Created attachment 169905: patch with update to 8.7.1 - for ports/HEAD

Hello,

attached is a patch to bring the port to its current version 8.7.1. Build tests were done for 9.3, 10.0, 10.2 and 10.3 on amd64 and i386. An update and a fresh installation were also performed to test the major features of the software.

This is an important security upgrade which fixes CVE-2016-4340 and other issues: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

I will provide a patch for the quarterly version of gitlab. The attached patch is not suitable for quarterly, just for head!

Greetings,
Torsten
testbuilds@work
Created attachment 169906: patch with update to 8.5.11 - for ports/quarterly

Attached is the patch for quarterly. It bumps the version to 8.5.11. I also fixed an issue in the patch files which currently renders gitlab unusable. Tests were done as above.

Greetings,
Torsten
A commit references this bug:

Author: pi
Date: Tue May 3 13:05:27 UTC 2016
New revision: 414528
URL: https://svnweb.freebsd.org/changeset/ports/414528

Log:
  www/gitlab: 8.5.5 -> 8.5.11 to fix CVE-2016-4340

  Changes: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:           209225
  Submitted by: Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Approved by:  ports-secteam (feld)

Changes:
  branches/2016Q2/www/gitlab/Makefile
  branches/2016Q2/www/gitlab/distinfo
  branches/2016Q2/www/gitlab/files/patch-Gemfile
  branches/2016Q2/www/gitlab/pkg-plist
A commit references this bug:

Author: pi
Date: Tue May 3 13:08:06 UTC 2016
New revision: 414529
URL: https://svnweb.freebsd.org/changeset/ports/414529

Log:
  www/gitlab: 8.7.0 -> 8.7.1

  Changes: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:           209225
  Submitted by: Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Security:     CVE-2016-4340

Changes:
  head/www/gitlab/Makefile
  head/www/gitlab/distinfo
  head/www/gitlab/pkg-message
  head/www/gitlab/pkg-plist
A commit references this bug:

Author: junovitch
Date: Tue May 3 13:27:45 UTC 2016
New revision: 414530
URL: https://svnweb.freebsd.org/changeset/ports/414530

Log:
  Document gitlab privilege escalation via "impersonate" feature

  PR:           209225
  Reported by:  Torsten Zuehlsdorff <ports@toco-domains.de>
  Security:     CVE-2016-4340
  Security:     https://vuxml.FreeBSD.org/freebsd/be72e773-1131-11e6-94fa-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
(In reply to Torsten Zühlsdorff from comment #2)

Hi! I see in the Gitlab announcement that "8.5.0 through 8.5.11" is affected. Shouldn't this patch for quarterly be 8.5.12?
Created attachment 169927: patch with update to 8.5.12 - for ports/quarterly

> I see in the Gitlab announcement that "8.5.0 through 8.5.11" is affected.
> Shouldn't this patch for quarterly be 8.5.12?

You're right. I mixed up the versions in the hurry I am in today. :/ Good catch, thank you very much!

Attached is a patch to the correct version (double checked).

Greetings,
Torsten
A commit references this bug:

Author: pi
Date: Tue May 3 13:42:23 UTC 2016
New revision: 414532
URL: https://svnweb.freebsd.org/changeset/ports/414532

Log:
  www/gitlab: 8.5.11 -> 8.5.12 to really fix CVE-2016-4340

  Changes: https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:           209225
  Submitted by: Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Approved by:  ports-secteam (junovitch)

Changes:
  branches/2016Q2/www/gitlab/Makefile
  branches/2016Q2/www/gitlab/distinfo
  branches/2016Q2/www/gitlab/pkg-plist
(In reply to Torsten Zühlsdorff from comment #7)

Super, thanks! And thanks for the quick action, Kurt. Looks like we got all the updates covered, so I'll go ahead and close this now.