Today we are releasing versions 8.14.3, 8.13.8, and 8.12.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to one of these versions immediately.
Please read on for more details.
Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers
Jobert Abma of HackerOne reported a critical vulnerability in the GitLab Issue and Merge Request trackers that could allow a user with access to any project to delete all issues and merge requests from all GitLab projects. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user.
This issue is the result of un-sanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0. Please see the issue for more details.
This issue has been assigned CVE-2016-9469.
Versions affected
- 8.14.0 through 8.14.2
- 8.13.0 through 8.13.7
We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.
Workarounds
If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.
You only need to apply one of these workarounds.
Securing via Omnibus configuration
For Omnibus installations using the bundled Nginx web server, edit
/etc/gitlab/gitlab.rb
and add the following line:
nginx['custom_gitlab_server_config'] = "if ($args ~* 'state=delete|state=destroy') { return 404; }\n"
Then run sudo gitlab-ctl reconfigure
for the changes to take effect.
Securing via web server configuration
If you are using an external web server with Omnibus or have installed GitLab from source, add the following lines to your web server's configuration file.
For Nginx:
if ($args ~* 'state=delete|state=destroy') { return 403; }
For Apache with mod_rewrite:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
RewriteRule ^(.*)$ - [F,L]
Then reload the server for changes to take effect.
Securing via HAProxy configuration
Add the following lines to your configuration and restart the service:
acl bad_filter_uri path_sub,url_dec -i state=destroy state=delete
http-request deny if bad_filter_uri
Securing via patch
To temporarily patch just the critical vulnerability, apply the following diff:
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index e42d5af..2c9412b 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -7,7 +7,7 @@
# current_user - which user use
# params:
# scope: 'created-by-me' or 'assigned-to-me' or 'all'
-# state: 'open' or 'closed' or 'all'
+# state: 'opened' or 'closed' or 'all'
# group_id: integer
# project_id: integer
# milestone_title: string
@@ -183,10 +183,13 @@ class IssuableFinder
end
def by_state(items)
- params[:state] ||= 'all'
-
- if items.respond_to?(params[:state])
- items.public_send(params[:state])
+ case params[:state].to_s
+ when 'closed'
+ items.closed
+ when 'merged'
+ items.respond_to?(:merged) ? items.merged : items.closed
+ when 'opened'
+ items.opened
else
items
end
Verifying the workaround
- Browse to a project
- Open the project's issue tracker
- Choose the "closed" tab
- Adjust the "state" field in your browser's address bar to "deleteme"
- Verify you receive a
403 Forbidden
error
Note: If you only applied the patch you will receive no errors here.
Git Security Patch
Omnibus packages for these versions contain a security patch for git 2.7.4 that prevents malicious repositories from using HTTP redirects to steal or corrupt data. More information on this patch can be found here.
Other fixes in 8.14.3
- CE/EE: Revert signin tab order fix. (!7538)
- CE/EE: Allow dots in group names to pass validation for Create Group and Edit Group forms (!7723)
- CE/EE: Pass commit data to ProcessCommitWorker (!7744)
- CE/EE: Resolve "Merge request dashboard page takes over a minute to load" (!7760)
- CE/EE: Fix GitHub importer to import PR where source repo/fork was renamed/deleted (!7865)
- CE/EE: Fix URL rewritting in the Help section (!7875)
-
CE/EE: Fixes ActionView::Template::Error: undefined method
text?
for nil:NilClass (!7893) - EE: Save some queries on issuable dashboard. (!935)
- EE: Expose add-ons associated to the license in /license endpoint. (!907)
Upgrade barometer
These versions do include a single migration, and will require brief downtime of typically less than one minute.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a /etc/gitlab/skip-auto-migrations
file.
Updating
To update, check out our update page.
Enterprise Edition
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback