New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gitlab: 12.8.1 -> 12.8.2 #81803
gitlab: 12.8.1 -> 12.8.2 #81803
Conversation
Includes multiple security fixes mentioned in https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ (unfortunately, no CVE numbers as of yet) - Directory Traversal to Arbitrary File Read - Account Takeover Through Expired Link - Server Side Request Forgery Through Deprecated Service - Group Two-Factor Authentication Requirement Bypass - Stored XSS in Merge Request Pages - Stored XSS in Merge Request Submission Form - Stored XSS in File View - Stored XSS in Grafana Integration - Contribution Analytics Exposed to Non-members - Incorrect Access Control in Docker Registry via Deploy Tokens - Denial of Service via Permission Checks - Denial of Service in Design For Public Issue - GitHub Tokens Displayed in Plaintext on Integrations Page - Incorrect Access Control via LFS Import - Unescaped HTML in Header - Private Merge Request Titles Leaked via Widget - Project Namespace Exposed via Vulnerability Feedback Endpoint - Denial of Service Through Recursive Requests - Project Authorization Not Being Updated - Incorrect Permission Level For Group Invites - Disclosure of Private Group Epic Information - User IP Address Exposed via Badge images - Update postgresql (GitLab Omnibus)
@GrahamcOfBorg build gitlab |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested manually without issues 👍
I didn't backport 12.8.1 to 19.09, should 19.09 still get new major releases as well? |
yes, we should still backport security releases to 19.09, I think we support older versions ~1 month after the release date of the current release. |
Includes multiple security fixes mentioned in https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ (unfortunately, no CVE numbers as of yet) - Directory Traversal to Arbitrary File Read - Account Takeover Through Expired Link - Server Side Request Forgery Through Deprecated Service - Group Two-Factor Authentication Requirement Bypass - Stored XSS in Merge Request Pages - Stored XSS in Merge Request Submission Form - Stored XSS in File View - Stored XSS in Grafana Integration - Contribution Analytics Exposed to Non-members - Incorrect Access Control in Docker Registry via Deploy Tokens - Denial of Service via Permission Checks - Denial of Service in Design For Public Issue - GitHub Tokens Displayed in Plaintext on Integrations Page - Incorrect Access Control via LFS Import - Unescaped HTML in Header - Private Merge Request Titles Leaked via Widget - Project Namespace Exposed via Vulnerability Feedback Endpoint - Denial of Service Through Recursive Requests - Project Authorization Not Being Updated - Incorrect Permission Level For Group Invites - Disclosure of Private Group Epic Information - User IP Address Exposed via Badge images - Update postgresql (GitLab Omnibus) (cherry-picked from commit c25756f)
Includes multiple security fixes mentioned in https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/ (unfortunately, no CVE numbers as of yet) - Directory Traversal to Arbitrary File Read - Account Takeover Through Expired Link - Server Side Request Forgery Through Deprecated Service - Group Two-Factor Authentication Requirement Bypass - Stored XSS in Merge Request Pages - Stored XSS in Merge Request Submission Form - Stored XSS in File View - Stored XSS in Grafana Integration - Contribution Analytics Exposed to Non-members - Incorrect Access Control in Docker Registry via Deploy Tokens - Denial of Service via Permission Checks - Denial of Service in Design For Public Issue - GitHub Tokens Displayed in Plaintext on Integrations Page - Incorrect Access Control via LFS Import - Unescaped HTML in Header - Private Merge Request Titles Leaked via Widget - Project Namespace Exposed via Vulnerability Feedback Endpoint - Denial of Service Through Recursive Requests - Project Authorization Not Being Updated - Incorrect Permission Level For Group Invites - Disclosure of Private Group Epic Information - User IP Address Exposed via Badge images - Update postgresql (GitLab Omnibus) (cherry-picked from commit c25756f)
Thanks!
|
This needs to be backported to 20.03 and 19.09
Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
Motivation for this change
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)