Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2019.0037
A vulnerability has been identified in GitLab Community
Edition (CE) and Enterprise Edition (EE)
17 January 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)
Operating System: Windows
Linux variants
Virtualisation
Impact/Access: Access Confidential Data -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2019-6240
Member content until: Saturday, February 16 2019
OVERVIEW
A vulnerability has been identified in GitLab Community Edition (CE)
and Enterprise Edition (EE) prior to versions 11.6.4, 11.5.7, and
11.4.14.
IMPACT
Gitlabs have provided the following information regarding this
vulnerability:
"Arbitrary repo read in Gitlab project import
The project import feature contained a lack of archive validation
which could result in an arbitrary repo read. The issue is now
mitigated in the latest release and is assigned CVE-2019-6240.
Thanks to @nyangawa of Chaitin Tech for responsibly reporting this
vulnerability to us." [1]
MITIGATION
GitLab versions 11.6.4, 11.5.7, and 11.4.14 have been released
which address these vulnerabilities. [1]
REFERENCES
[1] GitLab Critical Security Release: 11.6.4, 11.5.7, 11.4.14
https://about.gitlab.com/2019/01/16/critical-security-release-gitlab-11-dot-6-dot-4-released/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXEAeqWaOgq3Tt24GAQhV0BAA19Gad/8LPibue9fT+MkU2lOHCVk3gFOG
PVxjQ6qEjzdj3Ed7fTyK2sTpNhaqltc8sxVRxqrcI1y7qAlJLEp635JuytXNC2UW
T1vYv3hw3J16ltczWuujwrjcY/ORMRicgPF3sZkzZUZqij4+0hVWnc6Pg7/NhPSK
EwI033GnhuNLKFkxtV5Fz4bKVEDyLGhy4ytJ+s/jY0wnZ0WcLgii0pppW5nSktSb
2MBncDgn+gqHkdZpY/TGiT6D97Po2AHKxumKzWIt8/ivR4zYMtKjSwtXdtpEJyQB
lM6jPPE++WasHwFwX6v6Gl1EC4gufeQVCtAJIbPuBRqw6X7m3J0k8oYvq2Ua/pvU
+oRckdk2GjmpHbdOqpm9c0q6j7xTizqlLKXo953+DfRyt85i2YHKMuLLzV+oLVqX
g3gz43ZhrLduASfB5J1Z85K0zjqZ6GBfSgRZUIu0D8Fl0wr57ixcqBWfEEu9M7Mn
8aqf2Xtih45iOkgjwg8cgo8IIArYVZ4JlGRITBn21woQQRh2WeF0kAzPMOKSuglh
i28I/3UiaIUDcFu2LaY2K73+9kMQ2wDu4UBdKLbtz22dhkkPecyuHV6pHq1vfLfK
wXs2di6P3ypmQR1nMi0rHp2DxCBpsOqF8RSheXNs9YJXfr1JzhV2f1WnezbDT4tq
krI0xFoBemc=
=4Rlr
-----END PGP SIGNATURE-----