Jul 4, 2016 - Robert Speicher

GitLab 8.9.4, 8.8.7, and 8.7.9 released

Today we are releasing versions 8.9.4, 8.8.7, and 8.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).

All versions contain two security fixes, and 8.9.4 additionally contains fixes for another batch of regressions. We recommend that all GitLab installations be upgraded to one of these versions.

Please read on for more details.

  • CE/EE: Fix privilege escalation issue with OAuth external users.
  • CE/EE: Ensure references to private repos aren't shown to logged-out users.
  • CE/EE: Updated breakpoint for sidebar pinning. (!5019)
  • CE/EE: Expiry date on pinned nav cookie. (!5009)
  • CE/EE: Fix wrong line in changelog. (!5008)
  • CE/EE: Handle external issues in IssueReferenceFilter. (!4988)
  • CE/EE: Fix restore warning message. (!4980)
  • CE/EE: Do not show build retry link when build is active. (!4967)
  • CE/EE: Fixed commit avatar alignment. (!4933)
  • CE/EE: Fixed URL on label button when filtering. (!4897)
  • CE/EE: File Browser navigation fixes. (!4891)
  • CE/EE: Resolve "Sub nav isn't showing on file view". (!4890)
  • CE/EE: Fixed search field blur not removing focus. (!4704)
  • EE: Improve how File Lock feature works with nested items. (!497)

Information disclosure via references

Certain GitLab Flavored Markdown references could expose the existence of a private project to logged-out users. See the issue for more details.

Thanks to Ron Arts for responsibly disclosing this issue to us.

Privilege escalation for external users via OAuth

If an external user logged in via an OAuth provider that was not in the external_providers configuration setting, they would erroneously be set to internal. See the issue for more details.

Thanks to Niels Keurentjes for responsibly disclosing this issue to us.

Upgrade barometer

These versions do not include any migrations, and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Sign up for security notices

Want to be alerted to new security patches as soon as they're available? Sign up for our Security Newsletter.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions.

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.