GitLab 8.12.3, 8.11.8, 8.10.11 and 8.9.11 released

Today we are releasing versions 8.12.3, 8.11.8, 8.10.11 and 8.9.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Version 8.12.3 contains some security fixes for GitLab, plus fixes for minor regressions. Version 8.11.8, 8.10.11, and 8.9.11 only contain the security fixes.

If you're wondering what happened to 8.12.2, good eye! That version was accidentally packaged without including some fixes for the CE version.

Please read on for more details.

• CE/EE: Enforce the fork_project permission in Projects::CreateService.
• CE/EE: Set a restrictive CORS policy for the API.
• CE/EE: API: Disable Rails session auth for non-GET/HEAD requests.
• CE/EE: Escape HTML nodes in builds commands in CI linter.
• CE/EE: Send ajax request for label update only if they are changed. (!5071)
• CE/EE: Pass the full project path for resolve buttons. (!6129)
• CE/EE: Fix list issues not loading with spaces in filtered values. (!6258)
• CE/EE: Fix LDAP omniauth regression (Closes: #22357). (!6462)
• CE/EE: Fix awards dropdown search text from repeating. (!6498)
• CE/EE: Fix issue with rails reserved keyword type exporting/importing services. (!6499)
• CE/EE: Fix snippets pagination. (!6500)
• CE/EE: Wrap List-Unsubscribe link in angle brackets. (!6511)
• CE/EE: Fix the "Commits" section of the cycle analytics summary. (!6513)
• CE/EE: Fix Import/Export milestone and 1to1 models issue. (!6521)
• CE/EE: Bump Gitlab Shell to support low IO priority for storage moves. (!6525)
• CE/EE: Add v-cloak to resolve disc button. (!6528)
• CE/EE: Be nice to Docker Clients talking to JWT/auth. (!6536)
• CE/EE: Fix IssuesController#show degradation including project on loaded notes. (!6540)
• CE/EE: Fix pipelines table headers. (!6542)
• CE/EE: Do not regenerate the lfs_token every time git-lfs-authenticate is called. (!6551)
• CE/EE: Change the v-cloak attr to hash rocket and string 'true'. (!6553)

• CE/EE: Fix duplicate master entries in the merge request versions dropdown. (!6567)

• EE: ES: Fix internal data exposure. (8.12.2 only)
• EE: Add missing URL param to ajax call. (!760)
• EE: Ignore unknown project ID in RepositoryUpdateMirrorWorker. (!754)

• EE: Fix prevent_secrets checkbox on admin view. (!761)

• Omnibus GitLab Update openssl to 1.0.2j to get the latest security fixes. (!1006)
• Omnibus GitLab Update to latest cacerts file. (!1007)

Information disclosure through Global Code Search

The new Global Code Search feature introduced in GitLab 8.12.0 was returning titles of projects, milestones, issues, and merge requests from internal projects to anonymous. See #1046 for more information.

Thanks to Christian Bönning for reporting this issue.

API: Restrictive CORS policy

Previous versions set Access-Control-Allow-Credentials: true for all origins in their CORS policy. Combined with #18302, this resulted in a JavaScript request spoofing vulnerability. See #22450 for more information.

API: CSRF protection

Issue #18302 also introduced a vulnerability allowing third-party websites to spoof API requests using forms, which is mitigated in these releases. See #22435 for more information.

Wrong permission enforcement in ForkService

A user with the "Guest" role could fork a project, and therefore gain access to the code, even though this was restricted to the "Reporter" level and above. See #18028 for more information.

Upgrade barometer

This version has no migrations and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Sign up for security notices

Want to be alerted to new security patches as soon as they're available? Sign up for our Security Newsletter.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.