nexedi / gitlab-ce / Commits

Commit fc925583, authored Jun 07, 2019 by Achilleas Pipinellis
Add type to frontmatter
parent 5e05ec3b
Showing 4 changed files with 17 additions and 4 deletions (+17 -4):

- doc/security/README.md (+1 -0)
- doc/security/crime_vulnerability.md (+7 -3)
- doc/security/information_exclusivity.md (+5 -1)
- doc/security/password_length_limits.md (+4 -0)
doc/security/README.md
---
comments
:
false
type
:
index
---
# Security
...
...
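Review bot: `type: index` is added next to the existing `comments: false`, but nothing in this commit says which `type` values the docs site accepts or how it uses them; across the four files the values are `index`, `reference`, `concepts` and `reference, howto`. Add a pointer (in the commit message or a docs styleguide line) to where the allowed values are defined, otherwise later authors will pick strings by guessing.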
doc/security/crime_vulnerability.md
---
type
:
reference
---
# How we manage the TLS protocol CRIME vulnerability
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
...
...
@@ -7,7 +11,7 @@ authentication cookies, it allows an attacker to perform session hijacking on an
authenticated web session, allowing the launching of further attacks.
(
[
CRIME
](
https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806
)
)
##
#
Description
## Description
The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore
it warns against using SSL Compression (for example gzip) or SPDY which
...
...
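Review bot: the hunk at `@@ -7,7 +11,7 @@` also rewrites the `## Description` heading line (rendered here as removed `##` / `#` / `Description`, added `## Description`), and the hunks below do the same to `## Nessus` and `## References`; the commit message "Add type to frontmatter" does not mention any heading edits. Either split the heading changes into their own commit or state in the message what changed in those three lines, so the history explains the `-3` in this file.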
@@ -24,7 +28,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression
(the 'C') and the default compression level in NGINX's SPDY module is 0
(no compression).
##
#
Nessus
## Nessus
The Nessus scanner,
[
reports a possible CRIME vulnerability
][
nessus
]
in GitLab
similar to the following format:
...
...
@@ -50,7 +54,7 @@ attack nor does it check if compression is enabled. With just this approach, it
cannot tell that SPDY's compression is disabled and not subject to the CRIME
vulnerability.
##
#
References
## References
-
Nginx
[
"Module ngx_http_spdy_module"
][
ngx-spdy
]
-
Tenable Network Security, Inc.
[
"Transport Layer Security (TLS) Protocol CRIME Vulnerability"
][
nessus
]
...
...
doc/security/information_exclusivity.md
---
type
:
concepts
---
# Information exclusivity
Git is a distributed version control system (DVCS).
...
...
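Review bot: `type: concepts` is plural while the other values introduced in this commit (`index`, `reference`, `howto`) are singular; if the docs site matches on these strings, an inconsistency like this silently falls through. Pick one form for the vocabulary and use it in all four files.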
doc/security/password_length_limits.md
---
type
:
reference, howto
---
# Custom password length limits
If you want to enforce longer user passwords you can create an extra Devise initializer with the steps below.
...
...
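Review bot: `type: reference, howto` is the only frontmatter in this commit with two comma-separated values; the other three files use a single bare string. Confirm that whatever consumes the `type` key splits a comma-separated string into a list rather than matching the literal `reference, howto`; if it expects a YAML list, write it as one (`type: [reference, howto]`).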