Gitlab¶à¸öÇå¾²Îó²îΣº¦Í¨¸æ

Ðû²¼Ê±¼ä 2019-12-11

Îó²î±àºÅºÍ¼¶±ð


CVE±àºÅ£ºCVE-2019-19604£¬£¬£¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2019-19628£¬£¬£¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨

CVE±àºÅ£ºCVE-2019-19629£¬£¬£¬£¬Î£ÏÕ¼¶±ð£º¸ßΣ£¬£¬£¬£¬CVSS·ÖÖµ£º¹Ù·½Î´ÆÀ¶¨


Ó°Ïì°æ±¾


ËùÓеÄGitLabOmnibus°æ±¾

GitLab EE 11.3 ¼°¸ü¸ßµÄ°æ±¾

GitLab EE 10.5 ¼°¸ü¸ßµÄ°æ±¾


Îó²î¸ÅÊö


GitlabÊÇÒ»¸öÓÃÓÚ¿ÍÕ»ÖÎÀíϵͳµÄ¿ªÔ´ÏîÄ¿£¬£¬£¬£¬Ê¹ÓÃGit×÷Ϊ´úÂëÖÎÀí¹¤¾ß£¬£¬£¬£¬²¢ÔÚ´Ë»ù´¡ÉϴÆðÀ´µÄWebЧÀÍ¡£¡£ ¡£¡£


CVE-2019-19604

git×ÓÄ£¿£¿£¿£¿£¿é¸üвÙ×÷¿ÉÒÔµ¼ÖÂÖ´ÐÐ.gitmodulesÎļþÖнç˵µÄí§ÒâshellÏÂÁî¡£¡£ ¡£¡£


CVE-2019-19628

ÓÉÓÚMaven°ü×¢²á±íµÄ²ÎÊý´¦Öóͷ£ÎÊÌ⣬£¬£¬£¬¿ÉÄܻᵼÖÂȨÏÞÌáÉýºÍijЩÌõ¼þϵÄÔ¶³Ì´úÂëÖ´ÐÐÎó²î¡£¡£ ¡£¡£


CVE-2019-19629

µ±½«¹«¹²ÏîĿתÒƵ½Ë½ÓÐ×éʱ£¬£¬£¬£¬Ë½ÓдúÂ뽫ͨ¹ýElasticsearch¼¯³ÉÌṩµÄGroupSearch API»ñÈ¡¡£¡£ ¡£¡£


Îó²îÑéÖ¤


EXP:CVE-2019-19604

https://gitlab.com/gitlab-com/gl-security/disclosures/blob/master/003_git_submodule/advisory.md£»£»£»£»


CVE-2019-19628£¬£¬£¬£¬CVE-2019-19628


ÔÝÎÞEXP/POC¡£¡£ ¡£¡£


ÐÞ¸´½¨Òé


ÉÏÊöÊÜÓ°Ïì°æ±¾µÄ×°Öþ¡¿ìÉý¼¶µ½×îа汾¡£¡£ ¡£¡£ÈçÐè¸üУ¬£¬£¬£¬Çëµ½¹ÙÍøÏÂÔØ£ºhttps://about.gitlab.com/update£»£»£»£»

GitLabÒªº¦Çå¾²°æ±¾£º12.5.4¡¢12.4.6ºÍ12.3.9£»£»£»£»

¸üÐÂGitÒÀÀµ¹Øϵµ½2.22.2£»£»£»£»

ÈôÊÇÎÞ·¨Éý¼¶£¬£¬£¬£¬Çë˼Á¿½ûÓÃElasticearch¡£¡£ ¡£¡£


²Î¿¼Á´½Ó


https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/