[ASA-202104-1] gitlab: multiple issues
Arch Linux Security Advisory ASA-202104-1
=========================================

Severity: Critical
Date    : 2021-04-29
CVE-ID  : CVE-2021-22205 CVE-2021-28965
Package : gitlab
Type    : multiple issues
Remote  : Yes
Link    :

Summary
=======

The package gitlab before version 13.10.3-1 is vulnerable to multiple issues
including arbitrary code execution and incorrect calculation.

Resolution
==========

Upgrade to 13.10.3-1.

# pacman -Syu "gitlab>=13.10.3-1"

The problems have been fixed upstream in version 13.10.3.

Workaround
==========

None.

Description
===========

- CVE-2021-22205 (arbitrary code execution)

An issue has been discovered in GitLab CE/EE affecting all versions starting
from 11.9. GitLab was not properly validating image files that are passed to a
file parser, which resulted in remote command execution. The issue is fixed in
GitLab versions 13.10.3, 13.9.6 and 13.8.8.

- CVE-2021-28965 (incorrect calculation)

When parsing and serializing a crafted XML document, the REXML gem (including
the one bundled with Ruby) can create a wrong XML document whose structure is
different from the original one. The impact of this issue highly depends on
context, but it may lead to a vulnerability in some programs that are using
REXML. The issue is fixed in version 3.2.5 of the REXML gem.

Impact
======

An attacker can crash or execute arbitrary code on the affected server by
providing a maliciously crafted XML or image file.

References
==========
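As an added illustration that is not part of the advisory or of GitLab's code, the kind of consistency check a Ruby service that consumes untrusted XML can run against the REXML round trip described for CVE-2021-28965: parse, serialize, re-parse, and compare the element tree rather than trusting the serialized string. The sample XML and the helper names (xml_shape, round_trip_consistent?, serialize_checked) are constructed for this example.

```ruby
require 'rexml/document'

# Reduce a REXML node to a plain nested structure ([name, sorted attrs,
# children]) so two parses can be compared by shape rather than by the
# raw string, which is where a round-trip mismatch would otherwise hide.
def xml_shape(node)
  case node
  when REXML::Document
    xml_shape(node.root)
  when REXML::Element
    attrs = []
    node.attributes.each_attribute { |a| attrs << [a.expanded_name, a.value] }
    kids = node.children.map { |c| xml_shape(c) }.compact
    [node.expanded_name, attrs.sort, kids]
  when REXML::Text
    text = node.value.strip          # unescaped content, not the markup form
    text.empty? ? nil : text
  else
    nil                              # comments, PIs etc. are ignored here
  end
end

# Parse the untrusted input, serialize it the way the application would
# hand it downstream, re-parse the result, and accept it only if both
# trees have the same shape.
def round_trip_consistent?(xml)
  first  = REXML::Document.new(xml)
  second = REXML::Document.new(first.to_s)
  xml_shape(first) == xml_shape(second)
end

# Guard to call before forwarding serialized XML to another component:
# returns the serialized string, or raises if the round trip changed it.
def serialize_checked(xml)
  raise "XML changed structure on round trip" unless round_trip_consistent?(xml)
  REXML::Document.new(xml).to_s
end

# Constructed sample input (not taken from the advisory).
SAMPLE = '<user id="7"><name>alice &amp; bob</name><role>admin</role></user>'

if $PROGRAM_NAME == __FILE__
  puts xml_shape(REXML::Document.new(SAMPLE)).inspect
  puts round_trip_consistent?(SAMPLE)   # true on a fixed REXML (>= 3.2.5)
end
```

On an affected REXML a crafted document can make the second parse differ from the first, which this check turns into a refusal instead of a silently altered document.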