Debian Security Advisory

DSA-4206-1 gitlab -- security update

Date Reported:
21 May 2018
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-0920, CVE-2018-8971.
More information:

Several vulnerabilities have been discovered in Gitlab, a software platform to collaborate on code:

  • CVE-2017-0920

    It was discovered that missing validation of merge requests allowed users to see names to private projects, resulting in information disclosure.

  • CVE-2018-8971

    It was discovered that the Auth0 integration was implemented incorrectly.

For the stable distribution (stretch), these problems have been fixed in version 8.13.11+dfsg1-8+deb9u2. The fix for CVE-2018-8971 also requires ruby-omniauth-auth0 to be upgraded to version 2.0.0-0+deb9u1.

We recommend that you upgrade your gitlab packages.

For the detailed security status of gitlab please refer to its security tracker page at: