Security Fixes Necessary to Support Native Debian Package
Our GitLab package maintainer, Praveen, has identified some security fixes that are needed in the latest effort to update the GitLab package for Debian.
Here's the email we got from him:
We have backported some of the security bug fixes to the 8.13 branch, but we need help to complete some remaining ones. These patches are for the nodejs code in the front end, but 8.13 is still using the browserified files directly via the rails assets pipeline.
Current status is here: https://pad.disroot.org/p/gitlab_security_bp
If we can't fix them, we will need to remove the package from the stable release.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888508 for the discussions with the security team.
It is vital that we keep supporting his work to stay on Debian as a native package.