Alert GCSA-22007 - GitLab security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

******************************************************************

alert ID: GCSA-22007
date: 13 January 2022
title: GitLab security update

******************************************************************

:: Problem description

GitLab has released new versions of its platform
that fix several vulnerabilities.

The vendor recommends updating all installations
immediately.

Further information is available in the "References" section.


:: Affected software

GitLab Community Edition (CE)
GitLab Enterprise Edition (EE)

versions earlier than 14.6.2, 14.5.3, and 14.4.5


:: Impact

Remote code execution (RCE)
Cross-Site Request Forgery (CSRF)
Cross-Site Scripting (XSS)
Denial of Service (DoS)
Information disclosure (ID)
Provide Misleading Information (Spoofing)
Security feature bypass (SFB)


:: Solutions

Update to the latest versions

GitLab 14.6.2, 14.5.3, e 14.4.5

https://about.gitlab.com/update
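As an added example (not part of the GARR CERT advisory and not GitLab's own code), the check below decides whether a running GitLab instance predates the fixed releases named above. It assumes the JSON shape returned by GitLab's GET /api/v4/version endpoint ({"version": ..., "revision": ...}); the sample response bodies and their revision values are constructed for this example, and 14.x branches older than 14.4 are treated as having no patched release.

```python
import json
import re

# First patched release on each maintained 14.x branch, as listed in the
# advisory: anything on that branch below the tuple is affected.
FIXED_VERSIONS = {
    (14, 6): (14, 6, 2),
    (14, 5): (14, 5, 3),
    (14, 4): (14, 4, 5),
}
# Lowest patched release overall. Branches not listed above and older than
# this (e.g. 14.3.x) are assumed to have no fix and are reported as affected.
OLDEST_FIXED = min(FIXED_VERSIONS.values())

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version_string):
    """Turn a GitLab version string such as '14.6.1-ee' into (14, 6, 1).

    GitLab appends an edition suffix (-ce/-ee) or '-pre' for development
    builds; only the numeric triple matters for the comparison.
    """
    m = _VERSION_RE.match(version_string.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version_string!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version_string):
    """True if the version is older than the fixed release for its branch.

    Branches newer than 14.6 ship after the fix and are not flagged; branches
    older than 14.4 are flagged because no patched release exists for them
    (assumption documented above).
    """
    v = parse_version(version_string)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    return v < OLDEST_FIXED


def check_version_response(body):
    """Evaluate a GET /api/v4/version JSON body and return a verdict dict.

    'fixed_in' names the patched release on the instance's branch, or None
    when the branch has no listed fix (update to 14.4.5 or later instead).
    """
    data = json.loads(body)
    version = data["version"]
    fixed = FIXED_VERSIONS.get(parse_version(version)[:2])
    return {
        "version": version,
        "affected": is_affected(version),
        "fixed_in": ".".join(map(str, fixed)) if fixed else None,
    }


# Constructed sample responses in the shape the endpoint returns; the
# revision values are placeholders, not real GitLab commits.
SAMPLE_RESPONSES = [
    '{"version":"14.6.1-ee","revision":"0000000"}',
    '{"version":"14.6.2-ee","revision":"0000000"}',
    '{"version":"14.3.6-ce","revision":"0000000"}',
]

if __name__ == "__main__":
    for body in SAMPLE_RESPONSES:
        verdict = check_version_response(body)
        if verdict["affected"]:
            target = verdict["fixed_in"] or "14.4.5 or later"
            print(f'{verdict["version"]}: AFFECTED - update to {target}')
        else:
            print(f'{verdict["version"]}: patched')
```

In practice the body passed to check_version_response would come from an authenticated request to the instance's /api/v4/version endpoint; keeping the comparison in is_affected separate from the HTTP call makes the version logic easy to unit-test and to reuse across an inventory of instances.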


:: References

GitLab Critical Security Release
https://about.gitlab.com/releases/2022/01/11/security-release-gitlab-14-6-2-released/

GitLab instance: security best practices
https://about.gitlab.com/blog/2020/05/20/gitlab-instance-security-best-practices/

Mitre's CVE ID
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0151
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39927


GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCYeBfNQAKCRDBnEyTZRJg
Qo2kAJwJfQW0CPhVZ2yzi+gqnq0L+ESIMwCgu01E7BsNl6Uz02ht6dBMz49XfOU=
=TRfS
-----END PGP SIGNATURE-----