HomeThat World

gitlab: 12.8.1 -> 12.8.2 (#81803)

Authored by Milan <mil@nyantec.com> on Mar 5 2020, 3:37 PM.

Description

gitlab: 12.8.1 -> 12.8.2 (#81803)

Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)

  • Directory Traversal to Arbitrary File Read
  • Account Takeover Through Expired Link
  • Server Side Request Forgery Through Deprecated Service
  • Group Two-Factor Authentication Requirement Bypass
  • Stored XSS in Merge Request Pages
  • Stored XSS in Merge Request Submission Form
  • Stored XSS in File View
  • Stored XSS in Grafana Integration
  • Contribution Analytics Exposed to Non-members
  • Incorrect Access Control in Docker Registry via Deploy Tokens
  • Denial of Service via Permission Checks
  • Denial of Service in Design For Public Issue
  • GitHub Tokens Displayed in Plaintext on Integrations Page
  • Incorrect Access Control via LFS Import
  • Unescaped HTML in Header
  • Private Merge Request Titles Leaked via Widget
  • Project Namespace Exposed via Vulnerability Feedback Endpoint
  • Denial of Service Through Recursive Requests
  • Project Authorization Not Being Updated
  • Incorrect Permission Level For Group Invites
  • Disclosure of Private Group Epic Information
  • User IP Address Exposed via Badge images
  • Update postgresql (GitLab Omnibus)

Details

Committed
GitHub <noreply@github.com>Mar 5 2020, 3:37 PM
Pushed
sorpaasSun, Mar 22, 6:16 PM
sorpaasSun, Mar 22, 6:14 PM
Parents
rNIXPKGS93fd4b7f0074: Merge pull request #79062 from marsam/update-rclone
Branches
Unknown
Tags
Unknown

Event Timeline

GitHub <noreply@github.com> committed rNIXPKGSc25756f91ccf: gitlab: 12.8.1 -> 12.8.2 (#81803) (authored by Milan <mil@nyantec.com>).Mar 5 2020, 3:37 PM