Bug 209225 - [security] www/gitlab: Update to 8.7.1
Summary: [security] www/gitlab: Update to 8.7.1
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Kurt Jaeger
URL:
Keywords: patch, patch-ready, security
Depends on:
Blocks:
 
Reported: 2016-05-03 08:02 UTC by Torsten Zühlsdorff
Modified: 2016-05-03 13:52 UTC
3 users

See Also:


Attachments
patch with update to 8.7.1 - for ports/HEAD (6.07 KB, patch)
2016-05-03 08:02 UTC, Torsten Zühlsdorff
patch with update to 8.5.11 - for ports/quarterly (3.39 KB, patch)
2016-05-03 08:30 UTC, Torsten Zühlsdorff
patch with update to 8.5.12 - for ports/quarterly (4.77 KB, patch)
2016-05-03 13:38 UTC, Torsten Zühlsdorff

Description Torsten Zühlsdorff 2016-05-03 08:02:50 UTC
Created attachment 169905 [details]
patch with update to 8.7.1 - for ports/HEAD

Hello,

Attached is a patch to bring the port to its current version, 8.7.1.

Build tests were done for 9.3, 10.0, 10.2 and 10.3 on amd64 and i386. An update and a fresh installation were also performed to test the major features of the software.

This is an important security upgrade which fixes CVE-2016-4340 and other issues:
https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

I will provide a patch for the quarterly version of gitlab. The attached patch is not suitable for quarterly, just for head!

Greetings,
Torsten
Comment 1 Kurt Jaeger freebsd_committer freebsd_triage 2016-05-03 08:09:22 UTC
testbuilds@work
Comment 2 Torsten Zühlsdorff 2016-05-03 08:30:31 UTC
Created attachment 169906 [details]
patch with update to 8.5.11 - for ports/quarterly

Attached is the patch for quarterly. It bumps the version to 8.5.11. I also fixed an issue in the patch files which currently renders gitlab unusable. Tests were done as above.

Greetings,
Torsten
Comment 3 commit-hook freebsd_committer freebsd_triage 2016-05-03 13:06:16 UTC
A commit references this bug:

Author: pi
Date: Tue May  3 13:05:27 UTC 2016
New revision: 414528
URL: https://svnweb.freebsd.org/changeset/ports/414528

Log:
  www/gitlab: 8.5.5 -> 8.5.11 to fix CVE-2016-4340

  Changes:
    https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:		209225
  Submitted by:	Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Approved by:	ports-secteam (feld)

Changes:
  branches/2016Q2/www/gitlab/Makefile
  branches/2016Q2/www/gitlab/distinfo
  branches/2016Q2/www/gitlab/files/patch-Gemfile
  branches/2016Q2/www/gitlab/pkg-plist
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-05-03 13:08:18 UTC
A commit references this bug:

Author: pi
Date: Tue May  3 13:08:06 UTC 2016
New revision: 414529
URL: https://svnweb.freebsd.org/changeset/ports/414529

Log:
  www/gitlab: 8.7.0 -> 8.7.1

  Changes:
    https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:		209225
  Submitted by:	Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Security:	CVE-2016-4340

Changes:
  head/www/gitlab/Makefile
  head/www/gitlab/distinfo
  head/www/gitlab/pkg-message
  head/www/gitlab/pkg-plist
Comment 5 commit-hook freebsd_committer freebsd_triage 2016-05-03 13:28:21 UTC
A commit references this bug:

Author: junovitch
Date: Tue May  3 13:27:45 UTC 2016
New revision: 414530
URL: https://svnweb.freebsd.org/changeset/ports/414530

Log:
  Document gitlab privilege escalation via "impersonate" feature

  PR:		209225
  Reported by:	Torsten Zuehlsdorff <ports@toco-domains.de>
  Security:	CVE-2016-4340
  Security:	https://vuxml.FreeBSD.org/freebsd/be72e773-1131-11e6-94fa-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 6 Jason Unovitch freebsd_committer freebsd_triage 2016-05-03 13:29:31 UTC
(In reply to Torsten Zühlsdorff from comment #2)
Hi!

I see in the Gitlab announcement that "8.5.0 through 8.5.11" is affected.  Shouldn't this patch for quarterly be 8.5.12?
Comment 7 Torsten Zühlsdorff 2016-05-03 13:38:53 UTC
Created attachment 169927 [details]
patch with update to 8.5.12 - for ports/quarterly

> I see in the Gitlab announcement that "8.5.0 through 8.5.11" is affected. 
> Shouldn't this patch for quarterly be 8.5.12?

You're right. I mixed up the versions in the hurry I am in today. :/ Good catch, thank you very much! Attached is a patch to the correct version (double checked).

Greetings,
Torsten
Comment 8 commit-hook freebsd_committer freebsd_triage 2016-05-03 13:43:23 UTC
A commit references this bug:

Author: pi
Date: Tue May  3 13:42:23 UTC 2016
New revision: 414532
URL: https://svnweb.freebsd.org/changeset/ports/414532

Log:
  www/gitlab: 8.5.11 -> 8.5.12 to really fix CVE-2016-4340

  Changes:
    https://about.gitlab.com/2016/05/02/cve-2016-4340-patches/

  PR:		209225
  Submitted by:	Torsten Zuehlsdorff <ports@toco-domains.de> (maintainer)
  Approved by:	ports-secteam (junovitch)

Changes:
  branches/2016Q2/www/gitlab/Makefile
  branches/2016Q2/www/gitlab/distinfo
  branches/2016Q2/www/gitlab/pkg-plist
Comment 9 Jason Unovitch freebsd_committer freebsd_triage 2016-05-03 13:52:29 UTC
(In reply to Torsten Zühlsdorff from comment #7)
Super, thanks!

And thanks for the quick action Kurt.  Looks like we got all the updates covered so I'll go ahead and close this now.