ArchLinux: 202101-10: gitlab: multiple issues
Summary
- CVE-2020-26414 (denial of service)
An issue has been discovered in GitLab affecting all versions starting
from 12.4. The regular expression used to validate package names is
written so that its execution time grows quadratically with the length
of the input string, so an attacker-supplied name can tie up the server.
The issue is mitigated in GitLab versions 13.7.2, 13.6.4, and 13.5.6.
- CVE-2021-22166 (denial of service)
An attacker could cause a Prometheus denial of service in GitLab 13.7+
by sending an HTTP request with a malformed method. The issue is
mitigated in GitLab version 13.7.2.
- CVE-2021-22167 (information disclosure)
An issue has been discovered in GitLab affecting all versions starting
from 12.1. Incorrect headers within a specific project page allow
attackers to have temporary read access to a public repository with
project features restricted only to members. The issue is mitigated in
GitLab versions 13.7.2, 13.6.4, and 13.5.6.
- CVE-2021-22168 (denial of service)
A regular expression denial of service issue has been discovered in the
NuGet API affecting all versions of GitLab starting from version 12.8.
The issue is mitigated in GitLab versions 13.7.2, 13.6.4, and 13.5.6.
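CVE-2020-26414 and CVE-2021-22168 are both regular-expression denial of service bugs. The following added example (not GitLab's code, and not GitLab's actual pattern) shows the bug class with a constructed package-name validator: an unanchored `+$` search whose work grows with the square of the input length, next to a hardened form that anchors the match and caps input length. The pattern, the 255-character cap and the worst-case input are all assumptions made for the illustration.

```python
import re
import time

# Constructed illustration of the ReDoS bug class, NOT GitLab's pattern.
# search() with an unanchored `+$` retries the run of name characters from
# every start position when the trailing anchor fails, so total work on a
# worst-case input grows with the square of its length.
QUADRATIC_NAME = re.compile(r"[a-z0-9.]+$")

# Same character class, but applied with fullmatch(): both ends anchored,
# a single pass over the input.
LINEAR_NAME = re.compile(r"[a-z0-9.]+")

MAX_NAME_LEN = 255  # assumed limit; a length cap bounds worst-case work


def validate_quadratic(name: str) -> bool:
    """Superlinear validator: accepts any string whose tail is a valid run."""
    return QUADRATIC_NAME.search(name) is not None


def validate_linear(name: str) -> bool:
    """Hardened validator: length cap plus an anchored full match."""
    if len(name) > MAX_NAME_LEN:
        return False
    return LINEAR_NAME.fullmatch(name) is not None


def worst_case_input(n: int) -> str:
    """n valid characters followed by one invalid one (constructed input)."""
    return "a" * n + "!"


def seconds_for(matcher, n: int) -> float:
    """Wall-clock time for one matcher call on the worst-case input of size n."""
    text = worst_case_input(n)
    start = time.perf_counter()
    matcher(text)
    return time.perf_counter() - start


def growth_ratio(matcher, n: int) -> float:
    """t(2n) / t(n): roughly 4 for a quadratic pattern, roughly 2 for linear."""
    t1 = seconds_for(matcher, n)
    t2 = seconds_for(matcher, 2 * n)
    return t2 / t1 if t1 > 0 else float("inf")


if __name__ == "__main__":
    # Timing the raw regex calls, without the length cap, exposes the growth.
    for label, matcher in (("unanchored search()", QUADRATIC_NAME.search),
                           ("anchored fullmatch()", LINEAR_NAME.fullmatch)):
        print(f"{label}: t(8000)/t(4000) = {growth_ratio(matcher, 4000):.1f}")
```

Two things the hardened form fixes at once: the unanchored pattern also accepts names such as `foo!bar` because only the tail has to match, and the length cap keeps even a pathological pattern from being fed megabytes of input. The same reasoning applies when reviewing any validator that runs on attacker-controlled request fields.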
- CVE-2021-22171 (authentication bypass)
Insufficient validation of authentication parameters in GitLab Pages
for GitLab 11.5+ would allow stealing a user's API access token. The
issue is mitigated in GitLab versions 13.7.2, 13.6.4, and 13.5.6.
Note: A way to bypass the fix released in GitLab versions 13.7.2,
13.6.4, and 13.5.6 has been found and was subsequently fixed in versions
13.7.4, 13.6.5, and 13.5.7.
Resolution
Upgrade to 13.7.2-1.
# pacman -Syu "gitlab>=13.7.2-1"
The problems have been fixed upstream in version 13.7.2.
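To turn the version ranges in this advisory into a check an administrator can run against an installed package, here is an added example (not part of the advisory or of Arch's tooling). It encodes the "affected from" and "mitigated in" versions listed above for each CVE, applies the note that CVE-2021-22171 needs 13.7.4, 13.6.5 or 13.5.7 for the bypass, and reports which CVEs a given Arch `pkgver-pkgrel` string still leaves open. Reading the installed version via `pacman -Q gitlab` is an assumption about the host and only runs when the script is executed directly.

```python
import subprocess

# Per-CVE data copied from the advisory text:
# (first affected version, versions that carry the fix, one per stable branch).
# CVE-2021-22171 uses the later fix versions from the bypass note.
ADVISORY = {
    "CVE-2020-26414": ((12, 4), [(13, 7, 2), (13, 6, 4), (13, 5, 6)]),
    "CVE-2021-22166": ((13, 7), [(13, 7, 2)]),
    "CVE-2021-22167": ((12, 1), [(13, 7, 2), (13, 6, 4), (13, 5, 6)]),
    "CVE-2021-22168": ((12, 8), [(13, 7, 2), (13, 6, 4), (13, 5, 6)]),
    "CVE-2021-22171": ((11, 5), [(13, 7, 4), (13, 6, 5), (13, 5, 7)]),
}


def parse_arch_version(s: str):
    """Split an Arch 'pkgver-pkgrel' string into (pkgver tuple, pkgrel int).

    Epochs and non-numeric pkgver parts are out of scope for this example.
    """
    pkgver, _, pkgrel = s.partition("-")
    return tuple(int(p) for p in pkgver.split(".")), int(pkgrel or 0)


def is_fixed(ver, fixes) -> bool:
    """True if ver is at or past the fix for its own stable branch.

    A branch newer than every listed fix branch is assumed to carry the fix
    forward (the advisory says the problems are fixed upstream in 13.7.2).
    Branches older than the oldest fixed branch never received a fix.
    """
    branch = ver[:2]
    if branch > max(f[:2] for f in fixes):
        return True
    return any(f[:2] == branch and ver >= f for f in fixes)


def open_cves(version_string: str):
    """CVE ids from this advisory that the given package version still has."""
    ver, _pkgrel = parse_arch_version(version_string)
    unresolved = []
    for cve, (introduced, fixes) in ADVISORY.items():
        if ver < introduced:
            continue          # release predates the bug
        if not is_fixed(ver, fixes):
            unresolved.append(cve)
    return sorted(unresolved)


def installed_gitlab_version() -> str:
    """Ask pacman for the installed gitlab version (assumes an Arch host)."""
    out = subprocess.run(["pacman", "-Q", "gitlab"], check=True,
                         capture_output=True, text=True).stdout
    return out.split()[1]


if __name__ == "__main__":
    version = installed_gitlab_version()
    remaining = open_cves(version)
    print(f"gitlab {version}: " + (", ".join(remaining) or "no open CVEs"))
```

Note that `13.7.2-1`, the version the resolution upgrades to, is reported as still open for CVE-2021-22171 because of the bypass note; a host wanting that closed as well must reach 13.7.4 once packaged.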
References
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#regular-expression-denial-of-service-in-package-uploads
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#prometheus-denial-of-service-via-http-request-with-custom-method
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#unauthorized-user-is-able-to-access-private-repository-information-under-specific-conditions
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#regular-expression-denial-of-service-in-nuget-api
https://about.gitlab.com/releases/2021/01/07/security-release-gitlab-13-7-2-released/#ability-to-steal-a-users-api-access-token-through-gitlab-pages
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/fa70ce1068babe592d348497c772f1b5160cbb6e
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/e861919633e0aac16509c0415f71eda69902bff9
https://security.archlinux.org/CVE-2020-26414
https://security.archlinux.org/CVE-2021-22166
https://security.archlinux.org/CVE-2021-22167
https://security.archlinux.org/CVE-2021-22168
https://security.archlinux.org/CVE-2021-22171
Workaround
None.