Apr 11, 2016 - GitLab  

GitLab 8.5.10, 8.4.8, and 8.3.7 Released

Learn more about GitLab Release 8.5.10, 8.4.8, and 8.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Earlier today we released version 8.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

We've backported the Two-factor Authentication security fix mentioned in that release post to previous months' releases, and are releasing versions 8.5.10, 8.4.8, and 8.3.7.

  • CE/EE: Prevent Two-factor Authentication spoofing

Two-factor Authentication spoofing

Jobert Abma of HackerOne alerted us to a security vulnerability related to the two-factor authentication (2FA) method used in GitLab CE and EE.

It was possible for an attacker to bypass password authentication for users that have 2FA enabled, and consequently sign in as a different user without knowing their password, if they could guess the user's current six-digit 2FA validation code.

It was also possible to enumerate users and check if they have 2FA enabled, because GitLab responded with a different error for each case.
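The two weaknesses described above, an OTP check that stands in for the password instead of following it and failure messages that differ by account state, are easiest to see next to a hardened sign-in flow. The Ruby below is an added illustration written for this page, not GitLab's code and not the fix GitLab shipped: it uses a constructed in-memory user store, a minimal RFC 6238 TOTP routine, PBKDF2 password hashes, and a hypothetical `sign_in_flawed` / `sign_in_hardened` pair. The hardened flow verifies the password before it looks at the 2FA code, returns one generic failure message for every failure, compares codes in constant time, and locks the OTP step after `MAX_OTP_FAILURES` wrong codes so a six-digit code cannot simply be guessed.

```ruby
require "openssl"

# Constructed in-memory user record for this example (not GitLab's data model).
User = Struct.new(:login, :salt, :password_hash, :otp_secret, :failed_otp, keyword_init: true)

PBKDF2_ITERATIONS = 20_000   # kept low for the example; tune upward in production
MAX_OTP_FAILURES  = 5        # wrong codes allowed before the OTP step locks
GENERIC_FAILURE   = "invalid login, password or 2FA code"

def hash_password(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: "sha256")
end

# Constant-time comparison so a mismatch does not leak where the strings differ.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Minimal RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).
def totp(secret, time, step: 30, digits: 6)
  counter = [time / step].pack("Q>")                    # 8-byte big-endian counter
  hmac = OpenSSL::HMAC.digest("SHA1", secret, counter)
  offset = hmac.bytes.last & 0x0f                       # dynamic truncation
  code = (hmac.byteslice(offset, 4).unpack1("N") & 0x7fffffff) % (10**digits)
  format("%0#{digits}d", code)
end

def build_user(login:, password:, otp_secret: nil)
  salt = OpenSSL::Random.random_bytes(16)
  User.new(login: login, salt: salt, password_hash: hash_password(password, salt),
           otp_secret: otp_secret, failed_otp: 0)
end

# Flawed flow, illustrating the post's two findings: a submitted OTP is accepted
# *instead of* the password, and every failure names a different reason.
def sign_in_flawed(users, login, password: nil, otp: nil, now: Time.now.to_i)
  user = users[login]
  return [:fail, "user not found"] unless user
  if user.otp_secret
    return [:fail, "2FA code required"] if otp.nil?
    return [:ok, user.login] if otp == totp(user.otp_secret, now)   # password never checked
    return [:fail, "invalid 2FA code"]
  end
  return [:ok, user.login] if secure_equal?(hash_password(password.to_s, user.salt), user.password_hash)
  [:fail, "invalid password"]
end

# Hardened flow: password first, then OTP as a second factor; one message for
# every failure; constant-time code check; lockout after repeated wrong codes.
def sign_in_hardened(users, login, password:, otp: nil, now: Time.now.to_i)
  user = users[login]
  # Hash even for unknown logins so the unknown-user path costs the same time.
  salt = user ? user.salt : "constructed-dummy-salt"
  candidate = hash_password(password.to_s, salt)
  return [:fail, GENERIC_FAILURE] unless user && secure_equal?(candidate, user.password_hash)
  return [:ok, user.login] unless user.otp_secret
  # Once locked, even the right code is refused (unlock policy is out of scope here).
  return [:fail, GENERIC_FAILURE] if user.failed_otp >= MAX_OTP_FAILURES
  # Accept the current and the previous step to tolerate small clock skew.
  valid = [now, now - 30].any? { |t| secure_equal?(otp, totp(user.otp_secret, t)) }
  if valid
    user.failed_otp = 0
    [:ok, user.login]
  else
    user.failed_otp += 1
    [:fail, GENERIC_FAILURE]
  end
end
```

With this structure an unknown login, a wrong password, a missing code and a wrong code all produce the same `GENERIC_FAILURE`, so a caller cannot tell whether an account exists or has 2FA enabled, and the OTP is only ever evaluated after the password has already been verified. Real deployments would add per-IP rate limiting and an unlock path on top of the per-user counter shown here.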

Upgrade barometer

This version does not include any new migrations, and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
