Jan 23, 2017 - Robert Speicher    

GitLab 8.16.1, 8.15.5, 8.14.7, and 8.13.12 Security Release

Learn more about GitLab Release 8.16.1, 8.15.5, 8.14.7, and 8.13.12 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 8.16.1, 8.15.5, 8.14.7, and 8.13.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we recommend that all affected GitLab installations be upgraded to one of these versions.

Prevent users from creating notes on resources they can't access

An attacker was able to use the API to post comments on resources that they would not otherwise be able to view, which would "subscribe" them to the notifications for that resource and allow them to receive future updates about it, which may contain sensitive information. See #26249 and #26250 for more details.

Prevent users from deleting system deploy keys via the project deploy key API

An attacker was able to delete a system-level deploy key by deleting it from a project they owned via the Deploy Key API. See #26243 for more details.

Ensure export files are removed after a namespace is deleted

If a user performed a project export and then deleted (or moved) its containing namespace, an attacker could claim the namespace and access the existing project export if less than an hour had passed. We now ensure that project exports are immediately removed along with the namespace. See #26242 for more details.

Thanks to Jobert Abma of HackerOne for responsibly disclosing these issues to us.

Upgrade omniauth gem to 1.3.2

OmniAuth 1.3.1 improperly stored POST data in callback parameters. See the issue for more details.

Upgrade barometer

These versions have no migrations and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source