Today we are releasing versions 9.0.4, 8.17.5, and 8.16.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain several security fixes, including security upgrades for Mattermost, a fix for script injection using class attributes, a fix for a private project name disclosure vulnerability, a fix for a file path disclosure vulnerability, and fixes for two open redirect vulnerabilities. We recommend that all GitLab installations be upgraded to one of these versions.
Please read on for more details.
Security Upgrade for Mattermost versions 3.7 and 3.6
Mattermost has not yet released full details, however an important security release was published and Mattermost has advised all users to upgrade immediately. GitLab versions 8.16 and 8.17 have been upgraded to Mattermost 3.6.5 and GitLab version 9.0 has been upgraded to Mattermost 3.7.3. #2179
class attribute in Markdown code
Private project name disclosure in merge requests
Timo Schmid from ERNW reported an information disclosure vulnerability in GitLab merge requests that allowed an attacker to disclose the names of private repositories. #29364
Path disclosure in project import/export
Timo Schmid from ERNW also reported an information disclosure vulnerability in the GitLab project import feature that allowed an attacker to disclose the full path names for GitLab export directories when imports are allowed from GitLab export files. Paths could also be disclosed by repeatedly attempting to create a project export file. #29363
Open redirect vulnerabilities in the GitLab dashboard
Eaden McKee via HackerOne reported three open redirect vulnerabilities in GitLab
dashboard pages. The todos, issues, and merge request dashboards were vulnerable.
By including a
host field in the URL an attacker could redirect a GitLab user
to the website of their choosing. #29651
Open redirect vulnerability in project import status
Yasin Soliman via HackerOne reported an open redirect vulnerability in the GitLab
project import status page. By including a specially crafted
in the URL an attacker could redirect a GitLab user to the website of their choosing. #29651
- GitLab CE+EE Omnibus (with Mattermost enabled) 7.14-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
class attribute in Markdown code:
- GitLab CE+EE 8.0.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Private project name disclosure in merge requests:
- GitLab CE+EE 7.1.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Path disclosure in project import/export:
- GitLab CE+EE 8.8.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Open redirects in dashboards:
- GitLab CE+EE 8.16.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Open redirect in project import status:
- GitLab CE+EE 8.6.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
These versions do not include any migrations and will not require downtime.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a
To update, check out our update page.
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.Share your feedback