Today we are releasing versions 16.10.2, 16.9.4, 16.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.
GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook and security FAQ. You can see all of GitLab release blog posts here.
For security fixes, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.
We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance in our blog post.
Recommended Action
We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.
Security fixes
Table of security fixes
| Title | Severity |
|---|---|
| Stored XSS injected in diff viewer | High |
| Stored XSS via autocomplete results | High |
| Redos on Integrations Chat Messages | Medium |
| Redos During Parse Junit Test Report | Medium |
Stored XSS injected in diff viewer
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-3092.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Stored XSS via autocomplete results
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims.
This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7).
It is now mitigated in the latest release and is assigned CVE-2024-2279.
Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program.
Redos on Integrations Chat Messages
A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-6489.
Thanks Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
Redos During Parse Junit Test Report
An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit test report file.
This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3).
It is now mitigated in the latest release and is assigned CVE-2023-6678.
Thanks Anonymizer for reporting this vulnerability through our HackerOne bug bounty program.
Bug fixes
16.10.2
- Quarantine flaky atomic processing ResetSkippedJobsService specs
- Fix include_optional_metrics_in_service_ping during migration to 16.10
- Use alpine:latest instead of alpine:edge in CI images [16.10]
- [16.10] Backport Delete callback should use namespace_id
- [16.10] Backport handle null owner when indexing projects
- Backport Zoekt: Retry indexing if too many requests to 16.10
- Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148596
- Fix URL validator for mirror services when using localhost
- Backport !148105 into 16.10
- Cherry-pick 'fix-omnibus-gitconfig-deprecation' into '16-10-stable'
16.9.4
- Quarantine flaky atomic processing ResetSkippedJobsService specs
- Use alpine:latest instead of alpine:edge in CI images [16.9]
16.8.6
- Quarantine flaky atomic processing ResetSkippedJobsService specs
- Use alpine:latest instead of alpine:edge in CI images [16.8]
Updating
To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page.
Receive Patch Notifications
To receive patch blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our patch release RSS feed or our RSS feed for all releases.
We’re combining patch and security releases
This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback