Today we are releasing version 8.7.4 for GitLab Community Edition (CE) and Enterprise Edition (EE). This release includes two security fixes and as such we strongly recommend that all affected users upgrade their GitLab installations as soon as possible.
It includes the following fixes:
ProjectImportDatarecord only if Project is not a mirror (!370)
rake gitlab:db:drop_tablesnow drops tables with cascade (!4020)
IF EXISTSas a precaution (!4100)
It also includes the following security fixes:
The URI scheme of user-supplied links was not being properly sanitized. See the issue for more details.
GitLab Enterprise Edition versions 8.7.0 through 8.7.3 contain an LDAP group sync bug that can lead to GitLab users being added to GitLab groups they do not belong to. We do not know if it is possible for a malicious GitLab user to reliably exploit this bug. Regardless of exploitability, when this bug strikes it makes unwanted changes to your project access controls.
Versions of GitLab EE prior to 8.7.0 are not affected by this bug. All versions of GitLab CE are not affected by this bug. If you are not using LDAP group synchronization in GitLab EE, you are not affected by this bug.
We recommend all users of GitLab EE 8.7.0 through 8.7.3 upgrade to 8.7.4 as soon as possible.
This version does not include any new migrations, and should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a
To update, check out our update page.
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.