Commit Graph

59 Commits

Author SHA1 Message Date
Florian Klink
38a4af7d19 gitlab: 13.0.4 -> 13.0.6
CI Token Access Control

An authorization issue discovered in the mirroring logic allowed read access to private repositories. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.

https://about.gitlab.com/releases/2020/06/10/critical-security-release-13-0-6-released/
2020-06-11 00:27:11 +02:00
talyz
0b5c534598
gitlab: 13.0.3 -> 13.0.4
https://about.gitlab.com/releases/2020/06/03/critical-security-release-13-0-4-released/
2020-06-04 14:32:45 +02:00
Robin Gloster
79454f15ac
gitlab: 12.10.8 -> 13.0.3
https://about.gitlab.com/releases/2020/05/22/gitlab-13-0-released/
https://about.gitlab.com/releases/2020/05/27/security-release-13-0-1-released/
https://about.gitlab.com/releases/2020/05/29/gitlab-13-0-3-released/

The gitaly gitlab-shell config has moved into gitaly.toml. See
https://gitlab.com/gitlab-org/gitaly/-/issues/2182 for more info.
2020-06-04 14:32:39 +02:00
Robin Gloster
af05325f10
gitlab: 12.10.6 -> 12.10.8 2020-05-31 03:11:57 +02:00
Milan Pässler
f61370214c gitlab: 12.8.10 -> 12.10.6 2020-05-18 18:34:46 +02:00
Florian Klink
fdd0d0de1f gitlab: 12.8.9 -> 12.8.10 2020-04-30 23:16:50 +02:00
Florian Klink
d1902923fa gitlab: 12.8.8 -> 12.8.9
See
https://about.gitlab.com/releases/2020/04/14/critical-security-release-gitlab-12-dot-9-dot-3-released/
for details.
2020-04-27 10:31:36 +02:00
Florian Klink
8ab04fd87b gitlab: 12.8.7 -> 12.8.8 2020-03-27 10:08:59 +01:00
Kim Lindberger
3a173c1d75
gitlab: 12.8.6 -> 12.8.7 (#82838)
https://about.gitlab.com/releases/2020/03/16/gitlab-12-8-7-released/
2020-03-24 18:45:39 +01:00
Florian Klink
ab3b836350 gitlab: 12.8.5 -> 12.8.6
https://about.gitlab.com/releases/2020/03/11/critical-security-release-gitlab-12-dot-8-dot-6-released/
2020-03-12 02:57:39 +01:00
Milan
f391999026
gitlab: 12.8.2 -> 12.8.5 (#82142)
https://about.gitlab.com/releases/2020/03/09/gitlab-12-8-5-released/
2020-03-09 17:23:51 +01:00
Milan
c25756f91c
gitlab: 12.8.1 -> 12.8.2 (#81803)
Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)

 - Directory Traversal to Arbitrary File Read
 - Account Takeover Through Expired Link
 - Server Side Request Forgery Through Deprecated Service
 - Group Two-Factor Authentication Requirement Bypass
 - Stored XSS in Merge Request Pages
 - Stored XSS in Merge Request Submission Form
 - Stored XSS in File View
 - Stored XSS in Grafana Integration
 - Contribution Analytics Exposed to Non-members
 - Incorrect Access Control in Docker Registry via Deploy Tokens
 - Denial of Service via Permission Checks
 - Denial of Service in Design For Public Issue
 - GitHub Tokens Displayed in Plaintext on Integrations Page
 - Incorrect Access Control via LFS Import
 - Unescaped HTML in Header
 - Private Merge Request Titles Leaked via Widget
 - Project Namespace Exposed via Vulnerability Feedback Endpoint
 - Denial of Service Through Recursive Requests
 - Project Authorization Not Being Updated
 - Incorrect Permission Level For Group Invites
 - Disclosure of Private Group Epic Information
 - User IP Address Exposed via Badge images
 - Update postgresql (GitLab Omnibus)
2020-03-05 16:37:21 +01:00
talyz
7d8a2004cf gitlab: 12.7.6 -> 12.8.1
https://about.gitlab.com/releases/2020/02/22/gitlab-12-8-released/
https://about.gitlab.com/releases/2020/02/24/gitlab-12-8-1-released/
2020-03-03 21:19:01 +01:00
Florian Klink
0a87568b03 gitlab: 12.7.5 -> 12.7.6 2020-02-13 22:18:27 +01:00
Florian Klink
0142bd49cc gitlab: 12.7.4 -> 12.7.5
https://about.gitlab.com/releases/2020/01/31/gitlab-12-7-5-released/
2020-02-01 17:07:55 +01:00
Florian Klink
cb02372211 gitlab: 12.6.4 -> 12.7.4
- CVE-2020-7966
 - CVE-2020-8114
 - CVE-2020-7973
 - CVE-2020-6833
 - CVE-2020-7971
 - CVE-2020-7967
 - CVE-2020-7972
 - CVE-2020-7968
 - CVE-2020-7979
 - CVE-2020-7969
 - CVE-2020-7978
 - CVE-2020-7974
 - CVE-2020-7977
 - CVE-2020-7976
 - CVE-2019-16779
 - CVE-2019-18978
 - CVE-2019-16892
2020-01-31 12:34:57 +01:00
Florian Klink
57560cc028 gitlab: 12.6.2 -> 12.6.4 2020-01-13 21:49:34 +01:00
Florian Klink
d075e33bf5 gitlab: 12.6.1 -> 12.6.2
- CVE-2019-20146
 - CVE-2019-20143
 - CVE-2019-20147
 - CVE-2019-20145
 - CVE-2019-20142
 - CVE-2019-20148
 - CVE-2020-5197
2020-01-02 23:09:53 +01:00
talyz
0825e382c0 gitlab: 12.6.0 -> 12.6.1 2019-12-28 14:00:04 +01:00
talyz
ff28cfa6d3 gitlab: 12.5.5 -> 12.6.0 2019-12-23 00:39:33 +01:00
talyz
7d602d3d36 gitlab: 12.5.4 -> 12.5.5 2019-12-17 22:18:10 +01:00
Florian Klink
5bf07d665f gitlab: 12.5.3 -> 12.5.4
https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/

Insufficient parameter sanitization for Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. The issue is now mitigated in the latest release and is assigned CVE-2019-19628.

When transferring a public project to a private group, private code would be disclosed via the Group Search API provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned CVE-2019-19629.

The Git dependency has been upgraded to 2.22.2 in order to apply security fixes detailed here.

CVE-2019-19604 was identified by the GitLab Security Research team. For more information on that issue, please visit the GitLab Security Research Advisory

closes #75506.
2019-12-11 15:16:36 +01:00
Milan Pässler
a43003d633 gitlab: 12.5.2 -> 12.5.3 2019-12-04 11:30:40 +01:00
Florian Klink
00f4760cdc gitlab: 12.5.0 -> 12.5.2 2019-11-28 00:17:30 +01:00
talyz
ce2aa10765 gitlab: 12.4.3 -> 12.5.0 2019-11-26 17:32:01 +01:00
Milan Pässler
f53fe02ff0 gitlab: 12.4.2 -> 12.4.3 2019-11-21 09:35:56 +00:00
talyz
a779d7751e gitlab: 12.4.1 -> 12.4.2 2019-11-06 10:56:20 +01:00
talyz
2e8417b52a gitlab: 12.4.0 -> 12.4.1 2019-10-31 18:55:08 +01:00
talyz
5081a6cd56 gitlab: 12.3.5 -> 12.4.0
- gitlab-shell no longer requires ruby for anything else than the
  install script, so the bundlerEnv stuff could be dropped

- gitlab-shell and gitlab-workhorse now report their versions
  correctly
2019-10-28 14:56:37 +01:00
talyz
9be76d0b6a gitlab: 12.3.4 -> 12.3.5 2019-10-08 16:35:50 +02:00
talyz
afa3abf632 gitlab: Refactor for new repo structure
GitLab recently restructured their repos; whereas previously they had
one gitlab-ce and one gitlab-ee repo, they're now one and the
same. All proprietary components are put into the ee subdirectory -
removing it gives us the foss / community version of GitLab. For more
info, see
https://about.gitlab.com/2019/02/21/merging-ce-and-ee-codebases/

This gives us the opportunity to simplify things quite a bit, since we
don't have to keep track of two separate versions of either the base
data or rubyEnv.
2019-10-08 15:52:11 +02:00
talyz
f3eb063ecf gitlab: 12.1.6 -> 12.3.4
- Update GitLab to 12.3.4

- Update update.py to cope with the new upstream repository structure

- Refactor gitlab-shell to use buildGoPackage and bundlerEnv for
  dependencies

- Refactor gitlab-workhorse to use buildGoPackage for dependencies

- Make update.py able to update gitlab-shell and gitlab-workhorse
  dependencies

- Various fixes necessary for update to work
2019-10-04 18:03:05 +02:00
Florian Klink
362076c581 gitlab-ee: 12.0.3 -> 12.1.6 2019-08-14 14:51:59 +02:00
Florian Klink
8ce1c4c26a gitlab-ce: 12.0.3 -> 12.1.6 2019-08-14 14:51:00 +02:00
Ben Gamari
363b352af3 gitlab: 11.10.8 -> 12.0.3
This is a major version bump but things were generally straightforward
save two wrinkles:

 * it is necessary to ignore collisions in the gitlab bundler
   environment as both `omniauth_oauth2_generic` and
   `apollo_upload_server` provide a `console` executable.

 * grpc had to be patched since its build system expects the `AR`
   environment variable to contain not just the path to `ar` but
   also the `rpc` flags (see the discussion in nixpkgs #63056).
2019-07-14 23:03:39 +02:00
Florian Klink
580be224c7 gitlab-ee: 11.10.5 -> 11.10.8 2019-07-05 00:44:10 +02:00
Florian Klink
c57a9d7f9a gitlab-ce: 11.10.5 -> 11.10.8 2019-07-05 00:44:10 +02:00
Marek Mahut
bf01a3ba94 gitlab: 11.10.4 -> 11.10.5 2019-06-13 01:45:13 +02:00
Florian Klink
d237c8a182 gitlab-ee: 11.9.11 -> 11.10.4 2019-05-03 20:22:08 +02:00
Florian Klink
02124aa8fb gitlab-ce: 11.9.11 -> 11.10.4 2019-05-03 20:21:55 +02:00
Florian Klink
5d6f6d5d94 gitlab-ee: 11.9.8 -> 11.9.11 2019-05-01 14:48:58 +02:00
Florian Klink
b9df035cb7 gitlab-ce: 11.9.8 -> 11.9.11 2019-05-01 14:48:27 +02:00
Florian Klink
33423e52c6 gitlab-ee: 11.9.1 -> 11.9.8 2019-04-22 23:41:32 +02:00
Florian Klink
04b5eb10c0 gitlab-ce: 11.9.1 -> 11.9.8 2019-04-22 23:41:32 +02:00
Florian Klink
ec319793b4 gitlab: 11.9.0 -> 11.9.1 2019-03-26 21:00:04 +01:00
Ben Gamari
d8c16f11a6 gitlab: 11.8.2 -> 11.9.0 2019-03-25 15:25:11 -04:00
Ben Gamari
0ba98bb64c gitlab: 11.7.5 -> 11.8.2 2019-03-25 15:25:06 -04:00
Florian Klink
f4a7c16bd9 gitlab-ee: 11.7.4 -> 11.7.5 2019-02-17 13:43:52 +01:00
Florian Klink
7f6351a21d gitlab: 11.7.4 -> 11.7.5 2019-02-17 13:43:38 +01:00
Jeff Slight
8c043d3c7b gitlab: 11.6.3 -> 11.7.4 2019-02-06 00:30:29 +01:00