Mar 29, 2017 - Brian Neel    

GitLab 9.0.2 Released

GitLab 9.0.2 security release

Today we are releasing version 9.0.2 for GitLab Community Edition (CE) and Enterprise Edition (EE).

This version contains two important security fixes for the recently introduced nested groups feature of GitLab 9.0. We recommend that all GitLab installations running version 9.0 be upgraded as soon as possible.

These security vulnerabilities do not affect GitLab versions prior to 9.0.

Please read on for more details.

An internal code review discovered that when subgroups containing projects were renamed GitLab would improperly attempt to move the uploads directory of any top-level project of the same name. GitLab was not properly including the full path of projects in subgroups when moving the upload directories. This vulnerability could allow a user to rename upload directories for projects that they did not own, effectively breaking all links to those uploads.

Private group name disclosure via nested groups parent_id in new/update

Yasin Soliman via HackerOne reported that it was possible to disclose the names of private groups by attempting to create subgroups within them. This attack requires identifying the numeric ID of the private group, however these numeric IDs are predictable and easy to guess.

Versions affected

GitLab CE+EE 9.0.0 - 9.0.1

We recommend that all installations listed above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.

Upgrade barometer

This version has no new migrations and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE. Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions RSS

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS, and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.