gitlab - Debian Package Tracker

general

source: gitlab (contrib)
version: 13.4.7-2
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Sruthi Chandran [DMD] – Cédric Boutillier [DMD] – Balasankar C [DMD] – Utkarsh Gupta [DMD] – Pirate Praveen [DMD]
arch: all
std-ver: 4.5.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 11.4.9+dfsg-2~bpo9+1
unstable: 13.4.7-2
exp: 13.7.8+ds1-1
NEW/experimental: 14.0.10-1

versioned links

11.4.9+dfsg-2~bpo9+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
13.4.7-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
13.7.8+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitlab (50 bugs: 6, 37, 7, 0)

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:02:43
Last run: 2021-09-19T04:49:56.000Z
Previous status: fail

testing: fail (log)
The tests ran in 0:12:14
Last run: 2019-01-19T01:29:51.000Z
Previous status: fail

stable: fail (log)
The tests ran in 0:00:22
Last run: 2019-07-25T19:45:07.000Z
Previous status: unknown

Created: 2018-12-15 Last update: 2021-09-28 20:38

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://gemwatch.debian.net/elasticsearch-model .*/elasticsearch-model-(6.1.*).tar.gz ignore

Created: 2020-06-29 Last update: 2021-09-28 15:02

A new upstream version is available: 14.3.0 high

A new upstream version 14.3.0 is available, you should consider packaging it.

Created: 2020-08-25 Last update: 2021-09-28 15:02

67 security issues in sid high

There are 67 open security issues in sid.

67 important issues:

CVE-2020-26414: An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string.
CVE-2021-22167: An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers in specific project page allows attacker to have a temporary read access to the private repository
CVE-2021-22168: A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8.
CVE-2021-22171: Insufficient validation of authentication parameters in GitLab Pages for GitLab 11.5+ allows an attacker to steal a victim's API token if they click on a maliciously crafted link
CVE-2021-22172: Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page
CVE-2021-22175: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled
CVE-2021-22176: An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests
CVE-2021-22177: Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command.
CVE-2021-22178: An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to SRRF attack through the Prometheus integration.
CVE-2021-22179: A vulnerability was discovered in GitLab versions before 12.2. GitLab was vulnerable to a SSRF attack through the Outbound Requests feature.
CVE-2021-22180: An issue has been discovered in GitLab affecting all versions starting from 13.4. Improper access control allows unauthorized users to access details on analytic pages.
CVE-2021-22181: A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources.
CVE-2021-22183: An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions.
CVE-2021-22184: An information disclosure issue in GitLab starting from version 12.8 allowed a user with access to the server logs to see sensitive information that wasn't properly redacted.
CVE-2021-22186: An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners
CVE-2021-22188: An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs.
CVE-2021-22189: Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues.
CVE-2021-22190: A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token
CVE-2021-22192: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorized authenticated users to execute arbitrary code on the server.
CVE-2021-22193: An issue has been discovered in GitLab affecting all versions starting with 7.1. A member of a private group was able to validate the use of a specific name for private project.
CVE-2021-22194: In all versions of GitLab, marshalled session keys were being stored in Redis.
CVE-2021-22196: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name.
CVE-2021-22197: An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other
CVE-2021-22198: An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects.
CVE-2021-22199: An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used.
CVE-2021-22200: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user.
CVE-2021-22201: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server.
CVE-2021-22202: An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API.
CVE-2021-22203: An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server.
CVE-2021-22205: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that were passed to a file parser which resulted in a remote command execution.
CVE-2021-22206: An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials are exposed that allows other maintainers to be able to view the credentials in plain-text,
CVE-2021-22208: An issue has been discovered in GitLab affecting versions starting with 13.5 up to 13.9.7. Improper permission check could allow the change of timestamp for issue creation or update.
CVE-2021-22209: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.
CVE-2021-22210: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results.
CVE-2021-22211: An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling.
CVE-2021-22213: A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari
CVE-2021-22214: When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited
CVE-2021-22216: A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description
CVE-2021-22217: A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request
CVE-2021-22218: All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits.
CVE-2021-22219: GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking.
CVE-2021-22220: An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks.
CVE-2021-22221: An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired
CVE-2021-22223: Client-Side code injection through Feature Flag name in GitLab CE/EE starting with 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link
CVE-2021-22224: A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim
CVE-2021-22225: Insufficient input sanitization in markdown in GitLab version 13.11 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
CVE-2021-22226: Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9
CVE-2021-22227: A reflected cross-site script vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it
CVE-2021-22228: An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql.
CVE-2021-22229: An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member.
CVE-2021-22230: Improper code rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2.
CVE-2021-22231: A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username.
CVE-2021-22232: HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE
CVE-2021-22234: An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design image allowed attackers to read arbitrary files on the server.
CVE-2021-22236: Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1.
CVE-2021-22237: Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2
CVE-2021-22238: An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues.
CVE-2021-22239: An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later.
CVE-2021-22241: An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name.
CVE-2021-22242: Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown
CVE-2021-22243: Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group.
CVE-2021-22245: Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view
CVE-2021-22246: A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks.
CVE-2021-22247: Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics
CVE-2021-22250: Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrators created for their account
CVE-2021-22254: Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9.
CVE-2021-22256: Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status

Created: 2021-02-19 Last update: 2021-09-11 06:00

lintian reports 60 errors and 54 warnings high

Lintian reports 60 errors and 54 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2021-01-27 Last update: 2021-09-06 18:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2020-12-22 Last update: 2021-09-28 20:34

1 bug tagged help in the BTS normal

The BTS contains 1 bug tagged help, please consider helping the maintainer in dealing with it.

Created: 2019-11-16 Last update: 2021-09-28 20:31

4 bugs tagged patch in the BTS normal

The BTS contains patches fixing 4 bugs, consider including or untagging them.

Created: 2021-08-14 Last update: 2021-09-28 20:31

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 14.0.10-2, distribution experimental) and new commits in its VCS. You should consider whether it's time to make an upload.

https://salsa.debian.org/api/v4/projects/ruby-team%2Fgitlab/pipelines?scope=finished&per_page=1 API request failed: 403 Forbidden at /srv/qa.debian.org/data/vcswatch/vcswatch line 415.

Created: 2021-03-08 Last update: 2021-09-27 10:01

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.0 instead of 4.5.1).

Created: 2021-08-18 Last update: 2021-08-18 14:03

testing migrations

excuses:
- Migrates after: gitaly, gitlab-workhorse, ruby-jquery-atwho-rails
- Migration status for gitlab (- to 13.4.7-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- Updating gitlab introduces new bugs: #915050, #983480, #983915, #983924, #984828, #991744, #995073
- autopkgtest for gitlab/13.4.7-2: amd64: Regression ♻ , arm64: Regression ♻ , armhf: Regression ♻ , i386: Regression ♻ , ppc64el: Regression ♻
- Depends: gitlab gitaly
- Depends: gitlab gitlab-workhorse
- Depends: gitlab ruby-jquery-atwho-rails
- Additional info:
- Cannot be tested by piuparts (not a blocker) - (no link yet)
- 286 days old (needed 5 days)
- Not considered

news

[rss feed]

[2021-03-05] Accepted gitlab 13.7.8+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-02] Accepted gitlab 13.7.7-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-01] Accepted gitlab 13.7.7-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-25] Accepted gitlab 13.6.7-4 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-24] Accepted gitlab 13.6.7-3 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-19] Accepted gitlab 13.6.7-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-11] Accepted gitlab 13.6.7-1 (source all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-02-04] Accepted gitlab 13.6.6-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-01-08] Accepted gitlab 13.5.6-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-17] Accepted gitlab 13.4.7-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-08] Accepted gitlab 13.4.7-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-06] Accepted gitlab 13.4.6-3 (source) into unstable (Sruthi Chandran)
[2020-12-03] Accepted gitlab 13.4.6-2 (source) into unstable (Sruthi Chandran)
[2020-11-27] Accepted gitlab 13.4.6-1 (source) into experimental (Sruthi Chandran)
[2020-11-07] Accepted gitlab 13.3.9-1 (source all) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
[2020-11-02] Accepted gitlab 13.3.8-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-10-11] Accepted gitlab 13.2.10-1 (source all) into unstable (Abraham Raji) (signed by: Praveen Arimbrathodiyil)
[2020-09-06] Accepted gitlab 13.2.8-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-09-03] Accepted gitlab 13.2.8-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-20] Accepted gitlab 13.2.6-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-20] Accepted gitlab 13.2.6-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-19] Accepted gitlab 13.2.6-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-18] Accepted gitlab 13.2.5-1 (source all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-11] Accepted gitlab 13.2.3-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-09] Accepted gitlab 13.2.3-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-08-08] Accepted gitlab 13.1.6-1 (source all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-07-16] Accepted gitlab 13.1.4-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.4-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.3-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-07-12] Accepted gitlab 13.1.2-1 (source all) into experimental, experimental (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)

bugs [bug history graph]

all: 52
RC: 7
I&N: 37
M&W: 7
F&P: 1
patch: 4
help: 1

links

homepage
lintian (60, 54)
buildd: logs, exp, clang
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debci