GitLab 10.1.2, 10.0.6, and 9.5.10 released

Today we are releasing versions 10.1.2, 10.0.6, and 9.5.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain several security fixes, including updates for several third party applications shipped with GitLab Omnibus packages, a fix for a Server-side Request Forgery (SSRF) bypass, the re-introduction of a GitLab Geo security fix that was omitted from GitLab 10.1 releases, and some security header additions to the GitLab API.

We recommend that all GitLab installations be upgraded to one of these versions.

Please read on for more details.

Security vulnerabilities in curl

The version of curl included with GitLab Omnibus packages has been updated to patch several security vulnerabilities. #2905

Versions affected

GitLab Omnibus CE+EE 9.5.9 and earlier, 10.0.0–10.0.5, 10.1.0–10.1.1

SSRF vulnerability via project import

edio via HackerOne discovered that GitLab SSRF protections in project imports did not properly translate IP addresses written in decimal, octal, or other formats. This could allow a malicious user to send project import requests to services running on the local interface of a GitLab instance, possibly resulting in unexpected behavior. #33310

Versions affected

GitLab CE+EE 9.5.9 and earlier, 10.0.0–10.0.5, 10.1.0–10.1.1

Missing X-Content-Type-Options header in API Responses

During an external security audit performed by Recurity-Labs it was discovered that the GitLab API did not include an HTTP X-Content-Type-Options header. The lack of this header could make it easier for attackers to exploit other, undiscovered, vulnerabilities using the GitLab API. #36099

Versions affected

GitLab CE+EE 9.5.9 and earlier, 10.0.0–10.0.5, 10.1.0–10.1.1

Mattermost updates

Mattermost has recently released important security fixes for the Mattermost versions included with GitLab CE+EE Omnibus packages. Details will be made available on Mattermost's website according to their responsible disclosure policy.

Versions affected

GitLab Omnibus CE+EE 9.5.9 and earlier, 10.0.0–10.0.5, 10.1.0–10.1.1 running Mattermost

GitLab Geo JSON web tokens do not expire

An internal code review discovered that the GitLab Geo JSON web tokens (JWT) used to replicate data between Geo instances were not configured to expire. Without expiration these tokens could be used forever and presented an increased risk of compromise should a token be accidentally disclosed. Geo web tokens are now configured to expire after two minutes. #3787

Versions affected

GitLab EE 8.9–9.5.9, 10.0.0–10.0.5, 10.1.0–10.1.1

Security risk in recommended GitLab Geo configuration could give all users access to all repositories

The GitLab 9.5.4 security release contained a fix for a GitLab Geo vulnerability that could allow any user of a GitLab Geo instance to clone any repository on the secondary Geo instance. This patch was included in the later 9.5 and 10.0 releases but was mistakenly excluded from the 10.1.0 and 10.1.1 releases. #3899

Versions affected

GitLab EE 10.1.0–10.1.1

MySQL fix for Pivotal users

This security release also contains a non-security fix for a bug involving MySQL that could prevent GitLab users who use GitLab PCF tile from upgrading. The fix itself is not a security fix but has been included to allow GitLab Pivotal users to apply these security updates. #38372

---

We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.

Upgrade barometer

These versions do not include any migrations and will not require downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.