CVE-2017-12426

Name	CVE-2017-12426
Description	GitLab Community Edition (CE) and Enterprise Edition (EE) before 8.17.8, 9.0.x before 9.0.13, 9.1.x before 9.1.10, 9.2.x before 9.2.10, 9.3.x before 9.3.10, and 9.4.x before 9.4.4 might allow remote attackers to execute arbitrary code via a crafted SSH URL in a project import.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	872190

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
gitlab	unknown	(unstable)	9.5.4+dfsg-7	unimportant		872190

Notes

https://gitlab.com/gitlab-org/gitlab-ce/issues/35212
The fix for git for CVE-2017-1000117 mitgates the issue in gitlab itself.
The CVE is for the issue when importing a project via crafted SSH URLs,
which becomes ineffective with a fixed git version itself.