Today we are releasing versions 8.9.2, 8.8.6, and 8.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain security fixes, and we recommend that all GitLab installations be upgraded to one of these versions.
Please read on for more details.
Information disclosure via Snippet search
It was possible for guests to find snippets set to "Internal" via search. See the issue for more details. This vulnerability affected both the default search backend and the Elasticsearch backend in GitLab EE, and both have been fixed.
Thanks to Teun Beijers for responsibly disclosing this issue to us.
Information disclosure via "Request Access to Group" feature
It was possible for a user to see a list of private projects in a group simply by requesting access to it. See the issue for more details. This feature was only introduced in GitLab 8.9, so versions 8.8 and 8.7 were not affected by this vulnerability.
Thanks to Colin Dean for responsibly disclosing this issue to us.
Security fix in
We've upgraded our version of
ruby-saml to address CVE-2016-5697. See the
merge request for more details.
These versions do not include any migrations, and should not require any downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a
To update, check out our update page.
Sign up for security notices
Want to be alerted to new security patches as soon as they're available? Sign up for our Security Newsletter.
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.Share your feedback