gitlab - Debian Package Tracker

general

source: gitlab (main)
version: 16.0.8+ds1-2
maintainer: Debian Ruby Team (archive) (DMD)
uploaders: Cédric Boutillier [DMD] – Pirate Praveen [DMD] – Balasankar C [DMD] – Sruthi Chandran [DMD] – Utkarsh Gupta [DMD]
arch: all any
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

unstable: 16.0.8+ds1-2

versioned links

16.0.7+ds1-5: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
16.0.8+ds1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
16.0.8+ds1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

gitlab (4 bugs: 0, 4, 0, 0)
gitlab-workhorse

action needed

Debci reports failed tests high

unstable: fail (log)
The tests ran in 0:00:27
Last run: 2023-09-24T00:45:39.000Z
Previous status: fail

testing: fail (log)
The tests ran in 0:12:14
Last run: 2019-01-19T01:29:51.000Z
Previous status: fail

stable: fail (log)
The tests ran in 0:00:22
Last run: 2019-07-25T19:45:07.000Z
Previous status: unknown

Created: 2018-12-15 Last update: 2023-10-05 03:35

24 security issues in sid high

There are 24 open security issues in sid.

24 important issues:

CVE-2023-0120: An issue has been discovered in GitLab affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user.
CVE-2023-0632: An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry.
CVE-2023-1210: An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain.
CVE-2023-1279: An issue has been discovered in GitLab affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project.
CVE-2023-1555: An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API.
CVE-2023-2232: An issue has been discovered in GitLab affecting all versions starting from 15.10 before 16.1, leading to a ReDoS vulnerability in the Jira prefix
CVE-2023-3205: An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
CVE-2023-3210: An issue has been discovered in GitLab affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content.
CVE-2023-3413: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to read the source code of a project through a fork created before changing visibility to only project members.
CVE-2023-3900: An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load.
CVE-2023-3917: Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail.
CVE-2023-3920: An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation.
CVE-2023-3922: An issue has been discovered in GitLab affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page.
CVE-2023-3979: An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch.
CVE-2023-4018: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects.
CVE-2023-4378: An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365.
CVE-2023-4522: An issue has been discovered in GitLab affecting all versions starting from 16.2.0. Committing directories containing LF character results in 500 errors when viewing the commit
CVE-2023-4532: An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of.
CVE-2023-4630: An issue has been discovered in GitLab affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports.
CVE-2023-4638:
CVE-2023-4647: An issue has been discovered in GitLab affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances.
CVE-2023-4998:
CVE-2023-5198: An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys.
CVE-2023-5207: A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.

Created: 2023-07-05 Last update: 2023-10-05 02:05

A new upstream version is available: 16.4.1 high

A new upstream version 16.4.1 is available, you should consider packaging it.

Created: 2023-06-12 Last update: 2023-10-05 00:37

Failed to analyze the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

Repository size 1077346304 exceeds 1 GiB, blocking it

Created: 2023-07-07 Last update: 2023-10-04 22:00

lintian reports 25 errors and 57 warnings high

Lintian reports 25 errors and 57 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-06-12 Last update: 2023-09-24 02:32

Build log checks report 1 error high

Build log checks report 1 error

Created: 2023-09-16 Last update: 2023-09-16 16:41

2 bugs tagged patch in the BTS normal

The BTS contains patches fixing 2 bugs, consider including or untagging them.

Created: 2023-09-13 Last update: 2023-10-05 02:31

debian/patches: 15 patches to forward upstream low

Among the 21 debian patches available in version 16.0.8+ds1-1 of the package, we noticed the following issues:

15 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-06-12 Last update: 2023-09-24 08:10

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.1).

Created: 2023-06-12 Last update: 2023-10-05 02:12

testing migrations

excuses:
- Migrates after: gitaly, golang-github-form3tech-oss-jwt-go
- Migration status for gitlab (- to 16.0.8+ds1-2): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating gitlab would introduce bugs in testing: #1009942, #983915
- ∙ ∙ gitlab unsatisfiable Build-Depends(-Arch) on armel: golang-gitlab-gitlab-org-gitaly-dev (>= 16.0.8~)
- ∙ ∙ gitlab unsatisfiable Build-Depends(-Arch) on mips64el: golang-gitlab-gitlab-org-gitaly-dev (>= 16.0.8~)
- ∙ ∙ missing build on amd64
- ∙ ∙ missing build on arm64
- ∙ ∙ missing build on armel
- ∙ ∙ missing build on armhf
- ∙ ∙ missing build on i386
- ∙ ∙ missing build on mips64el
- ∙ ∙ missing build on ppc64el
- ∙ ∙ missing build on s390x
- ∙ ∙ missing build on all
- ∙ ∙ arch:all not built yet, autopkgtest delayed
- ∙ ∙ Too young, only 0 of 5 days old
- ∙ ∙ Build-Depends(-Arch): gitlab gitaly
- ∙ ∙ Build-Depends(-Arch): gitlab golang-github-form3tech-oss-jwt-go
- ∙ ∙ Built-Using: gitlab gitaly
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/g/gitlab.html
- Not considered

news

[rss feed]

[2023-10-04] Accepted gitlab 16.0.8+ds1-2 (source) into unstable (Mohammed Bilal)
[2023-09-23] Accepted gitlab 16.0.8+ds1-1 (source) into unstable (Mohammed Bilal)
[2023-07-11] Accepted gitlab 16.0.7+ds1-5 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-11] Accepted gitlab 16.0.7+ds1-4 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-10] Accepted gitlab 16.0.7+ds1-3 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-10] Accepted gitlab 16.0.7+ds1-2 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-09] Accepted gitlab 16.0.7+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-07] Accepted gitlab 15.11.11+ds1-1 (source) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-07-01] Accepted gitlab 15.11.6+ds1-1 (source amd64 all) into experimental (Pirate Praveen) (signed by: Mohammed Bilal)
[2023-06-11] Accepted gitlab 15.10.8+ds1-2 (source amd64 all) into unstable (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-06-09] Accepted gitlab 15.10.8+ds1-1 (source) into experimental (Mohammed Bilal)
[2023-05-29] Accepted gitlab 15.10.7+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-05-23] Accepted gitlab 15.9.8+ds1-2 (source amd64 all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-05-12] Accepted gitlab 15.9.8+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-04-04] Accepted gitlab 15.8.5+ds1-1 (source) into experimental (Vinay Keshava)
[2023-03-22] Accepted gitlab 15.8.4+ds1-3 (source amd64 all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-22] Accepted gitlab 15.8.4+ds1-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-18] Accepted gitlab 15.8.4+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-13] Accepted gitlab 15.7.8+ds1-11 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-12] Accepted gitlab 15.7.8+ds1-10 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-09] Accepted gitlab 15.7.8+ds1-8 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-08] Accepted gitlab 15.7.8+ds1-7 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-08] Accepted gitlab 15.7.8+ds1-6 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-07] Accepted gitlab 15.7.8+ds1-5 (source amd64 all) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-05] Accepted gitlab 15.7.8+ds1-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-03-05] Accepted gitlab 15.7.8+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-02-28] Accepted gitlab 15.6.8+ds1-2 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-02-27] Accepted gitlab 15.6.8+ds1-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2023-02-19] Removed 13.4.7-2 from unstable (Debian FTP Masters)
[2023-02-05] Accepted gitlab 15.6.6+ds1-2 (source) into experimental (Mohammed Bilal)

bugs [bug history graph]

all: 4
RC: 0
I&N: 4
M&W: 0
F&P: 0
patch: 2

links

homepage
lintian (25, 57)
buildd: logs, checks, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci