Jan 23, 2017 - Robert Speicher    

GitLab 8.16.1, 8.15.5, 8.14.7, and 8.13.12 Security Release

Today we are releasing versions 8.16.1, 8.15.5, 8.14.7, and 8.13.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we recommend that all affected GitLab installations be upgraded to one of these versions.

Prevent users from creating notes on resources they can't access

An attacker was able to use the API to post comments on resources that they would not otherwise be able to view, which would "subscribe" them to the notifications for that resource and allow them to receive future updates about it, which may contain sensitive information. See #26249 and #26250 for more details.

Prevent users from deleting system deploy keys via the project deploy key API

An attacker was able to delete a system-level deploy key by deleting it from a project they owned via the Deploy Key API. See #26243 for more details.

Ensure export files are removed after a namespace is deleted

If a user performed a project export and then deleted (or moved) its containing namespace, an attacker could claim the namespace and access the existing project export if less than an hour had passed. We now ensure that project exports are immediately removed along with the namespace. See #26242 for more details.

Thanks to Jobert Abma of HackerOne for responsibly disclosing these issues to us.

Upgrade omniauth gem to 1.3.2

OmniAuth 1.3.1 improperly stored POST data in callback parameters. See the issue for more details.

Upgrade barometer

These versions have no migrations and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions RSS

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.