
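--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,40 @@
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="10968dfd-a687-11e6-b2d3-60a44ce6887b">
+    <topic>gitlab -- Directory traversal via "import/export" feature</topic>
+    <affects>
+      <package>
+	<name>rubygem-gitlab</name>
+	<range><ge>8.10.0</ge><le>8.10.12</le></range>
+	<range><ge>8.11.0</ge><le>8.11.9</le></range>
+	<range><ge>8.12.0</ge><le>8.12.7</le></range>
+	<range><ge>8.13.0</ge><le>8.13.2</le></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>GitLab reports:</p>
+	<blockquote cite="https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/">
+	<p>The import/export feature did not properly check for symbolic links
+	   in user-provided archives and therefore it was possible for an
+	   authenticated user to retrieve the contents of any file
+	   accessible to the GitLab service account. This included
+	   sensitive files such as those that contain secret tokens used
+	   by the GitLab service to authenticate users.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+	<url>https://about.gitlab.com/2016/11/02/cve-2016-9086-patches/</url>
+	<cvename>CVE-2016-9086</cvename>
+    </references>
+    <dates>
+      <discovery>2016-11-02</discovery>
+      <entry>2016-11-09</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="ae9cb9b8-a203-11e6-a265-3065ec8fd3ec">
     <topic>chromium -- out-of-bounds memory access</topic>
     <affects>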
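Review bot: The four `<range>` elements bound the vulnerable versions with `<le>` on the last unfixed release, which leaves any port-revision build of that release (e.g. `8.13.2_1`, which FreeBSD version comparison orders after `8.13.2`) outside the match even though it would still carry the flaw; bounding with `<lt>` on the first fixed release closes that gap, e.g. `<range><ge>8.13.0</ge><lt>8.13.3</lt></range>` and likewise for the other three (assuming the patched releases are the next patch level named in the linked advisory — verify against it). Separately, the `<topic>` calls this "Directory traversal", but the quoted vendor text describes symbolic links inside user-provided archives being followed on import, i.e. link following leading to arbitrary file read rather than a `../` path traversal; a topic such as `gitlab -- arbitrary file read via symbolic links in import/export archives` would let readers triage it by the right weakness class. The surrounding `<vuxml>` document continues outside the hunk.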
