gitlab - Debian Package Tracker

general

source: gitlab (contrib)
version: 13.4.7-2
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Sruthi Chandran [DMD] – Cédric Boutillier [DMD] – Balasankar C [DMD] – Utkarsh Gupta [DMD] – Pirate Praveen [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 11.4.9+dfsg-2~bpo9+1
unstable: 13.4.7-2
exp: 13.7.8+ds1-1

versioned links

11.4.9+dfsg-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
13.4.7-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
13.7.8+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitlab (46 bugs: 4, 35, 7, 0)

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://gemwatch.debian.net/elasticsearch-model .*/elasticsearch-model-(6.1.*).tar.gz ignore

Created: 2020-06-29 Last update: 2021-06-25 07:31

A new upstream version is available: 14.0.0 high

A new upstream version 14.0.0 is available, you should consider packaging it.

Created: 2020-08-25 Last update: 2021-06-25 07:31

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:08:00
Last run: 2021-06-14 01:57:40 UTC
Previous status: fail

testing: fail (log)
The tests ran in 0:12:14
Last run: 2019-01-19 01:29:51 UTC
Previous status: fail

stable: fail (log)
The tests ran in 0:00:22
Last run: 2019-07-25 19:45:07 UTC
Previous status: unknown

Created: 2018-12-15 Last update: 2021-06-25 07:06

43 security issues in sid high

There are 43 open security issues in sid.

43 important issues:

CVE-2020-26414: An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
CVE-2021-22167: An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
CVE-2021-22168: A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
CVE-2021-22171: Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
CVE-2021-22172: Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
CVE-2021-22175: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
CVE-2021-22176: An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
CVE-2021-22177: Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
CVE-2021-22178: An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.
CVE-2021-22179: A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
CVE-2021-22180: An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
CVE-2021-22181: A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
CVE-2021-22183: An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
CVE-2021-22184: An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
CVE-2021-22186: An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
CVE-2021-22188: An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
CVE-2021-22189: Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
CVE-2021-22190: A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
CVE-2021-22192: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
CVE-2021-22193: An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
CVE-2021-22194: In all versions of GitLab starting from 13.7, marshalled session keys were being stored in Redis.
CVE-2021-22196: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
CVE-2021-22197: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
CVE-2021-22198: An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
CVE-2021-22199: An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
CVE-2021-22200: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
CVE-2021-22201: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
CVE-2021-22202: An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
CVE-2021-22203: An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
CVE-2021-22205: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
CVE-2021-22206: An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,
CVE-2021-22208: An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
CVE-2021-22209: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
CVE-2021-22210: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
CVE-2021-22211: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
CVE-2021-22213: A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
CVE-2021-22214: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
CVE-2021-22216: A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description
CVE-2021-22217: A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request
CVE-2021-22218: All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
CVE-2021-22219: GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
CVE-2021-22220: An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.
CVE-2021-22221: An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired

Created: 2021-02-19 Last update: 2021-06-15 12:00

lintian reports 59 errors and 83 warnings high

Lintian reports 59 errors and 83 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-04-11 10:16

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 20-day delay is over. Check why.

Created: 2020-12-22 Last update: 2021-06-25 07:04

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-11-16 Last update: 2021-06-25 07:01

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2020-10-19 Last update: 2021-06-25 07:01

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 13.12.4+ds1-1, distribution experimental) and new commits in its VCS. You should consider whether it's time to make an upload.

https://salsa.debian.org/api/v4/projects/ruby-team%2Fgitlab/pipelines?scope=finished&per_page=1 API request failed: 403 Forbidden at /srv/qa.debian.org/data/vcswatch/vcswatch line 411.

Created: 2021-03-08 Last update: 2021-06-21 21:36

testing migrations

excuses:
- Migrates after: gitaly, ruby-carrierwave, ruby-jquery-atwho-rails
- Migration status for gitlab (- to 13.4.7-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating gitlab introduces new bugs: #915050, #983480, #983915, #983924, #984828
- autopkgtest for gitlab/13.4.7-2: amd64: Regression ♻ , arm64: Regression ♻ , armhf: Regression ♻ , i386: Regression ♻ , ppc64el: Regression ♻
- blocked by freeze: is not in testing
- Depends: gitlab gitaly
- Depends: gitlab ruby-carrierwave
- Depends: gitlab ruby-jquery-atwho-rails
- Additional info:
- Cannot be tested by piuparts (not a blocker) - (no link yet)
- 190 days old (needed 20 days)
- Not considered

news

[rss feed]

[2021-03-05] Accepted gitlab 13.7.8+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-02] Accepted gitlab 13.7.7-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-01] Accepted gitlab 13.7.7-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-25] Accepted gitlab 13.6.7-4 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-24] Accepted gitlab 13.6.7-3 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-19] Accepted gitlab 13.6.7-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-11] Accepted gitlab 13.6.7-1 (source all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-04] Accepted gitlab 13.6.6-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-01-08] Accepted gitlab 13.5.6-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-17] Accepted gitlab 13.4.7-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-08] Accepted gitlab 13.4.7-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-06] Accepted gitlab 13.4.6-3 (source) into unstable (Sruthi Chandran)
[2020-12-03] Accepted gitlab 13.4.6-2 (source) into unstable (Sruthi Chandran)
[2020-11-27] Accepted gitlab 13.4.6-1 (source) into experimental (Sruthi Chandran)
[2020-11-07] Accepted gitlab 13.3.9-1 (source all) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
[2020-11-02] Accepted gitlab 13.3.8-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-10-11] Accepted gitlab 13.2.10-1 (source all) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
[2020-09-06] Accepted gitlab 13.2.8-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-09-03] Accepted gitlab 13.2.8-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-20] Accepted gitlab 13.2.6-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-20] Accepted gitlab 13.2.6-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-19] Accepted gitlab 13.2.6-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-18] Accepted gitlab 13.2.5-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-11] Accepted gitlab 13.2.3-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-09] Accepted gitlab 13.2.3-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-08] Accepted gitlab 13.1.6-1 (source all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-07-16] Accepted gitlab 13.1.4-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.4-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.3-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.2-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 48
RC: 5
I&N: 35
M&W: 7
F&P: 1
patch: 4
help: 1

links

homepage
lintian (59, 83)
buildd: logs, exp, clang
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci