Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
- Directory Traversal to Arbitrary File Read
- Account Takeover Through Expired Link
- Server Side Request Forgery Through Deprecated Service
- Group Two-Factor Authentication Requirement Bypass
- Stored XSS in Merge Request Pages
- Stored XSS in Merge Request Submission Form
- Stored XSS in File View
- Stored XSS in Grafana Integration
- Contribution Analytics Exposed to Non-members
- Incorrect Access Control in Docker Registry via Deploy Tokens
- Denial of Service via Permission Checks
- Denial of Service in Design For Public Issue
- GitHub Tokens Displayed in Plaintext on Integrations Page
- Incorrect Access Control via LFS Import
- Unescaped HTML in Header
- Private Merge Request Titles Leaked via Widget
- Project Namespace Exposed via Vulnerability Feedback Endpoint
- Denial of Service Through Recursive Requests
- Project Authorization Not Being Updated
- Incorrect Permission Level For Group Invites
- Disclosure of Private Group Epic Information
- User IP Address Exposed via Badge images
- Update postgresql (GitLab Omnibus)

For some reason this untagged commit is the one referred to in the
main repository; this might be a mistake, but we'll have to package it
for now to follow upstream.

For some reason hydra seems to have issues downloading the
gitlab-workhorse source on macOS. Since we don't build the rails app
for macOS, the other components seem a bit useless there, so we
limit them to linux for now.

- gitlab-shell no longer requires ruby for anything else than the
install script, so the bundlerEnv stuff could be dropped
- gitlab-shell and gitlab-workhorse now report their versions
correctly

- Update GitLab to 12.3.4
- Update update.py to cope with the new upstream repository structure
- Refactor gitlab-shell to use buildGoPackage and bundlerEnv for
dependencies
- Refactor gitlab-workhorse to use buildGoPackage for dependencies
- Make update.py able to update gitlab-shell and gitlab-workhorse
dependencies
- Various fixes necessary for update to work

There were very many conflicts, basically all due to
name -> pname+version. Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job. There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299

This is a major version bump but things were generally straightforward
save two wrinkles:
* it is necessary to ignore collisions in the gitlab bundler
environment as both `omniauth_oauth2_generic` and
`apollo_upload_server` provide a `console` executable.
* grpc had to be patched since its build system expects the `AR`
environment variable to contain not just the path to `ar` but
also the `rpc` flags (see the discussion in nixpkgs #63056).