New blog post on the GitLab blog by Dominic Couture! Check it out here:
I tried to find the actual commits that fixed the security bugs. The topic “The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.” links to CVE - CVE-2023-0756 which in turn links to https://gitlab.com/gitlab-org/gitlab/-/issues/390910 . However, this link returns 404.
Could you please include links to the patches in the changelog next time, and in future make sure the links you submit to CVE are permalinks that stay working for the public for a while.
Thanks in advance!
Hi @kalvdans, welcome to the GitLab Community forum!
According to GitLab’s vulnerability disclosure policy:
All vulnerabilities will be made public via our issue tracker 30 days after releasing the fix.
This disclosure policy ensures self-managed users have a 30-day window where they can patch their instance against the vulnerability before all the vulnerability details have been publicly disclosed.
The version containing a fix for this vulnerability was released on May 2nd, so the vulnerability report issue should be made public on June 2nd. After that, all the links in CVE-2023-0756 will work and remain working.