Attachment #176817 for bug #214360

View | Details | Raw Unified | Return to bug 214360
Collapse All | Expand All




  * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
    <topic>gitlab -- Directory traversal via "import/export" feature</topic>
    <affects>
      <package>
	<name>rubygem-gitlab</name>
	<range><ge>8.10.0</ge><le>8.10.12</le></range>
	<range><ge>8.11.0</ge><le>8.11.9</le></range>
	<range><ge>8.12.0</ge><le>8.12.7</le></range>
	<range><ge>8.13.0</ge><le>8.13.2</le></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>GitLab reports:</p>
	<blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
	<p>The import/export feature did not properly check for symbolic links
	   in user-provided archives and therefore it was possible for an
	   authenticated user to retrieve the contents of any file
	   accessible to the GitLab service account. This included
	   sensitive files such as those that contain secret tokens used
	   by the GitLab service to authenticate users.</p>
	</blockquote>
      </body>
    </description>
    <references>
	<url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
	<cvename>CVE-2016-9086</cvename>
    </references>
    <dates>
      <discovery>2016-11-02</discovery>
      <entry>2016-11-09</entry>
    </dates>
  </vuln>

  <vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
    <topic>chromium -- out-of-bounds memory access</topic>
    <affects>

Return to bug 214360

Lines 58-63 Link Here

(-)security/vuxml/vuln.xml (+34 lines)
58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)	58	* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
59	-->	59	-->
60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">	60	<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
		61	<vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
		62	<topic>gitlab -- Directory traversal via "import/export" feature</topic>
		63	<affects>
		64	<package>
		65	<name>rubygem-gitlab</name>
		66	<range><ge>8.10.0</ge><le>8.10.12</le></range>
		67	<range><ge>8.11.0</ge><le>8.11.9</le></range>
		68	<range><ge>8.12.0</ge><le>8.12.7</le></range>
		69	<range><ge>8.13.0</ge><le>8.13.2</le></range>
		70	</package>
		71	</affects>
		72	<description>
		73	<body xmlns="http://www.w3.org/1999/xhtml">
		74	<p>GitLab reports:</p>
		75	<blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
		76	<p>The import/export feature did not properly check for symbolic links
		77	in user-provided archives and therefore it was possible for an
		78	authenticated user to retrieve the contents of any file
		79	accessible to the GitLab service account. This included
		80	sensitive files such as those that contain secret tokens used
		81	by the GitLab service to authenticate users.</p>
		82	</blockquote>
		83	</body>
		84	</description>
		85	<references>
		86	<url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
		87	<cvename>CVE-2016-9086</cvename>
		88	</references>
		89	<dates>
		90	<discovery>2016-11-02</discovery>
		91	<entry>2016-11-09</entry>
		92	</dates>
		93	</vuln>
		94
61	<vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">	95	<vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
62	<topic>chromium -- out-of-bounds memory access</topic>	96	<topic>chromium -- out-of-bounds memory access</topic>
63	<affects>	97	<affects>