[iterm2-discuss] Possible disclosure of private events in public projects on Gitlab
George Nachman
2018-10-05 20:16:51 UTC
I have received the following communication from Gitlab. If you have
contributed to an issue that was marked private then your information
shared in that issue may have been compromised.

If you have posted debug logs or com.googlecode.iterm2.plist settings files
that contain private information, you may want to take precautions like
changing your passwords.

Please share this information with others who may be interested. Gitlab is
not notifying participants in issues — only maintainers — so the burden is
on me and the rest of the community to get the word out.

Mail from Gitlab follows:

Possible disclosure of private events in public projects


Dear gnachman,

You are receiving this email because you have a public project on
GitLab.com with confidential issues. On September 20, 2018, we were
notified by HackerOne hacker ngalog (https://hackerone.com/ngalog/) of a bug
in GitLab Events API code that resulted in exposure of
confidential issues within all public projects. The issue was introduced in
GitLab 9.3 on June 22nd 2017, and mitigated with the release of 11.3 on
October 1st 2018.

During that time window, incorrect implementation of authorization in the
Events API allowed unauthorized and unauthenticated parties to access
details of private events that belonged to public projects. The problem
affected public projects exclusively (private projects were not affected)
across all deployments of GitLab within the affected version bracket.

Events related to the following target types were exposed:

* Issue (confidential issues)
* Milestone (private milestones)
* Merge_request (private merge requests and their comments)
* Note (private notes)
* Snippet (private snippets)

We investigated 4 months of retained GitLab.com logs, and found no evidence
that unauthorized parties accessed any of your private events. However, we
wanted to err on the side of caution by notifying you.

We apologize for this. We take your information and your data extremely
seriously. In keeping with our company value of transparency, we also
believe in communicating about such incidents clearly and promptly. We will
do everything we can to learn from this incident, and use it to improve
upon our security even further. This blog post has full details on the
incident, impact, and mitigations:

https://about.gitlab.com/2018/10/01/events-api-security-issue/

If you have any further questions, please contact ***@gitlab.com.

Sincerely,
Kathy Wang

GitLab Security Team

Copyright © 2018 GitLab, All rights reserved.

Our mailing address is:
GitLab
268 Bush St #350
San Francisco, CA 94104

--

Jennifer "JJ" Cordz
Marketing Operations, GitLab
***@GitLab.com
https://about.gitlab.com
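As an added illustration of the bug class the notice describes (this is not GitLab's code; the project/event model and the function names below are constructed for the example), a Ruby sketch of an events listing that authorizes on project visibility alone, beside one that also checks each event's own target:

```ruby
# Constructed model of the bug class described in the notice: an events
# listing that authorizes on project visibility only, beside one that also
# authorizes each event's target. Not GitLab's code; all names are assumed.

Project = Struct.new(:name, :public, :members)
Target  = Struct.new(:kind, :confidential)      # kind: "Issue", "Note", ...
Event   = Struct.new(:project, :target, :action)

# Constructed sample data: a public project with one ordinary issue, one
# confidential issue, and a note on the confidential issue.
PROJECT = Project.new("iterm2", true, ["gnachman"])
EVENTS = [
  Event.new(PROJECT, Target.new("Issue", false), "opened"),
  Event.new(PROJECT, Target.new("Issue", true),  "opened"),
  Event.new(PROJECT, Target.new("Note",  true),  "commented"),
].freeze

def project_readable?(project, user)
  project.public || project.members.include?(user)
end

# Target-level check: confidential targets require project membership,
# regardless of whether the project itself is public.
def target_readable?(event, user)
  return true unless event.target.confidential
  event.project.members.include?(user)
end

# Vulnerable variant: once the project is readable, every event is returned,
# so confidential-issue events in public projects reach anonymous callers
# (user = nil).
def visible_events_vulnerable(events, user)
  events.select { |e| project_readable?(e.project, user) }
end

# Hardened variant: each event must also pass the check for its own target.
def visible_events(events, user)
  events.select { |e| project_readable?(e.project, user) && target_readable?(e, user) }
end

if __FILE__ == $PROGRAM_NAME
  puts "anonymous, vulnerable: #{visible_events_vulnerable(EVENTS, nil).size} events"
  puts "anonymous, hardened:   #{visible_events(EVENTS, nil).size} events"
end
```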
--
You received this message because you are subscribed to the Google Groups "iterm2-discuss" group.