ blocked by freeze: is not in testing
- ∙ ∙ Depends: gitlab ruby-prometheus-client-mmap (not considered)
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/gitlab.html
- ∙ ∙ Reproducible on amd64 - info ♻
- ∙ ∙ Reproducible on arm64 - info ♻
- ∙ ∙ Waiting for reproducibility test results on armhf - info ♻
- ∙ ∙ 26 days old (needed 20 days)
- Not considered

news

[rss feed]

[2025-06-13] Accepted gitlab 17.6.5-17 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-06-13] Accepted gitlab 17.6.5-16 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-05-02] Accepted gitlab 17.6.5-15 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-30] Accepted gitlab 17.6.5-14 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-22] Accepted gitlab 17.6.5-13 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-21] Accepted gitlab 17.6.5-12 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted gitlab 17.6.5-11 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-19] Accepted gitlab 17.6.5-10 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-17] Accepted gitlab 17.6.5-9 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-17] Accepted gitlab 17.6.5-8 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-16] Accepted gitlab 17.6.5-7 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-16] Accepted gitlab 17.6.5-6 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-15] Accepted gitlab 17.6.5-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-11] Accepted gitlab 17.6.5-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-11] Accepted gitlab 17.6.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-09] Accepted gitlab 17.6.5-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-06] Accepted gitlab 17.6.5-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-6 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-04] Accepted gitlab 17.5.5-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-03] Accepted gitlab 17.5.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-02] Accepted gitlab 17.5.5-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-04-02] Accepted gitlab 17.5.5-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-03-13] Accepted gitlab 17.3.5-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2025-01-29] Accepted gitlab 17.3.5-2 (source) into unstable (Ananthu C V)
[2024-12-01] Accepted gitlab 17.3.5-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-30] Accepted gitlab 17.0.8-4 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-28] Accepted gitlab 17.0.8-3 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-12] Accepted gitlab 17.0.8-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2024-10-11] Accepted gitlab 17.0.8-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 38 39
RC: 2
I&N: 32 33
M&W: 4
F&P: 0
patch: 5

links

homepage
lintian (0, 54)
buildd: logs, checks, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci