GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

2024-11-13T00:00:00+00:00

Today we are releasing versions 17.5.2, 17.4.4, 17.3.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p>

These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p>

GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p>

For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p>

We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p>

Recommended Action</h3>
We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p>
When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p>
Security fixes</h2>
Table of security fixes</h3>

Title</th> Severity</th> </tr> </thead>

Unauthorized access to Kubernetes cluster agent</a></td> High</td> </tr>
Device OAuth flow allows for cross window forgery</a></td> Medium</td> </tr>
Denial of Service by importing malicious crafted FogBugz import payload</a></td> Medium</td> </tr>
Stored XSS through javascript URL in Analytics dashboards</a></td> Medium</td> </tr>
HTML injection in vulnerability Code flow could lead to XSS on self hosted instances</a></td> Medium</td> </tr>
Information disclosure through an API endpoint</a></td> Medium</td> </tr> </tbody> </table>
Unauthorized access to Kubernetes cluster agent</h3>
An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes agent in a cluster under specific configurations. This is a high severity issue (`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>, 8.5). It is now mitigated in the latest release and is assignedCVE-2024-9693</a>.</p>`
`This vulnerability was found internally by a GitLab team member Tiger Watson</a>.</p>`
Device OAuth flow allows for cross window forgery</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as the victim via the Device OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-7404</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of Service by importing malicious crafted FogBugz import payload</h3> A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14.1 prior to 17.3.7, 17.4 prior to 17.4.4, and 17.5 prior to 17.5.2. A denial of service could occur upon importing maliciously crafted content using the Fogbugz importer. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS through javascript URL in Analytics dashboards</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. The vulnerability could allow an attacker to inject malicious JavaScript code in Analytics Dashboards through a specially crafted URL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code></a>, 6.1). It is now mitigated in the latest release and is assigned CVE-2024-8648</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> HTML injection in vulnerability Code flow could lead to XSS on self hosted instances</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. Improper output encoding could lead to XSS if CSP is not enabled. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code></a>, 5.4). It is now mitigated in the latest release and is assigned CVE-2024-8180</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Information disclosure through an API endpoint</h3> An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-10240</a>.</p> This vulnerability has been discovered internally by GitLab team member Patrick Bajao</a>.</p> Mattermost Security Updates October 28, 2024</h3> Mattermost has been updated to versions 10.1.2, which contains several patches and security fixes.</p> Bug fixes</h2> 17.5.2</h3> Security patch upgrade alert: Only expose to admins 17-5</a></li> [backport] Add epic to the scope and fix the flaky spec</a></li> [Backport] Fix indexing subgroup associations</a></li> Skip creating tables as partitions if any partition exists</a></li> Add knn index setting for workitem index for opensearch clusters</a></li> [Backport]Fix new project group templates pagination</a></li> Update pdf worker file path in pdf viewer</a></li> [backport] Fix issue label facet can overwrite selected labels</a></li> Fix workitem job in 17-5-stable-ee branch</a></li> [Backport] Go-get: return 404 error code when personal token is invalid</a></li> Add param filtering to avoid error while saving project settings</a></li> Skip multi-version upgrade migration spec on default branches</a></li> Fix group wiki activity events breaking the user feed</a></li> Destroy merge train car after branch deletion</a></li> Backport: Remove permissions JSONB column from the condition</a></li> </ul> 17.4.4</h3> Backport fix for incorrect error classification to 17.4</a></li> Backport 17-4: Update GoCloud to a version that supports s3ForcePathStyle</a></li> Use dump from 17.3.5 since 17.3 is the previous required stop</a></li> Security patch upgrade alert: Only expose to admins 17-4</a></li> Fix workitem job in 17-4-stable-ee branch</a></li> Don't run e2e:test-product-analytics</a></li> Ensure auto_merge_enabled is set when validating merge trains</a></li> Destroy merge train car after branch deletion</a></li> Fix broken merge train merge when target branch deleted</a></li> Backport: Remove permissions JSONB column from the condition</a></li> Update pdf worker file path in pdf viewer</a></li> </ul> 17.3.7</h3> Backport dragonboat's file permission error to 17.3</a></li> Use dump from 16.11.8 since 16.11 is the previous required stop</a></li> Fix workitem job in 17-3-stable-ee branch</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.5.1, 17.4.3, 17.3.6 2024-10-23T00:00:00+00:00 Today we are releasing versions 17.5.1, 17.4.3, 17.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> HTML injection in Global Search may lead to XSS</a></td> High</td> </tr> DoS via XML manifest file import</a></td> Medium</td> </tr> </tbody> </table> HTML injection in Global Search may lead to XSS</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code></a>, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-8312</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DoS via XML manifest file import</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-6826</a>.</p> Thanks a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update regarding helm charts, devkit and analytics stack</h3> Helm charts</code>, devkit</code> and analytics stack</code> have been patched to no longer support dynamic funnels.</p> Bump Ingress NGINX Controller image to 1.11.2</h3> The GitLab chart bundles a forked Ingress NGINX Controller subchart. We've updated its image version to 1.11.2.</p> Bug fixes</h2> 17.5.1</h3> Security patch upgrade alert: Only expose to admins</a></li> Backport: Ensure postgresql_new is included in GitLab CE</a></li> </ul> 17.4.3</h3> Resolve "UBI FIPS: Error in bashrc due to hardening script" (17.4)</a></li> Backport: fix: Allow non-root user to run the bundle-certificates script 17.4</a></li> Backport gocloud.dev update to 17.4</a></li> Backport bundle fetch fsck fix to 17.4</a></li> Backport Stable Branch Danger Checks to 17-4-stable-ee</a></li> Add version to pdf.js file in webpack builds</a></li> Backport: Skip rspec fail-fast jobs if pipeline:skip-rspec-fail-fast label is set</a></li> Backport fix Zoekt global code search</a></li> Set author on issuable to current user if it is not already set</a></li> Backport LabKit v1.21.2 update to fix broken dependency</a></li> Fix broken duo chat spec after free access cutoff [17.4]</a></li> Backport: Ensure postgresql_new is included in GitLab CE</a></li> </ul> 17.3.6</h3> Resolve "UBI FIPS: Error in bashrc due to hardening script" (17.3)</a></li> Backport CreateRepositoryFromURL error handling to 17.3</a></li> Set author on issuable to current user if it is not already set</a></li> Fix broken duo chat spec after free access cutoff [17.3]</a></li> Backport Stable Branch Danger Checks to 17-3-stable-ee</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.5 released with Duo Quick Chat AI code assistance. 2024-10-17T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.5 with code assistance in IDEs from GitLab Duo Quick Chat</a>, self-hosted models for GitLab Duo Code Suggestions</a>, export code suggestion usage events</a>, MR conversations with GitLab Duo Chat</a> and much more!</p> These are just a few highlights from the 125+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 200 contributions you provided to GitLab 17.5! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 17.6 release kickoff video.</p> GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9 2024-10-09T00:00:00+00:00 Today we are releasing versions 17.4.2, 17.3.5, 17.2.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</strong></p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Run pipelines on arbitrary branches</a></td> Critical</td> </tr> An attacker can impersonate arbitrary user</a></td> High</td> </tr> SSRF in Analytics Dashboard</a></td> High</td> </tr> Viewing diffs of MR with conflicts can be slow</a></td> High</td> </tr> HTMLi in OAuth page</a></td> High</td> </tr> Deploy Keys can push changes to an archived repository</a></td> Medium</td> </tr> Guests can disclose project templates</a></td> Medium</td> </tr> GitLab instance version disclosed to unauthorized users</a></td> Low</td> </tr> </tbody> </table> Run pipelines on arbitrary branches</h3> An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 9.6). It is now mitigated in the latest release and is assigned CVE-2024-9164</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> An attacker can impersonate arbitrary user</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 11.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8970</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> SSRF in Analytics Dashboard</h3> An issue has been discovered in GitLab EE affecting all versions starting from 15.10 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. Instances with Product Analytics Dashboard configured and enabled could be vulnerable to SSRF attacks. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code></a>, 8.2). It is now mitigated in the latest release and is assigned CVE-2024-8977</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Viewing diffs of MR with conflicts can be slow</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 13.6 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, were viewing diffs of MR with conflicts can be slow. This is a high severity issue (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-9631</a>.</p> Thanks a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> HTMLi in OAuth page</h3> A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 17.1 prior 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2. When authorising a new application, it can be made to render as HTML under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-6530</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Deploy Keys can push changes to an archived repository</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.2.9, starting from 17.3 prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows deploy keys to push to an archived repository. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code></a>, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-9623</a>.</p> Thanks stevenorman</a> for reporting this vulnerability.</p> Guests can disclose project templates</h3> An issue has been discovered discovered in GitLab EE/CE affecting all versions starting from 11.4 before 17.2.9, all versions starting from 17.3 before 17.3.5, all versions starting from 17.4 before 17.4.2 It was possible for guest users to disclose project templates using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5005</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> GitLab instance version disclosed to unauthorized users</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.2.9, from 17.3 prior to 17.3.5, and from 17.4 prior to 17.4.2. It was possible for an unauthenticated attacker to determine the GitLab version number for a GitLab instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.7). It is now mitigated in the latest release and is assigned CVE-2024-9596</a>.</p> This issue was discovered internally by GitLab team member Paul Gascou-Vaillancourt</a>.</p> Bug fixes</h2> 17.4.2</h3> Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-4-stable</a></li> Backport grpc-go v1.67.1 upgrade to 17.4</a></li> Update expected vulnerability in enable_advanced_sast_spec.rb</a></li> Skip multi-version upgrade job for stable branch MRs</a></li> Backport 17.4 Fix label filter by name for search</a></li> Restrict duo pro assignment email to duo pro for sm</a></li> Drop project_id not null constraint ci_deleted_objects</a></li> [Backport] Go-get: fix 401 error for unauthenticated requests</a></li> </ul> 17.3.5</h3> Backport: fix: Specify an absolute directory for SCHEMA_VERSIONS_DIR to 17-3-stable</a></li> Backport: fix: Allow non-root user to run the bundle-certificates script 17.3</a></li> Skip multi-version upgrade job for stable branch MRs</a></li> Ensure restricted visibility levels is an array - 17.3 backport</a></li> </ul> 17.2.9</h3> Skip multi-version upgrade job for stable branch MRs</a></li> Ensure restricted visibility levels is an array - 17.2 backport</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.4.1, 17.3.4, 17.2.8 2024-09-25T00:00:00+00:00 Today we are releasing versions 17.4.1, 17.3.4, 17.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below be upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request</a></td> Medium</td> </tr> AI feature reads unsanitized content, allowing for attacker to hide prompt injection</a></td> Low</td> </tr> Project reference can be exposed in system notes</a></td> Low</td> </tr> </tbody> </table> Maintainer can leak Dependency Proxy password by changing Dependency Proxy URL via crafted POST request</h3> An information disclosure issue has been discovered in GitLab EE affecting all versions starting from 16.5 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. A maintainer could obtain a Dependency Proxy password by editing a certain Dependency Proxy setting via a POST request. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code></a>, 5.5). It is now mitigated in the latest release and is assigned CVE-2024-4278</a>.</p> Thanks ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> AI feature reads unsanitized content, allowing for attacker to hide prompt injection</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could've allowed an attacker to hide prompt injection. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-4099</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project reference can be exposed in system notes</h3> An information disclosure issue has been discovered in Gitlab EE/CE affecting all versions from 15.6 prior to 17.2.8, 17.3 prior to 17.3.4, and 17.4 prior to 17.4.1. In specific conditions it was possible to disclose the path of a private project to an unauthorized user. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>, 2.6). It is now mitigated in the latest release and is assigned CVE-2024-8974</a>.</p> This vulnerability has been discovered internally by GitLab team member Lukas Eipert</a>.</p> Mattermost Security Updates August 27, 2024</h3> Mattermost has been updated to version 9.11.1, which contains several patches and security fixes.</p> Bug fixes</h2> 17.4.1</h3> Improve OpenSSL callout message</a></li> Change urgency of API project/:id/share to low</code></a></li> Check commit message for issue close pattern setting</a></li> Backport: Fixes issues with incorrectly displaying VR button</a></li> Backport 'Fix incorrect gitlab-shell-check filename' into 17.4</a></li> Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> 17.3.4</h3> Improve OpenSSL callout message</a></li> Fix Code Review AI features policies to check duo features enabled toggle</a></li> Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> 17.2.8</h3> Improve OpenSSL callout message</a></li> Update OpenSSL v3 callout to delay update to GitLab 17.7</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Critical Patch Release: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10 2024-09-25T00:00:00+00:00 Today we are releasing versions 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, and 16.0.10 for GitLab Community Edition (CE) and Enterprise Edition (EE). This extends the security fixes previously added to 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10.</p> These versions contain backports of an important security fix which was previously released for GitLab versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10</a>. We strongly recommend that all affected self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Special thanks goes to Roger Meier (@bufferoverflow) who originally created the merge request in Canonical.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issue described below be upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> SAML authentication bypass</a></td> Critical</td> </tr> </tbody> </table> SAML authentication bypass</h3> Updates dependencies omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p> Self Managed GitLab: Known Mitigations</h4> The following mitigation for self-managed GitLab installations prevents successful exploitation of CVE-2024-45409</a>:</p> Enable GitLab two-factor authentication</a> for all user accounts</a> on the GitLab self-managed instance (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability) and</strong></li> Do not allow the SAML two-factor bypass</a> option in GitLab.</li> </ol> Self Managed GitLab: Identifying & Detecting Exploitation Attempts</h4> Evidence of attempted or successful exploitation of Ruby-SAML (CVE-2024-45409</a>) will be present in the GitLab application_json</a> and auth_json</a> log files.</p> Unsuccessful Exploit Attempt - Hunting</h5> Unsuccessful exploitation attempts may generate a ValidationError</code> from the RubySaml</code> library. This could be for a variety of reasons related to the complexity of crafting a working exploit.</p> Two examples are shown below, but the error may manifest with other descriptions. The common string to search for is RubySaml::ValidationError</code> inside the application_json log.</p> Invalid ticket due to incorrect callback URL Example log event:</li> {"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}</code></li> </ol> </li> Invalid ticket due to a certificate signing issue Example log event:</li> "message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"</code></li> </ol> </li> </ol> Successful Exploitation - Hunting</h5> Successful exploitation attempts will trigger SAML related log events. However, there may be differences that make an exploit attempt unique from legitimate SAML authentication events.</p> A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation. Therefore, identifying a unique extern_uid that is not common in your organization could be an indicator of potential exploitation.</p> Example exploit authentication event in the application_json log file, with a extern_id set in exploit PoC code: Log event:</li> {"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}</code></li> </ol> </li> </ol> When crafting an exploit, there are many SAML assertions</a> an attacker would need to craft to perfectly replicate a legitimate login. These include both the key and value fields that you specify at your IdP, and may be unknown to unauthorized individuals - especially if you have customized these attributes.</p> You can review your auth_json log file to look for SAML responses with incorrect or missing information in the attributes</code> section.</p> Example of a SAML authentication event in the auth_json log file. "severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}</code></li> </ol> </li> </ol> Detecting Exploitation Attempts</h5> For self managed customers forwarding GitLab application_json logs to a SIEM, creating detections to detect Ruby-SAML (CVE-2024-45409</a>) exploitation attempts is possible. Our team is sharing two threat detections rules, written in Sigma format, to detect potential exploitation.</p> Note:</strong> These detections may need to be tuned and modified to customer environments in order to deliver effective results, and due to varying configurations of different customer environments, customers should validate the legitimacy and accuracy of any events identified by these detections.</p> Users with more than 1 unique extern_uid over time</h5> This detection is designed to identify an authenticated SAML user with more than one extern_uid values linked to authentication events, a potential indication of malicious authentications with an attacker set extern_uid field.</p> title: Multiple extern_ids description: Detects when their are multiple extern_id's associated with a user. author: Gitlab Security Engineering date: 09/15/2024 schedule: "/10 * * " pseudocode: | select log source application.log where 7d < event_time < now() where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml" regex(message, "saving user (?<user_email>\S+) .extern_uid \S+ (?<extern_id>[\S]+)") count extern_id by user_email as total_extern_ids where total_extern_ids > 1 verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs. tuning: N/A </code></pre></div> GitLab SAML authentication from a different IP address than other iDP events for the same user over time</h5> This detection is designed to correlate authentication events, grouped by user, against both GitLab SAML authentication events as well as other iDP authentication events in an effort to identify any change in user IP address, which could be an indication of attacker authentication sessions.</p> title: Gitlab SAML IP differs from SSO IP description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the users known IP from SSO MFA logs. author: Gitlab Security Engineering date: 09/15/2024 schedule: "/10 * * " pseudocode: | select log source application.log where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml" regex(message, "saving user (?<user_email>\S+) ") #Create sub-query to bring in table from SSO authentication data select meta_remote_ip, user_email where user_email in ( select log source authentication where 1d < event_time < now() where event_type="user.authentication.auth_via_mfa" group by user_email, sso_source_ip ) where sso_source_ip!=meta_remote_ip verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs. tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications. </code></pre></div> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.4 released with improved context in GitLab Duo 2024-09-19T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.4 with more context-aware Code Suggestions using open tabs</a>, auto-merging when all checks pass</a>, extension marketplace in the Web IDE</a>, Advanced SAST generally available</a> and much more!</p> These are just a few highlights from the 140+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 220+ contributions you provided to GitLab 17.4! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month's release, check out our Upcoming Releases page</a>, which includes our 17.5 release kickoff video.</p> GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 2024-09-17T00:00:00+00:00 Today we are releasing versions 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> All GitLab Dedicated instances have been upgraded and customers do not need to take action.</strong></p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Version 17.2.6 has been used to remediate GitLab Dedicated and hasn't been made public. Version 17.2.7 contains identical changes.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> SAML authentication bypass</a></td> Critical</td> </tr> </tbody> </table> SAML authentication bypass</h3> Updates dependencies omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p> Self Managed GitLab: Known Mitigations</h4> The following mitigation for self-managed GitLab installations prevents successful exploitation of CVE-2024-45409</a>:</p> Enable GitLab two-factor authentication</a> for all user accounts</a> on the GitLab self-managed instance (NOTE: Enabling identity provider multi-factor authentication does not mitigate this vulnerability) and</strong></li> Do not allow the SAML two-factor bypass</a> option in GitLab.</li> </ol> Self Managed GitLab: Identifying & Detecting Exploitation Attempts</h4> Evidence of attempted or successful exploitation of Ruby-SAML (CVE-2024-45409</a>) will be present in the GitLab application_json</a> and auth_json</a> log files.</p> Unsuccessful Exploit Attempt - Hunting</h5> Unsuccessful exploitation attempts may generate a ValidationError</code> from the RubySaml</code> library. This could be for a variety of reasons related to the complexity of crafting a working exploit.</p> Two examples are shown below, but the error may manifest with other descriptions. The common string to search for is RubySaml::ValidationError</code> inside the application_json log.</p> Invalid ticket due to incorrect callback URL Example log event:</li> {"severity":"ERROR","time":"2024-xx-xx","correlation_id":"xx","message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, The response was received at https://domain.com/users/auth/saml/incorrect_callback instead of https://domain.com/users/auth/saml/callback"}</code></li> </ol> </li> Invalid ticket due to a certificate signing issue Example log event:</li> "message":"(saml) Authentication failure! invalid_ticket: OneLogin::RubySaml::ValidationError, Fingerprint mismatch"</code></li> </ol> </li> </ol> Successful Exploitation - Hunting</h5> Successful exploitation attempts will trigger SAML related log events. However, there may be differences that make an exploit attempt unique from legitimate SAML authentication events.</p> A successful exploitation attempt will log whatever extern_id value is set by the attacker attempting exploitation. Therefore, identifying a unique extern_uid that is not common in your organization could be an indicator of potential exploitation.</p> Example exploit authentication event in the application_json log file, with a extern_id set in exploit PoC code: Log event:</li> {"severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","message":"(SAML) saving user exploit-test-user@domain.com from login with admin =\\u003e false, extern_uid =\\u003e exploit-test-user"}</code></li> </ol> </li> </ol> When crafting an exploit, there are many SAML assertions</a> an attacker would need to craft to perfectly replicate a legitimate login. These include both the key and value fields that you specify at your IdP, and may be unknown to unauthorized individuals - especially if you have customized these attributes.</p> You can review your auth_json log file to look for SAML responses with incorrect or missing information in the attributes</code> section.</p> Example of a SAML authentication event in the auth_json log file. "severity":"INFO","time":"2024-xx-xx","correlation_id":"xx","meta.caller_id":"OmniauthCallbacksController#saml","meta.remote_ip":"0.0.0.0","meta.feature_category":"system_access","meta.client_id":"ip/0.0.0.0","payload_type":"saml_response": {"issuer": ["xxx"],"name_id": "xxx","name_id_format": "xxx","name_id_spnamequalifier": null,"name_id_namequalifier": null,"destination": "xxx","audiences": ["xxx"],"attributes": {"first_name": ["xxx"],"last_name": ["yyy"], "email": ["zzz"]}}</code></li> </ol> </li> </ol> Detecting Exploitation Attempts</h5> For self managed customers forwarding GitLab application_json logs to a SIEM, creating detections to detect Ruby-SAML (CVE-2024-45409</a>) exploitation attempts is possible. Our team is sharing two threat detections rules, written in Sigma format, to detect potential exploitation.</p> Note:</strong> These detections may need to be tuned and modified to customer environments in order to deliver effective results, and due to varying configurations of different customer environments, customers should validate the legitimacy and accuracy of any events identified by these detections.</p> Users with more than 1 unique extern_uid over time</h5> This detection is designed to identify an authenticated SAML user with more than one extern_uid values linked to authentication events, a potential indication of malicious authentications with an attacker set extern_uid field.</p> title: Multiple extern_ids description: Detects when their are multiple extern_id's associated with a user. author: Gitlab Security Engineering date: 09/15/2024 schedule: "/10 * * * " pseudocode: | select log source application.log where 7d < event_time < now() where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml" regex(message, "saving user (?<user_email>\S+) .extern_uid \S+ (?<extern_id>[\S]+)") count extern_id by user_email as total_extern_ids where total_extern_ids > 1 verify: Review Gitlab application logs for the source IP of the SAML authentications. If there is a singular IP for all extern_ids this could point to a false positive. Cross reference the SAML authentication source IP/s with the known user's IP from sso authentication logs. tuning: N/A </code></pre></div> GitLab SAML authentication from a different IP address than other iDP events for the same user over time</h5> This detection is designed to correlate authentication events, grouped by user, against both GitLab SAML authentication events as well as other iDP authentication events in an effort to identify any change in user IP address, which could be an indication of attacker authentication sessions.</p> title: Gitlab SAML IP differs from SSO IP description: Detects when the source IP for the SAML authentication to Gitlab from application.log differs from the users known IP from SSO MFA logs. author: Gitlab Security Engineering date: 09/15/2024 schedule: "/10 * * " pseudocode: | select log source application.log where severity="INFO" and meta_caller_id="Groups::OmniauthCallbacksController#group_saml" regex(message, "saving user (?<user_email>\S+) ") #Create sub-query to bring in table from SSO authentication data select meta_remote_ip, user_email where user_email in ( select log source authentication where 1d < event_time < now() where event_type="user.authentication.auth_via_mfa" group by user_email, sso_source_ip ) where sso_source_ip!=meta_remote_ip verify: False positives can arise when the user is traveling. Review SSO authentication logs to see if the geo-location is similar to the SAML authentication to Gitlab. If any discrepancies are found, reach out to the user for verification. If the user is not traveling, temporarily lock the user's Gitlab account and review their activity through Gitlab's application logs. tuning: If the query is producing high false positives, consider using geolocation functions on IPs to compare the cities and countries that are generating the authentications. </code></pre></div> Bug fixes</h2> 17.3.3</h3> Improve OpenSSL 3 upgrading warning notes</a></li> Upgrade bundler for the GitLab Backup CLI gem</a></li> Update ruby-saml and omniauth-saml</a></li> </ul> 17.2.7</h3> Improve OpenSSL 3 upgrading warning notes</a></li> Update ruby-saml and omniauth-saml</a></li> </ul> 17.1.8</h3> Improve OpenSSL 3 upgrading warning notes</a></li> Update ruby-saml and omniauth-saml</a></li> </ul> 17.0.8</h3> Update ruby-saml and omniauth-saml</a></li> </ul> 16.11.10</h3> Update ruby-saml and omniauth-saml</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7 2024-09-11T00:00:00+00:00 Today we are releasing versions 17.3.2, 17.2.5, 17.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab Dedicated customers do not need to take action.</p> GitLab releases fixes for vulnerabilities in patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are committed to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Execute environment stop actions as the owner of the stop action job</a></td> Critical</td> </tr> Prevent code injection in Product Analytics funnels YAML</a></td> High</td> </tr> SSRF via Dependency Proxy</a></td> High</td> </tr> Denial of Service via sending a a specific POST request</a></td> High</td> </tr> CI_JOB_TOKEN can be used to obtain GitLab session token</a></td> Medium</td> </tr> Variables from settings are not overwritten by PEP if a template is included</a></td> Medium</td> </tr> Guests can disclose the full source code of projects using custom group-level templates</a></td> Medium</td> </tr> IdentitiesController allows linking of arbitrary unclaimed provider identities</a></td> Medium</td> </tr> Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow</a></td> Medium</td> </tr> Open redirect in release permanent links can lead to account takeover through broken OAuth flow</a></td> Medium</td> </tr> Guest user with Admin group member permission can edit custom role to gain other permissions</a></td> Medium</td> </tr> Exposure of protected and masked CI/CD variables by abusing on-demand DAST</a></td> Medium</td> </tr> Credentials disclosed when repository mirroring fails</a></td> Medium</td> </tr> Commit information visible through release atom endpoint for guest users</a></td> Medium</td> </tr> Dependency Proxy Credentials are Logged in Plaintext in graphql Logs</a></td> Medium</td> </tr> User Application can spoof the redirect url</a></td> Low</td> </tr> Group Developers can view group runners information</a></td> Low</td> </tr> </tbody> </table> Execute environment stop actions as the owner of the stop action job</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 8.14 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, which allows an attacker to trigger a pipeline as an arbitrary user under certain circumstances. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code></a>, 9.9). It is now mitigated in the latest release and is assigned CVE-2024-6678</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Prevent code injection in Product Analytics funnels YAML</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. Due to incomplete input filtering, it was possible to inject commands into a connected Cube server. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 8.5). It is now mitigated in the latest release and is assigned CVE-2024-8640</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> SSRF via Dependency Proxy</h3> A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</code></a>, 7.7). It is now mitigated in the latest release and is assigned CVE-2024-8635</a>.</p> This vulnerability was discovered internally by GitLab team member joernchen</a>.</p> Denial of Service via sending a specific POST request</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.4 prior to 17.1.7, starting from 17.2 prior to 17.2.5, starting from 17.3 prior to 17.3.2 which could cause Denial of Service via sending a specific POST request. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code></a>, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-8124</a>.</p> Thanks sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> CI_JOB_TOKEN can be used to obtain GitLab session token</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It may have been possible for an attacker with a victim's CI_JOB_TOKEN to obtain a GitLab session token belonging to the victim. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L</code></a>, 6.7). It is now mitigated in the latest release and is assigned CVE-2024-8641</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Variables from settings are not overwritten by PEP if a template is included</h3> An issue was discovered with pipeline execution policies in GitLab EE affecting all versions from 17.2 prior to 17.2.5, 17.3 prior to 17.3.2 which allows authenticated users to bypass variable overwrite protection via inclusion of a CI/CD template. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-8311</a>.</p> This vulnerability has been discovered internally by GitLab team member Andy Schoenen</a>.</p> Guests can disclose the full source code of projects using custom group-level templates</h3> An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4660</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IdentitiesController allows linking of arbitrary unclaimed provider identities</h3> An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability was discovered internally by GitLab team member Joern Schneeweisz</a>.</p> Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow</h3> An issue has been discovered in GitLab EE affecting all versions starting from 11.1 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-4283</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Open redirect in release permanent links can lead to account takeover through broken OAuth flow</h3> An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-4612</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest user with Admin group member permission can edit custom role to gain other permissions</h3> A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N</code></a>, 5.5). It is now mitigated in the latest release and is assigned CVE-2024-8631</a>.</p> Thanks chotebabume</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Exposure of protected and masked CI/CD variables by abusing on-demand DAST</h3> An issue was discovered in GitLab EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-2743</a>.</p> Thanks 0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Credentials disclosed when repository mirroring fails</h3> An issue has been discovered discovered in GitLab CE/EE affecting all versions starting from 15.10 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2 will disclose user password from repository mirror configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N</code></a>, 4.5). It is now mitigated in the latest release and is assigned CVE-2024-5435</a>.</p> Thanks gudanggaramfilter</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Commit information visible through release atom endpoint for guest users</h3> An issue was discovered in GitLab CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-6389</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Dependency Proxy Credentials are Logged in Plaintext in graphql Logs</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 17.1.7, starting from 17.2 prior to 17.2.5, and starting from 17.3 prior to 17.3.2, where dependency proxy credentials are retained in graphql Logs. This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code></a>, 4.0). It is now mitigated in the latest release and is assigned CVE-2024-4472</a>.</p> Thanks ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> User Application can spoof the redirect url</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code></a>, 3.5). It is now mitigated in the latest release and is assigned CVE-2024-6446</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group Developers can view group runners information</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2, where group runners information was disclosed to unauthorised group members. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code></a>, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-6685</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 17.3.2</h3> UBI: Backport openssl gem pin to 17-3-stable</a></li> Backport "Disable allow_failure for release-environments pipeline"</a></li> Fix issue when resizing images in RTE</a></li> Backport fix for listing projects via API</a></li> Backport lock retries timeout for sliding list strategy to 17-3</code></a></li> backport archived filter regression bugfix</a></li> Ensure to update updated_at when updating access data</a></li> Backport OpenSSL v3 callout to 17.3</a></li> Quarantine pypi package registry spec</a></li> Fix Sidekiq crashing when GITLAB_LOG_LEVEL set to debug</a></li> [17.3 Backport] Bump OpenSSL to 3.2.0</a></li> Backport 17.3 - Remove elasticsearch call on init</a></li> Downgrade OpenSSL version to 1.1.1</a></li> [17.3 Backport] Deprecate CentOS 7</a></li> </ul> 17.2.5</h3> Backport "Disable allow_failure for release-environments pipeline"</a></li> Always build assets image when tagging</a></li> Update google-cloud-core and google-cloud-env gems</a></li> Backport to 17.2: Fixes Geo Replication Details incorrectly empty</a></li> Backport OpenSSL v3 callout to 17.2</a></li> Backport to 17.2: Fix JobArtifactState query timeout</a></li> CI: Add test basic package functionality before release (17.2 Backport)</a></li> Use latest builder images for check-packages pipeline (17.2 Backport)</a></li> [17.2 Backport] Deprecate CentOS 7</a></li> </ul> 17.1.7</h3> Backport "Disable allow_failure for release-environments pipeline"</a></li> Backport to 17.1: Fixes Geo Replication Details view</a></li> Backport OpenSSL v3 callout to 17.1</a></li> Backport to 17.1: Fix JobArtifactState query timeout</a></li> CI: Add test basic package functionality before release (17.1 Backport)</a></li> Use latest builder images for check-packages pipeline (17.1 Backport)</a></li> [17.1 Backport] Deprecate CentOS 7</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.0.7 2024-09-11T00:00:00+00:00 Today we are releasing versions 17.0.7 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.</p> GitLab Community Edition and Enterprise Edition</h2> 17.0.7</h3> Backport 17.0: Release Environments - pipeline level resource group</a></li> Backport 17.0: Build assets image when running release environments</a></li> Backport 17.0 - Do not run release-environments on tagging</a></li> Backport canonical RE downstream pipeline removal</a></li> Update minimum Go version requirement for self-compiled (17.0)</a></li> Backport 17.0: Always build assets image when tagging</a></li> Backport gitlab-qa shm fix 17.0</a></li> CI: Add test basic package functionality before release (17.0 Backport)</a></li> Use latest builder images for check-packages pipeline (17.0 Backport)</a></li> [17.0 Backport] Deprecate CentOS 7</a></li> Backport to 17.0: Fix JobArtifactState query timeout</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 16.11.9 2024-09-11T00:00:00+00:00 Today we are releasing versions 16.11.9 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.</p> GitLab Community Edition and Enterprise Edition</h2> 16.11.9</h3> repository: Add empty vote in ApplyGitattributes</a></li> CI: Add test basic package functionality before release (16.11 Backport)</a></li> Use latest builder images for check-packages pipeline (16.11 Backport)</a></li> Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.3.1, 17.2.4, 17.1.6 2024-08-21T00:00:00+00:00 Today we are releasing versions 17.3.1, 17.2.4, 17.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases.</a></td> Medium</td> </tr> Denial of Service by importing maliciously crafted GitHub repository</a></td> Medium</td> </tr> Prompt injection in "Resolve Vulnerabilty" results in arbitrary command execution in victim's pipeline</a></td> Medium</td> </tr> An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions</a></td> Medium</td> </tr> </tbody> </table> The GitLab Web Interface Does Not Guarantee Information Integrity When Downloading Source Code from Releases.</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 8.2 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, which allows an attacker to create a branch with the same name as a deleted tag. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code></a>, 5.7). It is now mitigated in the latest release and is assigned CVE-2024-6502</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of Service by importing maliciously crafted GitHub repository</h3> A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 17.1.6, 17.2 prior to 17.2.4, and 17.3 prior to 17.3.1. A denial of service could occur upon importing a maliciously crafted repository using the GitHub importer. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-8041</a>.</p> Thanks a92847865</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Prompt injection in "Resolve Vulnerabilty" results in arbitrary command execution in victim's pipeline</h3> An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.1.6 starting from 17.2 prior to 17.2.4, and starting from 17.3 prior to 17.3.1, allows an attacker to execute arbitrary command in a victim's pipeline through prompt injection. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code></a>, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-7110</a>.</p> This vulnerability has been discovered internally by GitLab team member Dennis Appelt</a>.</p> An unauthorized user can perform certain actions through GraphQL after a group owner enables IP restrictions</h3> An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 17.1.6, all versions starting from 17.2 before 17.2.4, all versions starting from 17.3 before 17.3.1. Under certain conditions it may be possible to bypass the IP restriction for groups through GraphQL allowing unauthorized users to perform some actions at the group level. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code></a>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-3127</a>.</p> Thanks 0x777</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Mattermost Security Updates July 2, 2024</h3> Mattermost has been updated to versions 9.9.0, which contains several patches and security fixes.</p> Bug fixes</h2> 17.3.1</h3> Fix timeout when checking group dependencies (17.3 backport)</a></li> Resolve "Background migrations removed issues" (backport to 17.3)</a></li> Backport to 17.3: Fixes Geo Replication Details incorrectly empty</a></li> 17.3 Backport vulnerability migration bugfix</a></li> Add debian 10 (Buster) to deprecated OS list</a></li> Raise default PostgreSQL shared buffers minimum to 256 MB</a></li> Include language server version in code suggestions</a></li> Turn NotFound from Gitaly into 404 for InfoRefs</a></li> </ul> 17.2.4</h3> Backport 17.2: Build assets image when running release environments</a></li> Backport DORA DF score recalculation</a></li> Backport 17.2 - Do not run release-environments on tagging</a></li> Remove stong_memoization for cloud connector services</a></li> Check if columns exist before running credit card hashing background migration</a></li> Merge branch 'jennykim/remove-release-environment-canonical-pipeline' into 'master'</a></li> Fix empty dependency list page</a></li> Backport 17-2: handle empty repository.ff_merge</a></li> 17.2 backport for: Resolve "Background migrations removed in 17.1 cause upgrade issues"</a></li> Include language server version in code suggestions</a></li> Turn NotFound from Gitaly into 404 for InfoRefs)</a></li> </ul> 17.1.6</h3> Backport 17.1: Release Environments - pipeline level resource group</a></li> Backport 17.1: Build assets image when running release environments</a></li> Backport 17.1 - Do not run release-environments on tagging</a></li> Fix backport gitlab-qa shm fix to 17.1 stable branch version</a></li> Backport canonical RE downstream pipeline removal</a></li> Update minimum Go version requirement for self-compiled (17.1)</a></li> Backport 17-1: handle empty repository.ff_merge</a></li> Resolve "Background migrations removed issues" (backport to 17.1)</a></li> Fix: backport !157455 to 17-1-stable-ee</a></li> Include language server version in code suggestions</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Note: GitLab releases have skipped 17.2.3 and 17.1.5 . There are no patches with these version numbers.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.3 released with GitLab Duo Root Cause Analysis 2024-08-15T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.3 with GitLab Duo-powered root cause analysis for failed pipeline jobs</a>, AI-assisted vulnerability resolution</a>, AI impact analytics for Code Suggestions acceptance rate and GitLab Duo seats usage</a>, the ability to add multiple compliance frameworks to a single project</a>, and much more!</p> These are just a few highlights from the 160+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 130+ contributions you provided to GitLab 17.3! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 17.4 release kickoff video.</p> GitLab Patch Release: 17.2.2, 17.1.4, 17.0.6 2024-08-07T00:00:00+00:00 Today we are releasing versions 17.2.2, 17.1.4, 17.0.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access</a></td> Medium</td> </tr> Cross project access of Security policy bot</a></td> Medium</td> </tr> Advanced search ReDOS in highlight for code results</a></td> Medium</td> </tr> Denial of Service via banzai pipeline</a></td> Medium</td> </tr> Denial of service using adoc files</a></td> Medium</td> </tr> ReDoS in RefMatcher when matching branch names using wildcards</a></td> Medium</td> </tr> Path encoding can cause the Web interface to not render diffs correctly.</a></td> Medium</td> </tr> XSS while viewing raw XHTML files through API</a></td> Medium</td> </tr> Ambiguous tag name exploitation</a></td> Medium</td> </tr> Logs disclosings potentially sensitive data in query params</a></td> Medium</td> </tr> Password bypass on approvals using policy projects</a></td> Medium</td> </tr> ReDoS when parsing git push</a></td> Medium</td> </tr> Webhook deletion audit log can preserve auth credentials</a></td> Medium</td> </tr> </tbody> </table> Privilege Escalation via LFS Tokens Granting Unrestricted Repository Access</h3> A permission check vulnerability in GitLab CE/EE affecting all versions starting from 8.12 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allowed for LFS tokens to read and write to the user owned repositories. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code></a>, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-3035</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Cross project access of Security policy bot</h3> An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which allowed cross project access for Security policy bot. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N </code></a>, 4.4). It is now mitigated in the latest release and is assigned CVE-2024-6356</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Advanced search ReDOS in highlight for code results</h3> A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability was discovered internally by GitLab team member Terri Chu</a>.</p> Denial of Service via banzai pipeline</h3> Multiple Denial of Service (DoS) conditions has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2 which allowed an attacker to cause resource exhaustion via banzai pipeline. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-5423</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of service using adoc files</h3> A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 12.6 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause a denial of service using crafted adoc files. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4210</a>.</p> Thanks gudanggaramfilter</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in RefMatcher when matching branch names using wildcards</h3> ReDoS flaw in RefMatcher when matching branch names using wildcards in GitLab EE/CE affecting all versions from 11.3 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2 allows denial of service via Regex backtracking. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code></a>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-2800</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Path encoding can cause the Web interface to not render diffs correctly.</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code></a>, 5.7). It is now mitigated in the latest release and is assigned CVE-2024-6329</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> XSS while viewing raw XHTML files through API</h3> A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 prior 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N </code></a>, 4.4). It is now mitigated in the latest release and is assigned CVE-2024-4207</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Ambiguous tag name exploitation</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N</code></a>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-3958</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Logs disclosings potentially sensitive data in query params</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.0.6, all versions starting from 17.1 before 17.1.4, all versions starting from 17.2 before 17.2.2. Under certain conditions, access tokens may have been logged when an API request was made in a specific manner. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code></a>, 4.9). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability was discovered internally by GitLab team member Dominic Couture</a>.</p> Password bypass on approvals using policy projects</h3> An issue was discovered in GitLab EE starting from version 16.7 before 17.0.6, version 17.1 before 17.1.4 and 17.2 before 17.2.2 that allowed bypassing the password re-entry requirement to approve a policy. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code></a>, 4.2). It is now mitigated in the latest release and is assigned CVE-2024-4784</a>.</p> Thanks vexin</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS when parsing git push</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 11.10 prior to 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2, with the processing logic for parsing invalid commits can lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code></a>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-3114</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Webhook deletion audit log can preserve auth credentials</h3> An issue was discovered in GitLab EE affecting all versions starting from 17.0 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, where webhook deletion audit log preserved auth credentials. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N</code></a>, 4.1). It is now mitigated in the latest release and is assigned CVE-2024-7586</a>.</p> This vulnerability was discovered internally by GitLab Team Anton Smith</a>.</p> Bug fixes</h2> 17.2.2</h3> Backups: Fix parsing of existing backups in Azure storage (Backport 17.2)</a></li> Do not consider pool repos dangling on restore</a></li> Never return nil when search for CC service</a></li> Fix issue in RTE related to adding text before a mention</a></li> Backport 'Check if params data cannot be JSONified' into 17.2</a></li> Document Rake task to show/edit token expirations</a></li> Backport 17.2 - Introduce lock-free rescheduling for duplicate job</a></li> Ignore unknown sequences in sequence fix migration</a></li> Fix squished badges rendering in 17.2</a></li> Optimize CustomAbility specs to reduce build times</a></li> Backport Do not index associated issues that are epic work item type</a></li> bug: Fix template error due to divided by zero</a></li> Put groups_direct field in CI JWT tokens behind feature flag</a></li> Backport 'Fix cluster check metrics' into 17.2</a></li> Backport Beyond Identity bug fixes to 17.2</a></li> Enable project_daily_statistic_counter_attribute_fetch</code> FF by default</a></li> Backport 17.2: Release Environments - pipeline level resource group</a></li> Add require_personal_access_token_expiry application setting</a></li> Backport 17.2: Mark Cookie SameSite as default over HTTP</a></li> Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> 17.1.4</h3> Backups: Fix parsing of existing backups in Azure storage (Backport 17.1)</a></li> Backport 17.1 - Introduce lock-free rescheduling for duplicate job</a></li> Table driven spec needs shorter spec titles backport</a></li> Optimize CustomAbility specs to reduce build times</a></li> Put groups_direct field in CI JWT tokens behind feature flag</a></li> Increase SQL query threashold on work_items test</a></li> Backport 'Check if params data cannot be JSONified' into 17.1</a></li> Backport Beyond Identity bug fixes to 17.1</a></li> Backport gitlab-qa shm fix to 17.1 stable branch</a></li> Add require_personal_access_token_expiry application setting</a></li> </ul> 17.0.6</h3> Backups: Fix parsing of existing backups in Azure storage (Backport 17.0)</a></li> Backport 17.0 - Introduce lock-free rescheduling for duplicate job</a></li> Table driven spec needs shorter spec titles backport</a></li> Put groups_direct field in CI JWT tokens behind feature flag</a></li> Add require_personal_access_token_expiry application setting</a></li> </ul> 16.11.8</h3> Add require_personal_access_token_expiry application setting</a></li> </ul> Add require_personal_access_token_expiry application setting</h3> This default enabled, optional setting added for admins of GitLab self-managed instances on versions 16.11 and above allow them to enable mandatory expiraton on all new personal, project and group access tokens. Expirations set for existing tokens are not affected by this setting. For usage information see Require expiration dates for new access tokens</a></p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.2.1, 17.1.3, 17.0.5 2024-07-24T00:00:00+00:00 Today we are releasing versions 17.2.1, 17.1.3, 17.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> XSS via the Maven Dependency Proxy</a></td> High</td> </tr> Project level analytics settings leaked in DOM</a></td> Medium</td> </tr> Reports can access and download job artifacts despite use of settings to prevent it</a></td> Medium</td> </tr> Direct Transfer - Authorised project/group exports are accessible to other users</a></td> Medium</td> </tr> Bypassing tag check and branch check through imports</a></td> Low</td> </tr> Project Import/Export - Make project/group export files hidden to everyone except user who initiated it</a></td> Low</td> </tr> </tbody> </table> XSS via the Maven Dependency Proxy</h3> A cross site scripting vulnerability exists in GitLab CE/EE affecting all versions from 16.6 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 allowing an attacker to execute arbitrary scripts under the context of the current logged in user. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7)</p> This vulnerability has been discovered internally by GitLab team member Joern Schneeweisz</a>.</p> Project level analytics settings leaked in DOM</h3> An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, 17.1 prior to 17.1.3, 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N </code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2024-5067</a>.</p> Thanks yvvdwf</a> and zebraman</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Reports can access and download job artifacts despite use of settings to prevent it</h3> An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-7057</a>.</p> Thanks ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Direct Transfer - Authorised project/group exports are accessible to other users</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user.</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N</code>, 4.1 ).</p> This vulnerability was found internally by a GitLab team member James Nutt</a>.</p> Bypassing tag check and branch check through imports</h3> A resource misdirection vulnerability in GitLab CE/EE affecting all versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2024-0231</a>.</p> Thanks aaron_dewes</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project Import/Export - Make project/group export files hidden to everyone except user who initiated it</h3> An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6).</p> This vulnerability has been discovered internally by GitLab team member Martin Wortschack</a></p> Bug fixes</h2> 17.2.1</h3> Revert "Ensure page token is for the same tree"</a></li> Fix order-dependent Elasticsearch spec failure</a></li> Backport to run Release Environments on RC tag into '17-2-stable-ee'</a></li> Fix state leak in cluster_util_spec.rb</a></li> Ensure rspec helpers call curl with –fail</a></li> Run e2e:package-and-test-ee for MR targeting stable branches</a></li> Remove build-gdk-image, e2e:test-on-gdk, and retag-gdk-image jobs (17.2)</a></li> 17.2 backport for fix PEP when SEC is available</a></li> bugfix: Only run advanced SAST job when Ultimate license present</a></li> Backport pipeline fixes for 17.2</a></li> Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> 17.1.3</h3> Backport mock tag cleanup related fixes</a></li> Multiarch fixes backport (17.1)</a></li> Backport release-environments pipeline in security repo to 17.1</a></li> Backport [17.1] Fix empty minimum_should_match in query</a></li> Fix wildcard search for package.json in npm upload</a></li> NPM registry: replace the saj parser (17.1 backport)</a></li> Fix Content-Disposition header for Azure in API download (17.1 Backport)</a></li> Fix order-dependent Elasticsearch spec failure</a></li> Backport to run Release Environments on RC tag into '17-1-stable-ee'</a></li> Fix state leak in cluster_util_spec.rb</a></li> Merge branch 'sh-curl-fail-ci' into 'master' - 17.1</a></li> Ignore object pool already exists creation errors 17.1</a></li> Backport token logging improvements</a></li> Backport add Rake task to show token expiration info</a></li> Remove build-gdk-image, e2e:test-on-gdk, and retag-gdk-image jobs (17.1)</a></li> Backport pipeline fixes for 17.1</a></li> Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> 17.0.5</h3> Backport mock tag cleanup related fixes</a></li> Multiarch fixes backport (17.0)</a></li> Backport to run Release Environments on RC tag into '17-0-stable-ee'</a></li> Backport Resolve "Geo: JWT token expiration too short"</a></li> Ignore object pool already exists creation errors 17.0</a></li> Fix 500 error using a instance runner registration token</a></li> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> Fix order-dependent custom role definition spec failure</a></li> Backport pipeline fixes for 17.0</a></li> Private dotenv artifacts not accessible to downstream jobs</a></li> </ul> 16.11.7</h3> Backport Resolve "Geo: JWT token expiration too short"</a></li> Ignore object pool already exists creation errors 17.0</a></li> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.10.9</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.9.10</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.8.9</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.7.9</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.6.9</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Update the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.5.9</h3> Backport token logging improvements</a></li> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.4.6</h3> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.3.8</h3> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.2.10</h3> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.1.7</h3> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> 16.0.9</h3> Drop migration that finalizes migration to add PAT expiration</a></li> Add the token expiration banner</a></li> Backport add Rake task to show token expiration info</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.2 released with log streaming, a new pipeline execution security policy, and vulnerability explanations now generally available 2024-07-18T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.2 with vulnerability explanations becoming generally available and integrated with GitLab Duo</a> to help understand SAST vulnerabilities, log streaming support for Kubernetes</a> to help troubleshoot workloads without leaving GitLab, a new pipeline execution security policy type</a> to enforce the execution of CI/CD jobs in pipelines, Duo Chat and Code Suggestions support in GitLab workspaces</a> for a productivity boost in the remote development environment, and much more! These are just a few highlights from the 30+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 160+ contributions you provided to GitLab 17.2! At GitLab, everyone can contribute</a>, and we couldn't have done it without you!</p> To preview what's coming in next month's release, check out our Upcoming Releases page</a>, which includes our 17.3 release kickoff video.</p> GitLab Critical Patch Release: 17.1.2, 17.0.4, 16.11.6 2024-07-10T00:00:00+00:00 Today we are releasing versions 17.1.2, 17.0.4, 16.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> An attacker can run pipeline jobs as an arbitrary user</a></td> Critical</td> </tr> Developer user with admin_compliance_framework</code> permission can change group URL</a></td> Medium</td> </tr> Admin push rules custom role allows creation of project level deploy token</a></td> Low</td> </tr> Package registry vulnerable to manifest confusion</a></td> Low</td> </tr> User with admin_group_member</code> permission can ban group members</a></td> Low</td> </tr> Subdomain takeover in GitLab pages</a></td> Low</td> </tr> </tbody> </table> An attacker can run pipeline jobs as an arbitrary user</h3> An issue was discovered in GitLab CE/EE affecting versions 15.8 prior to 16.11.6, 17.0 prior to 17.0.4, and 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now resolved in the latest release and is assigned CVE-2024-6385</a>.</p> Thanks to yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Developer user with admin_compliance_framework</code> permission can change group URL</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with admin_compliance_framework</code> custom role may have been able to modify the URL for a group namespace. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2024-5257</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Admin push rules custom role allows creation of project level deploy token</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with admin_push_rules</code> permission may have been able to create project-level deploy tokens. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N</code>, 3.8). It is now mitigated in the latest release and is assigned CVE-2024-5470</a>.</p> Thanks indoappsec</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Package registry vulnerable to manifest confusion</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 11.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 where it was possible to upload an NPM package with conflicting package data. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 3.0). It is now mitigated in the latest release and is assigned CVE-2024-6595</a>.</p> This vulnerability was found internally by a GitLab team member Ameya Darshan</a>. Thanks to Darcy Clarke</a> for their work on manifest confusion</a>.</p> User with admin_group_member</code> permission can ban group members</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.5 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2 in which a user with admin_group_member</code> custom role permission could ban group members. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2024-2880</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Subdomain takeover in GitLab Pages</h3> An issue was discovered in GitLab CE/EE affecting all versions prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows a subdomain takeover in GitLab Pages by checking if the domain is enabled every time the custom domain is resolved. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2024-5528</a>.</p> Thanks fdeleite</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 17.1.2</h3> git: Update symlinkPointsToGitDir</code> version check</a></li> Fix MailRoom not loading in Omnibus</a></li> Use static AWS credentials for elasticsearch indexer if set</a></li> ci: For 17-1 Use default Ruby version for MRs targeting stable branches</a></li> Remove transaction opening for non-basic search count</a></li> Merge branch 'echui-gitlab-master-patch-58822' into 'master'</a></li> Update FF version info for graphql_minimal_auth_methods</a></li> Merge branch 'correct_finalize_epics_backfilling' into '17-1-stable-ee'</a></li> Fix merge unverified changes modal showing incorrectly</a></li> Backport 17.1: Field needs to be called Url</a></li> Backport Release Environments notification pipeline change to 17.1</a></li> Update dependency slack-messenger to v2.3.5</a></li> Force ffi gem to use Ruby platform gem</a></li> Fix Redis password handling with reserved characters</a></li> Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> 17.0.4</h3> Backport Release Environments notification pipeline change to 16.11</a></li> Backport Release Environments notification pipeline change to 17.0</a></li> Update dependency slack-messenger to v2.3.5</a></li> Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> Fix Redis password handling with reserved characters</a></li> </ul> 16.11.6</h3> Update versioning info for graphql FF</a></li> Define the Ruby patch version to use in CI jobs in 16.11</a></li> For 16.11: Explicitly set Omnibus and CNG Ruby version in CI</a></li> Backport Release Environments notification pipeline change to 16.11</a></li> Update dependency slack-messenger to v2.3.5</a></li> Pin QA CI tests to stable gitlab-org/gitlab branches</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update GitLab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Critical Patch Release: 17.1.1, 17.0.3, 16.11.5 2024-06-26T00:00:00+00:00 Today we are releasing versions 17.1.1, 17.0.3, 16.11.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Run pipelines as any user</a></td> Critical</td> </tr> Stored XSS injected in imported project's commit notes</a></td> High</td> </tr> CSRF on GraphQL API IntrospectionQuery</code></a></td> High</td> </tr> Remove search results from public projects with unauthorized repos</a></td> High</td> </tr> Cross window forgery in user application OAuth flow</a></td> Medium</td> </tr> Project maintainers can bypass group's merge request approval policy</a></td> Medium</td> </tr> ReDoS via custom built markdown page</a></td> medium</td> </tr> Private job artifacts can be accessed by any user</a></td> Medium</td> </tr> Security fixes for banzai pipeline</a></td> Medium</td> </tr> ReDoS in dependency linker</a></td> Medium</td> </tr> Denial of service using a crafted OpenAPI file</a></td> Medium</td> </tr> Merge request title disclosure</a></td> Medium</td> </tr> Access issues and epics without having an SSO session</a></td> Medium</td> </tr> Non project member can promote key results to objectives</a></td> Low</td> </tr> </tbody> </table> Run pipelines as any user</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which could allow an attacker to trigger a pipeline as another user under certain circumstances. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N, 9.6). It is now resolved in the latest release and is assigned CVE-2024-5655.</p> Thanks to ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Breaking changes:</p> This fix changes the MR re-targeting workflow so that a pipeline will not automatically run when a merge request is automatically re-targeted due to its previous target branch being merged. Users will need to manually start a pipeline to have CI execute for their changes.</li> GraphQL authentication using CI_JOB_TOKEN is disabled by default from 17.0.0, and back ported to 17.0.3, 16.11.5 in the current patch release. If access to the GraphQL API is required, please configure one of the several supported token types for authentication.</li> </ol> At this time, we have not found evidence of abuse of this vulnerability on the platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances.</p> Stored XSS injected in imported project's commit notes</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-4901</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> CSRF on GraphQL API IntrospectionQuery</code></h3> An issue has been discovered in GitLab CE/EE affecting all versions from 16.1.0 before 16.11.5, all versions starting from 17.0 before 17.0.3, all versions starting from 17.1.0 before 17.1.1 which allowed for a CSRF attack on GitLab's GraphQL API leading to the execution of arbitrary GraphQL mutations. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned CVE-2024-4994</a>.</p> Thanks ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Remove search results from public projects with unauthorized repos</h3> Improper authorization in global search in GitLab EE affecting all versions from 16.11 prior to 16.11.5 and 17.0 prior to 17.0.3 and 17.1 prior to 17.1.1 allows an attacker leak content of a private repository in a public project. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-6323</a>.</p> Thanks to GitLab Team Member, @joernchen</a> for reporting this issue.</p> Cross window forgery in user application OAuth flow</h3> A Cross Window Forgery vulnerability exists within GitLab CE/EE affecting all versions from 16.3 prior to 16.11.5, 17.0 prior to 17.0.3, and 17.1 prior to 17.1.1. This condition allows for an attacker to abuse the OAuth authentication flow via a crafted payload. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-2177</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project maintainers can bypass group's merge request approval policy</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2024-5430</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS via custom built markdown page</h3> A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions from 7.10 prior before 16.11.5, version 17.0 before 17.0.3, and 17.1 before 17.1.1. It is possible for an attacker to cause a denial of service using a crafted markdown page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4025</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Private job artifacts can be accessed by any user</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts can be accessed by any user. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-3959</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Security fixes for banzai pipeline</h3> Multiple Denial of Service (DoS) issues has been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1 which allowed an attacker to cause resource exhaustion via banzai pipeline. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-4557</a>.</p> Thanks joaxcar</a> and setiawan_</a> for reporting these vulnerability through our HackerOne bug bounty program</p> ReDoS in dependency linker</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, with the processing logic for generating link in dependency files can lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1493</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of service using a crafted OpenAPI file</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-1816</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Merge request title disclosure</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-2191</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Access issues and epics without having an SSO session</h3> An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-3115</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non project member can promote key results to objectives</h3> An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows non-project member to promote key results to objectives. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-4011</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 17.1.1</h3> Prevent cng e2e test from running in security fork</a></li> Only enumerate commits in pre-receive check if push came from Web</a></li> Revert "Allow admin_runner</code> ability to change shared runners setting"</a></li> </ul> 17.0.3</h3> Fix missing filename when downloading generic package in release page</a></li> Update an expired test certificate</a></li> Prevent starting multiple Capybara proxy servers</a></li> Backport 3 commits for Merge Train pipelines support in 17-0-stable-ee</a></li> Fix error when calling GQL ciConfig endpoint with include:component</a></li> Only allow documented token types for GraphQL authentication</a></li> Add a banner informing about token expiration</a></li> Only enumerate commits in pre-receive check if push came from Web</a></li> Backport QA test fixes for stable branches</a></li> Merge branch 'sh-patch-inspec-gem' into 'master'</a></li> </ul> 16.11.5</h3> Prevent starting multiple Capybara proxy servers</a></li> Update an expired test certificate</a></li> Enable invert_emails_disabled_to_emails_enabled by default</a></li> Only allow documented token types for GraphQL authentication</a></li> Add a banner informing about token expiration</a></li> Backport QA test fixes for stable branches</a></li> </ul> 16.10.8</h3> Add a banner informing about token expiration</a></li> </ul> 16.9.9</h3> Add a banner informing about token expiration</a></li> </ul> 16.8.8</h3> Add a banner informing about token expiration</a></li> </ul> 16.7.8</h3> Add a banner informing about token expiration</a></li> </ul> 16.6.8</h3> Add a banner informing about token expiration</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.1 released with Model registry available in beta and multiple GitLab Duo Code Suggestions in VS Code 2024-06-20T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.1 with Model registry available in beta</a>, multiple GitLab Duo Code Suggestions in VS Code</a>, Secret Push Protection available in beta</a>, GitLab Runner Autoscaler is generally available</a>, and much more!</p> These are just a few highlights from the 45+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 340+ contributions you provided to GitLab 17.1! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 17.2 release kickoff video.</p> GitLab Patch Release: 17.0.2, 16.11.4, 16.10.7 2024-06-12T00:00:00+00:00 Today we are releasing versions 17.0.2, 16.11.4, 16.10.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> ReDoS in gomod dependency linker</a></td> Medium</td> </tr> ReDoS in CI interpolation (fix bypass)</a></td> Medium</td> </tr> ReDoS in Asana integration issue mapping when webhook is called</a></td> Medium</td> </tr> XSS and content injection when viewing raw XHTML files on IOS devices</a></td> Medium</td> </tr> Missing agentk request validation could cause KAS to panic</a></td> Low</td> </tr> </tbody> </table> ReDoS in gomod dependency linker</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.1 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. It was possible for an attacker to cause a denial of service using maliciously crafted file. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1495</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in CI interpolation (fix bypass)</h3> An issue has been discovered in GitLab CE/EE affecting all versions prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's CI/CD pipeline editor could allow for denial of service attacks through maliciously crafted configuration files. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1736</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in Asana integration issue mapping when webhook is called</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.4 prior to 16.10.7, starting from 16.11 prior to 16.11.4, and starting from 17.0 prior to 17.0.2. A vulnerability in GitLab's Asana integration allowed an attacker to potentially cause a regular expression denial of service by sending specially crafted requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1963</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> XSS and content injection when viewing raw XHTML files on iOS devices</h3> A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 16.10.7, all versions starting from 16.11 before 16.11.4, all versions starting from 17.0 before 17.0.2. When viewing an XML file in a repository in raw mode, it can be made to render as HTML if viewed under specific circumstances. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2024-4201</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Missing agentk request validation could cause KAS to panic</h3> DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2024-5469</a>.</p> This vulnerability has been discovered internally by the Environments team.</p> Bug fixes</h2> 17.0.2</h3> Makefile: update Git versions (v17.0 backport)</a></li> Update VERSION files</a></li> Docs: Backport Dedicated AI updates</a></li> Fix failing specs in 17-0-stable-ee</a></li> Include headers in LfsDownloadObject</a></li> [17.0] Deprecate support for Ubuntu 18.04</a></li> </ul> 16.11.4</h3> Makefile: update Git versions (v16.11 backport)</a></li> Backport 'run-release-environment-for-tag-commits' into 16.11</a></li> Dedicated AI updates</a></li> Speed up as-if-foss Rubocop</a></li> Inclusion of headers in LfsDownloadObject for GitHub imports</a></li> Fix failing specs on 16-11-stable</a></li> Stop orphaning pages deployments on Geo secondaries on 16.11</a></li> </ul> 16.10.7</h3> Makefile: update Git versions (v16.10 backport)</a></li> Backport 'run-release-environment-for-tag-commits' into 16.10</a></li> Fix failing specs on 16-10-stable-ee</a></li> Stop orphaning pages deployments on Geo secondaries on 16.10</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 17.0.1, 16.11.3, 16.10.6 2024-05-22T00:00:00+00:00 Today we are releasing versions 17.0.1, 16.11.3, and 16.10.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> 1-click account takeover via XSS leveraging the VS code editor (Web IDE)</a></td> High</td> </tr> A DOS vulnerability in the 'description' field of the runner</a></td> Medium</td> </tr> CSRF via K8s cluster-integration</a></td> Medium</td> </tr> Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match</a></td> Medium</td> </tr> Redos on wiki render API/Page</a></td> Medium</td> </tr> Resource exhaustion and denial of service with test_report API calls</a></td> Medium</td> </tr> Guest user can view dependency lists of private projects through job artifacts</a></td> Medium</td> </tr> </tbody> </table> 1-click account takeover via XSS leveraging the VS code editor (Web IDE)</h3> A XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N</code>, 8.0) It is now mitigated in the latest release and is assigned CVE-2024-4835</a>.</p> Thanks matanber</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> A DOS vulnerability in the 'description' field of the runner</h3> An issue has been discovered in GitLab CE/EE affecting all versions up to 16.10.6, versions 16.11 up to 16.11.3, and 17.0 up to 17.0.1. A runner registered with a crafted description has the potential to disrupt the loading of targeted GitLab web resources. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-2874</a>.</p> Thanks ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program</p> CSRF via K8s cluster-integration</h3> A CSRF vulnerability exists within GitLab CE/EE from versions 16.3 up to 16.10.6, from 16.11 up to 16.11.3, from 17.0 up to 17.0.1. By leveraging this vulnerability, an attacker could exfiltrate anti-CSRF tokens via the Kubernetes Agent Server (KAS). This is a medium severity issue (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-7045</a>.</p> Thanks imrerad</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Using Set Pipeline Status of a Commit API incorrectly create a new pipeline when SHA and pipeline_id did not match</h3> An authorization vulnerability exists within GitLab from versions 16.10 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1 where an authenticated attacker could utilize a crafted naming convention to bypass pipeline authorization logic. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2024-5258</a>.</p> Thanks to GitLab Team Member, Andrew Winata for reporting this issue.</p> Redos on wiki render API/Page</h3> A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions before 16.10.6, version 16.11 before 16.11.3, and 17.0 before 17.0.1. It is possible for an attacker to cause a denial of service using a crafted wiki page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-6502</a>.</p> Thanks Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Resource exhaustion and denial of service with test_report API calls</h3> A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 up to 16.10.6, 16.11 up to 16.11.3, and 17.0 up to 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-1947</a>.</p> Thanks luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest user can view dependency lists of private projects through job artifacts</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. A Guest user can view dependency lists of private projects through job artifacts. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-5318</a>.</p> Thanks ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS via PDFjs</h3> Mitigations were made to take care of vulnerability in PDF.js CVE-2024-4367</a>.</p> Thanks h4x0r_dz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Mattermost Security Updates April 25th, 2024</h3> Mattermost has been updated to versions 9.7.2, which contains several patches and security fixes.</p> Bug fixes</h2> 17.0.1</h3> Makefile: update Git versions (v17.0 backport)</a></li> Merge branch 'rymai-master-patch-5345' into 'master'</a></li> Don't fail so loudly if default work item type is invalid</a></li> [17.0 backport] Project transfer fix for ES indexing</a></li> Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> [17-0] Fix Sidekiq migration timeout</a></li> </ul> 16.11.3</h3> Makefile: update Git versions (v16.11 backport)</a></li> Revert removal of bitbucket_server_convert_mentions_to_users FF</a></li> Cherry pick print-out-release-environment-variables to 16.11</a></li> [16-11] Fix Sidekiq migration timeout</a></li> Merge branch 'rymai-master-patch-5345' into 'master'</a></li> Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> Draft: Update changelog for 16.11.0</a></li> BACKPORT-16-11-stable: Use bundler to install Omnibus gems</a></li> </ul> 16.10.6</h3> Makefile: update Git versions (v16.10 backport)</a></li> Revert "Remove bitbucket_server_convert_mentions_to_users feature flag"</a></li> Cherry pick print-out-release-environment-variables to 16.10</a></li> Merge branch 'rymai-master-patch-5345' into 'master'</a></li> Ensure BLPOP/BRPOP returns nil instead of raising ReadTimeoutError</a></li> BACKPORT-16-10-stable: Use bundler to install Omnibus gems</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 17.0 released with generally available CI/CD Catalog and AI Impact analytics dashboard 2024-05-16T00:00:00+00:00 Today, we are excited to announce the release of GitLab 17.0 with generally available CI/CD Catalog</a>, AI Impact analytics dashboard</a>, hosted runners on Linux Arm</a>, deployment detail pages</a>, and much more!</p> These are just a few highlights from the 60+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the unbelievable 344 contributions you provided to GitLab 17.0! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> Join us to explore the new AI-powered features in GitLab 17 that will help you improve collaboration, visibility, security, and cycle times. Register for the GitLab 17 release virtual event: The future of AI-driven software development</a>.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 17.1 release kickoff video.</p> GitLab Patch Release: 16.9.8 2024-05-09T00:00:00+00:00 Today we are releasing versions 16.9.8 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.</p> GitLab Community Edition and Enterprise Edition</h2> Bug Fixes</h3> Pin parser dependency in chef-bin</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 16.11.2, 16.10.5, 16.9.7 2024-05-08T00:00:00+00:00 Today we are releasing versions 16.11.2, 16.10.5, 16.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> ReDoS in branch search when using wildcards</a></td> High</td> </tr> ReDoS in markdown render pipeline</a></td> Medium</td> </tr> Redos on Discord integrations</a></td> Medium</td> </tr> Redos on Google Chat Integration</a></td> Medium</td> </tr> Denial of Service Attack via Pin Menu</a></td> Medium</td> </tr> DoS by filtering tags and branches via the API</a></td> Medium</td> </tr> MR approval via CSRF in SAML SSO</a></td> Medium</td> </tr> Banned user from groups can read issues updates via the api</a></td> Medium</td> </tr> Require confirmation before linking JWT identity</a></td> Medium</td> </tr> View confidential issues title and description of any public project via export</a></td> Medium</td> </tr> SSRF via Github importer</a></td> Low</td> </tr> </tbody> </table> ReDoS in branch search when using wildcards</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.7 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible for an attacker to cause a denial of service by crafting unusual search terms for branch names. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-2878</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in markdown render pipeline</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. It was possible for an attacker to cause a denial of service using maliciously crafted markdown content. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-2651</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Redos on Discord integrations</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. A problem with the processing logic for Discord Integrations Chat Messages can lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6682</a>.</p> Thanks to Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Redos on Google Chat Integration</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.11 prior to 16.11.2. A problem with the processing logic for Google Chat Messages integration may lead to a regular expression DoS attack on the server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6688</a>.</p> Thanks to Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of Service Attack via Pin Menu</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. The pins endpoint is susceptible to DoS through a crafted request. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-2454</a>.</p> Thanks ac7n0w</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DoS by filtering tags and branches via the API</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 where abusing the API to filter branch and tags could lead to Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-4539</a>.</p> This vulnerability was reported internally by a GitLab team member Vasilii Iakliushin</a>.</p> MR approval via CSRF in SAML SSO</h3> An issue has been discovered in GitLab EE affecting all versions from 16.7 before 16.9.7, all versions starting from 16.10 before 16.10.5, all versions starting from 16.11 before 16.11.2. An attacker could force a user with an active SAML session to approve an MR via CSRF. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2024-4597</a>.</p> This vulnerability was reported internally by a GitLab team member joernchen</a>.</p> Banned user from groups can read issues updates via the api</h3> An issue has been discovered in GitLab EE affecting all versions starting from 15.2 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose updates to issues to a banned group member using the API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-1539</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Require confirmation before linking JWT identity</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2 in which cross-site request forgery may have been possible on GitLab instances configured to use JWT as an OmniAuth provider. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2024-1211</a>.</p> Thanks sim4n6</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> View confidential issues title and description of any public project via export</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. It was possible to disclose via the UI the confidential issues title and description from a public project to unauthorised instance users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-3976</a>.</p> Thanks ahacker1</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> SSRF via Github importer</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.5 prior to 16.9.7, starting from 16.10 prior to 16.10.5, and starting from 16.11 prior to 16.11.2. GitLab was vulnerable to Server Side Request Forgery when an attacker uses a malicious URL in the markdown image value when importing a GitHub repository. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2023-6195</a>.</p> Thanks imrerad</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 16.11.2</h3> ci: Remove license scanning job (16.11)</a></li> Backport 'Zoekt: Fix exact search mode' into 16.11</a></li> Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> Allow self-managed instances to require licensed seats for Duo Chat</a></li> Merge branch 'release-environment-notification' into '16-11-stable-ee'</a></li> Changed the email validation for only encoded chars</a></li> Backport 'hide archived filter in search when project selected' 16.11</a></li> Cherry-pick MR 151750 into '16-11-stable-ee'</a></li> Fix reconfigure failure if Redis node has Rails Sentinel config</a></li> </ul> 16.10.5</h3> ci: Remove license scanning job (16.10)</a></li> Upgrade gRPC to v1.62.1</a></li> Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> Merge branch 'release-environment-notification' into '16-10-stable-ee'</a></li> Changed the email validation for only encoded chars</a></li> Cherry-pick MR 151750 into '16-10-stable-ee'</a></li> </ul> 16.9.7</h3> ci: Remove license scanning job (16.9)</a></li> Return or display Gitlab version if GITLAB_KAS_VERSION is a SHA</a></li> Merge branch 'release-environment-notification' into 'master'</a></li> Changed the email validation for only encoded chars</a></li> Cherry-pick MR 151750 into '16-9-stable-ee'</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 16.11.1, 16.10.4, 16.9.6 2024-04-24T00:00:00+00:00 Today we are releasing versions 16.11.1, 16.10.4, 16.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Accidental breaking changes in KAS configuration</h4> The following KAS patch releases contain breaking changes from the %17.0 revision, because they were tagged from the wrong source (master instead of stable branches):</p> v16.11.1</li> v16.10.4</li> v16.9.6</li> </ul> The next GitLab patch release will fix those changes. Issue 458462</a> provides more information.</p> As a workaround KAS can be downgraded to the last release. Working KAS versions are:</p> v16.11.0</li> v16.10.1</li> v16.9.3</li> </ul> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider</a></td> High</td> </tr> Path Traversal leads to DoS and Restricted File Read</a></td> High</td> </tr> Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search</a></td> High</td> </tr> Personal Access Token scopes not honoured by GraphQL subscriptions</a></td> Medium</td> </tr> Domain based restrictions bypass using a crafted email address</a></td> Medium</td> </tr> </tbody> </table> GitLab account takeover, under certain conditions, when using Bitbucket as an OAuth provider</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.8 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker with their Bitbucket account credentials may be able to take over a GitLab account linked to another user's Bitbucket account, if Bitbucket is used as an OAuth 2.0 provider on GitLab. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2024-4024</a>.</p> This vulnerability has been discovered internally by GitLab team members Sam Word</a> and Rodrigo Tomonari</a>.</p> On 2024-04-24, GitLab changed the way Bitbucket authentication works with GitLab. To continue using Bitbucket Authentication, please sign in to GitLab with your Bitbucket account credentials, before 2024-05-16.</p> If you do not sign into GitLab using your Bitbucket account until after 2024-05-16, you will need to re-link your Bitbucket account</a> to your GitLab account manually. For some users, signing in to GitLab using their Bitbucket account may not work after this fix is applied. If this happens to you, your Bitbucket and GitLab accounts have different email addresses. To resolve this, you must log in to your GitLab account with your GitLab username and password and re-link your Bitbucket account</a>.</p> Path Traversal leads to DoS and Restricted File Read</h3> An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H</code>, 8.5). It is now mitigated in the latest release and is assigned CVE-2024-2434</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthenticated ReDoS in FileFinder when using wildcard filters in project file search</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2024-2829</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Personal Access Token scopes not honoured by GraphQL subscriptions</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1 where personal access scopes were not honored by GraphQL subscriptions. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-4006</a>.</p> This vulnerability was internally discovered and reported by a GitLab team member, Dylan Griffith</a>.</p> Domain based restrictions bypass using a crafted email address</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-1347</a>.</p> Thanks garethheyes</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 16.11.1</h3> Backport fixing release environment pipeline triggering rule to 16.11</a></li> Fix for missing branch_build_package_download_url</a></li> Fix missing arguments when PostgreSQL upgrade times out</a></li> </ul> 16.10.4</h3> go.mod: Update golang.org/x/net</code> dependency</a></li> Update vulnerability_reads scanner in the ingestion pipeline</a></li> Fix migration error when updating from GitLab 16.x to 16.10</a></li> Backport fixing release environment pipeline triggering rule to 16.10</a></li> </ul> 16.9.6</h3> Backport fixing release environment pipeline triggering rule to 16.9</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 16.11 released with GitLab Duo Chat general availability 2024-04-18T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.11 with GitLab Duo Chat general availability</a>, Product Analytics general availability</a>, Security policy scopes</a>, and much more!</p> These are just a few highlights from the 40+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 190+ contributions you provided to GitLab 16.11! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 17.0 release kickoff video.</p> GitLab Patch Release: 16.10.3, 16.9.5, 16.8.7 2024-04-15T00:00:00+00:00 Today we are releasing versions 16.10.3, 16.9.5, 16.8.7 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs. This patch release does not include any security fixes.</p> GitLab Community Edition and Enterprise Edition</h2> 16.10.3</h3> Fix patroni no longer working with update to ydiff 1.3</a></li> </ul> 16.9.5</h3> Update Go packages to address vulnerabilities in 16-9-stable</a></li> Make Gitaly no downtime upgrades work again in 16.9</a></li> Fix patroni no longer working with update to ydiff 1.3</a></li> </ul> 16.8.7</h3> Fix patroni no longer working with update to ydiff 1.3</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Patch Release: 16.10.2, 16.9.4, 16.8.6 2024-04-10T00:00:00+00:00 Today we are releasing versions 16.10.2, 16.9.4, 16.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important bug and security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for vulnerabilities in dedicated patch releases. There are two types of patch releases: scheduled releases, and ad-hoc critical patches for high-severity vulnerabilities. Scheduled releases are released twice a month on the second and fourth Wednesdays. For more information, you can visit our releases handbook</a> and security FAQ</a>. You can see all of GitLab release blog posts here</a>.</p> For security fixes, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest patch release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Security fixes</h2> Table of security fixes</h3> Title</th> Severity</th> </tr> </thead> Stored XSS injected in diff viewer</a></td> High</td> </tr> Stored XSS via autocomplete results</a></td> High</td> </tr> Redos on Integrations Chat Messages</a></td> Medium</td> </tr> Redos During Parse Junit Test Report</a></td> Medium</td> </tr> </tbody> </table> Stored XSS injected in diff viewer</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. A payload may lead to a stored XSS while using the diff viewer, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-3092</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS via autocomplete results</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.7 to 16.8.6 all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. Using the autocomplete for issues references feature a crafted payload may lead to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-2279</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Redos on Integrations Chat Messages</h3> A denial of service vulnerability was identified in GitLab CE/EE, versions 16.7.7 prior to 16.8.6, 16.9 prior to 16.9.4 and 16.10 prior to 16.10.2 which allows an attacker to spike the GitLab instance resources usage resulting in service degradation via chat integration feature. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-6489</a>.</p> Thanks Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Redos During Parse Junit Test Report</h3> An issue has been discovered in GitLab EE affecting all versions before 16.8.6, all versions starting from 16.9 before 16.9.4, all versions starting from 16.10 before 16.10.2. It was possible for an attacker to cause a denial of service using malicious crafted content in a junit test report file. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-6678</a>.</p> Thanks Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bug fixes</h2> 16.10.2</h3> Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> Fix include_optional_metrics_in_service_ping during migration to 16.10</a></li> Use alpine:latest instead of alpine:edge in CI images [16.10]</a></li> [16.10] Backport Delete callback should use namespace_id</a></li> [16.10] Backport handle null owner when indexing projects</a></li> Backport Zoekt: Retry indexing if too many requests to 16.10</a></li> Backport https://gitlab.com/gitlab-org/gitlab/-/merge_requests/148596</a></li> Fix URL validator for mirror services when using localhost</a></li> Backport !148105 into 16.10</a></li> Cherry-pick 'fix-omnibus-gitconfig-deprecation' into '16-10-stable'</a></li> </ul> 16.9.4</h3> Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> Use alpine:latest instead of alpine:edge in CI images [16.9]</a></li> </ul> 16.8.6</h3> Quarantine flaky atomic processing ResetSkippedJobsService specs</a></li> Use alpine:latest instead of alpine:edge in CI images [16.8]</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Patch Notifications</h2> To receive patch blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our patch release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab Security Release: 16.10.1, 16.9.3, 16.8.5 2024-03-27T00:00:00+00:00 Today we are releasing versions 16.10.1, 16.9.3, 16.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Stored-XSS injected in Wiki page via Banzai pipeline</a></td> High</td> </tr> DOS using crafted emojis</a></td> Medium</td> </tr> </tbody> </table> Stored-XSS injected in Wiki page via Banzai pipeline</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. A wiki page with a crafted payload may lead to a Stored XSS, allowing attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-6371</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DOS using crafted emojis</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 16.8.5, all versions starting from 16.9 before 16.9.3, all versions starting from 16.10 before 16.10.1. It was possible for an attacker to cause a denial of service using malicious crafted description parameter for labels. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-2818</a>.</p> Thanks Quintin Crist of Trend Micro for reporting this vulnerability to us.</p> Bump PostgreSQL to 13.14, 14.11</h3> The PostgreSQL project released an update so we are updating to versions 13.14 and 14.11.</p> Non Security Patches</h2> 16.10.1</h3> CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.10)</a></li> Backport protobuf and pgx upgrades [16.10]</a></li> Fix new project group templates pagination (16-10-stable-ee)</a></li> Update redis-client to v0.21.1</a></li> </ul> 16.9.3</h3> CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.9)</a></li> Backport protobuf and pgx upgrades [16.9]</a></li> Fix detect-tests CI job</a></li> Collect the artifacts from the same namespace</a></li> Fix new project group templates pagination (16-9-stable-ee)</a></li> Backport: RSpec changes for .com handling nightly packages</a></li> </ul> 16.8.5</h3> CI: bump CI_TOOLS_VERSIONS to 5.8.0 (Backport 16.8)</a></li> Fix detect-tests CI job</a></li> Backport: RSpec changes for .com handling nightly packages</a></li> Backport c2a94ae8 for creating stable tag for 16-8-stable</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> We’re combining patch and security releases</h2> This improvement in our release process matches the industry standard and will help GitLab users get information about security and bug fixes sooner, read the blog post here</a>.</p> GitLab 16.10 released with semantic versioning in the CI/CD catalog 2024-03-21T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.10 with semantic versioning coming to the CI/CD catalog</a>, wiki templates</a>, the possibility to offload CI traffic to geo secondaries</a>, new ClickHouse integration for high-performance DevOps analytics</a>, and much more!</p> These are just a few highlights from the 90+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 170+ contributions you provided to GitLab 16.10! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.11 release kickoff video.</p> GitLab Security Release: 16.9.2, 16.8.4, 16.7.7 2024-03-06T00:00:00+00:00 Today we are releasing versions 16.9.2, 16.8.4, 16.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Bypassing CODEOWNERS approval allowing to steal protected variables</a></td> High</td> </tr> Guest with manage group access tokens can rotate and see group access token with owner permissions</a></td> Medium</td> </tr> </tbody> </table> Bypassing CODEOWNERS approval allowing to steal protected variables</h3> An authorization bypass vulnerability was discovered in GitLab affecting versions 11.3 prior to 16.7.7, 16.7.6 prior to 16.8.4, and 16.8.3 prior to 16.9.2. An attacker could bypass CODEOWNERS by utilizing a crafted payload in an old feature branch to perform malicious actions. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2024-0199</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest with manage group access tokens can rotate and see group access token with owner permissions</h3> A privilege escalation vulnerability was discovered in GitLab affecting versions 16.8 prior to 16.8.4 and 16.9 prior to 16.9.2. It was possible for a user with custom role of manage_group_access_tokens</code> to rotate group access tokens with owner privileges. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1299</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Upgrade Kubectl to the latest stable version</h3> kubectl</code> has been updated to version 1.29.2.</p> Mattermost Security Updates February 14, 2024</h3> Mattermost has been updated to version 9.5, which contains several patches and security fixes.</p> Non Security Patches</h2> 16.9.2</h3> Merge branch 'hm-rescue-stale-element-error-in-base' into 'master'</a></li> Fix broken master</a></li> Use fixed date for failing specs [16.9]</a></li> Backport 'pb-fix-broken-master-elastic' into 16.9</a></li> Backport Fix Search::Zoekt.index? logic to 16.9</a></li> Backport 'Don't escape search term in modal twice' into 16.9</a></li> Backport 'add-praefect-to-release-environment-template'</a></li> Backport 'Shows branch name in non-blob…scopes' into 16.9</a></li> Backport: Geo - Fix container repositories checksum mismatch errors</a></li> Backport 145801 (Fix CI linter error when repository is empty) to 16.9</a></li> Merge branch 'remove-pi-os-12-release' into 'master'</a></li> Backport to 16.9: Fix Geo: Personal snippets not syncing</a></li> </ul> 16.8.4</h3> Backport to 16.8: Fix Geo: Personal snippets not syncing</a></li> Backport to 16.8: Fix pg_dump failing with multiple PG read-replicas</a></li> Update tests for broken 16.8</a></li> Backport 'add-praefect-to-release-environment-template'</a></li> Backport: Geo - Fix container repositories checksum mismatch errors</a></li> Backport 145801 (Fix CI linter error when repository is empty) to 16.8</a></li> </ul> 16.7.7</h3> Backport to 16.7: Fix pg_dump failing with multiple PG read-replicas</a></li> Merge branch 'add-praefect-to-release-environment-template'</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update GitLab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Security Release: 16.9.1, 16.8.3, 16.7.6 2024-02-21T00:00:00+00:00 Today we are releasing versions 16.9.1, 16.8.3, 16.7.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Stored-XSS in user's profile page</a></td> High</td> </tr> User with "admin_group_members" permission can invite other groups to gain owner access</a></td> Medium</td> </tr> ReDoS issue in the Codeowners reference extractor</a></td> Medium</td> </tr> LDAP user can reset password using secondary email and login using direct authentication</a></td> Medium</td> </tr> Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard</a></td> Medium</td> </tr> Users with the Guest</code> role can change Custom dashboard projects</code> settings for projects in the victim group</a></td> Medium</td> </tr> Group member with sub-maintainer role can change title of shared private deploy keys</a></td> Low</td> </tr> Bypassing approvals of CODEOWNERS</a></td> Low</td> </tr> </tbody> </table> Stored-XSS in user's profile page</h3> An issue has been discovered in GitLab CE/EE affecting version 16.9 only. A crafted payload added to the user profile page could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2024-1451</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> User with "admin_group_members" permission can invite other groups to gain owner access</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. When a user is assigned a custom role with admin_group_member permission, they may be able to make a group, other members or themselves Owners of that group, which may lead to privilege escalation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L</code>, 6.7). It is now mitigated in the latest release and is assigned CVE-2023-6477</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS issue in the Codeowners reference extractor</h3> An issue has been discovered in GitLab EE affecting all versions starting from 11.3 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted content in the CODEOWNERS file. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6736</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> LDAP user can reset password using secondary email and login using direct authentication</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.7.2, all versions starting from 16.8 before 16.8.2, all versions starting from 16.9 before 16.9.2. Under some specialized conditions, an LDAP user may be able to reset their password using their verified secondary email address and sign-in using direct authentication with the reset password, bypassing LDAP. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2024-1525</a>.</p> This vulnerability was discovered internally by a GitLab team member, Drew Blessing</a>.</p> Bypassing group ip restriction settings to access environment details of projects through Environments/Operations Dashboard</h3> An issue has been discovered in GitLab EE affecting all versions starting from 12.0 to 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. This vulnerability allows for bypassing the 'group ip restriction' settings to access environment details of projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4895</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Users with the Guest</code> role can change Custom dashboard projects</code> settings for projects in the victim group</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.4 before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. Users with the Guest</code> role can change Custom dashboard projects</code> settings contrary to permissions. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-0861</a>.</p> Thanks them4les_l1r</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group member with sub-maintainer role can change title of shared private deploy keys</h3> An issue has been discovered in GitLab affecting all versions before 16.7.6, all versions starting from 16.8 before 16.8.3, all versions starting from 16.9 before 16.9.1. It was possible for group members with sub-maintainer role to change the title of privately accessible deploy keys associated with projects in the group. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-3509</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypassing approvals of CODEOWNERS</h3> An authorization bypass vulnerability was discovered in GitLab affecting versions 15.1 prior to 16.7.6, 16.8 prior to 16.8.3, and 16.9 prior to 16.9.1. A developer could bypass CODEOWNERS approvals by creating a merge conflict. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 3.0). It is now mitigated in the latest release and is assigned CVE-2024-0410</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non Security Patches</h2> Invalidate markdown cache to clear up stored XSS</a></li> </ul> 16.9.1</h3> Merge branch 'ac-fix-16-9-0-changelog' into 'master'</a></li> [Backport] Revert '437616_fix_changelog_tag_detection'</a></li> Backport Web IDE upgrade into 16.9</a></li> Fix deny_all_requests_except_allowed of AddressableUrlValidator</a></li> Introduce back ci_pipeline_variables routing table FF</a></li> </ul> 16.8.3</h3> Backport 'jc/fix-add-tree-entry' into 16-8-stable</a></li> Allow creation of group-level custom-roles on self-managed instances</a></li> Backport 'Fix stable cache for quick actions'</a></li> Fix X.509 commit signing for OpenSSL 3</a></li> Fix urlblocker validate calls with more options</a></li> </ul> 16.7.6</h3> Backport jc/fix-add-tree-entry into 16-7-stable</a></li> Fix X.509 commit signing for OpenSSL 3</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.9 released with wider Beta access for Duo Chat 2024-02-15T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.9 with GitLab Duo Chat</a> now available for Premium SaaS and self-managed customers, the ability to request changes in a merge request</a> without blocking the merge, usability improvements to the CI/CD variables page</a>, more options for auto-canceling pipelines</a>, and much more!</p> These are just a few highlights from the 80+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 200+ contributions you provided to GitLab 16.9! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.10 release kickoff video.</p> GitLab Security Release: 16.8.2, 16.7.5, 16.6.7 2024-02-07T00:00:00+00:00 Today we are releasing versions 16.8.2, 16.7.5, 16.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Restrict group access token creation for custom roles</a></td> Medium</td> </tr> Project maintainers can bypass group's scan result policy block_branch_modification</code> setting</a></td> Medium</td> </tr> ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax</a></td> Medium</td> </tr> Resource exhaustion using GraphQL vulnerabilitiesCountByDay</code></a></td> Medium</td> </tr> </tbody> </table> Restrict group access token creation for custom roles</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1250</a>.</p> This vulnerability has been discovered internally by GitLab team member Rohit Shambhuni</a>.</p> Project maintainers can bypass group's scan result policy block_branch_modification</code> setting</h3> An issue has been discovered in GitLab EE affecting all versions from 16.4 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows a maintainer to change the name of a protected branch that bypasses the security policy added to block MR. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H</code>, 6.7). It is now mitigated in the latest release and is assigned CVE-2023-6840</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax.</h3> A denial of service vulnerability was identified in GitLab CE/EE, affecting all versions from 15.11 prior to 16.6.7, 16.7 prior to 16.7.5 and 16.8 prior to 16.8.2 which allows an attacker to spike the GitLab instance resource usage resulting in service degradation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6386</a>.</p> Thanks Anonymizer</code> for reporting this vulnerability through our HackerOne bug bounty program.</p> Resource exhaustion using GraphQL vulnerabilitiesCountByDay</code></h3> An issue has been discovered in GitLab EE affecting all versions from 13.3.0 prior to 16.6.7, 16.7 prior to 16.7.5, and 16.8 prior to 16.8.2 which allows an attacker to do a resource exhaustion using GraphQL vulnerabilitiesCountByDay</code>. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2024-1066</a>.</p> This vulnerability has been discovered internally by GitLab team member Brian Williams</a>.</p> Update to PostgreSQL 14.10 and 13.13</h3> PostgreSQL has been updated.</p> Non Security Patches</h2> 16.8.2</h3> Gitaly: properly set PYTHON_TAG in CI, for Dockerfile (16.8)</a></li> Update GDK base build image and update QA GEM</a></li> Revert "Validate scopes for importing collaborators"</a></li> Backport !142896 into 16.8 stable branch</a></li> Update dependency prometheus-client-mmap to '~> 1.1', '>= 1.1.1'</a></li> Defer ConnectionPool instrumentation setup</a></li> Add item_to_preload method in helper and migrations to prevent N+1 query</a></li> Fix bug for devfile with multiple container components</a></li> Backport "Fix Redis 6.0 compatibility breakage with Sidekiq 7 gem"</a></li> Finalize UUID backfilling before performing cleanup</a></li> Backport - Ensure post upgrade steps are run after geo_pg_upgrade</a></li> </ul> 16.7.5</h3> Update dependency prometheus-client-mmap to '~> 1.1', '>= 1.1.1'</a></li> Backport UUID migration finalization to 16.7</a></li> </ul> 16.6.7</h3> Add missing IMAGE_TAG_EXT to referenced PostgreSQL image</a></li> Backport: Update GDK base build image</a></li> [Backport] Control runner tags for package promotion via env vars</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8 2024-01-25T00:00:00+00:00 Today we are releasing versions 16.8.1, 16.7.4, 16.6.6, 16.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated environments are already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary file write while creating workspace</a></td> Critical</td> </tr> ReDoS in Cargo.toml</code> blob viewer</a></td> Medium</td> </tr> Arbitrary API PUT requests via HTML injection in user's name</a></td> Medium</td> </tr> Disclosure of the public email in Tags RSS Feed</a></td> Medium</td> </tr> Non-Member can update MR Assignees of owned MRs</a></td> Medium</td> </tr> </tbody> </table> Arbitrary file write while creating workspace</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.5.8, 16.6 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2024-0402</a>.</p> The fix for this security vulnerability has been backported to 16.5.8 in addition to 16.6.6, 16.7.4, and 16.8.1. GitLab 16.5.8 only</em> includes a fix for this vulnerability and does not</em> contain any of the other fixes or changes mentioned in this blog post.</p> This vulnerability has been discovered internally by GitLab team member joernchen</a>.</p> ReDoS in Cargo.toml</code> blob viewer</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a Cargo.toml</code> containing maliciously crafted input. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6159</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary API PUT requests via HTML injection in user's name</h3> An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. Improper input sanitization of user name allows arbitrary API PUT requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2023-5933</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Disclosure of the public email in Tags RSS Feed</h3> An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. It was possible to read the user email address via tags feed although the visibility in the user profile has been disabled. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-5612</a>.</p> Thanks erruqill</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non-Member can update MR Assignees of owned MRs</h3> An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that they created within the project . This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2024-0456</a>.</p> Thanks to Niklas</a> for reporting this vulnerability.</p> Update xmlsoft/libxml2 to >= v2.11.6</h3> The xmlsoft/libxml2</code> version has been upgraded to 2.12.3 to mitigate CVE-2023-45322</a>.</p> Upgrade redis to address CVE-2023-41056 (Redis RCE)</h3> Redis has been upgraded to version 7.0.15 to mitigate CVE-2023-41056</a>.</p> Non Security Patches</h2> 16.8.1</h3> Update dependency gitlab-glfm-markdown to '~> 0.0.11'</a></li> Backport Redis migration to 16.8</a></li> [Backport] Optimize garbage collection process</a></li> [Backport] Bump GitLab Shell version to 14.33.0</a></li> </ul> 16.7.4</h3> Backport - Bring legacy verification behavior back for repositories</a></li> Sync chef-gem and chef-bin (16.7)</a></li> </ul> 16.6.6</h3> Backport: Move release-environments pipeline to be sourced from master</a></li> Backport - Bring legacy verification behavior back for repositories</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.8 released with Google Cloud Secret Manager support and the ability to speed up your builds with the Maven dependency proxy 2024-01-18T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.8 with Google Cloud Secret Manager support</a>, the ability to speed up your builds with the Maven dependency proxy</a>, general availability of Workspaces</a>, new organization-level DevOps view with DORA-based industry benchmarks</a> and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 207 contributions you provided to GitLab 16.8! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.9 release kickoff video.</p> GitLab Patch Release: 16.7.3 16.6.5 16.5.7 2024-01-12T00:00:00+00:00 Today we are releasing versions 16.7.3</code> 16.6.5</code> 16.5.7</code> for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a single issue with a database migration.</p> GitLab Community Edition and Enterprise Edition</h2> 16.7.3</h3> Make chat_names table migration idempotent</a></li> </ul> 16.6.5</h3> Make chat_names table migration idempotent</a></li> </ul> 16.5.7</h3> Make chat_names table migration idempotent</a></li> </ul> Important notes on upgrading</h2> This version fixes an issue with an existing migration that prevented upgrades from completing</a>. It does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 16.7.2, 16.6.4, 16.5.6 2024-01-11T00:00:00+00:00 Today we are releasing versions 16.7.2, 16.6.4, 16.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases fixes for security vulnerabilities in security releases. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>. If you have not upgraded yet, be aware that there is a newer patch</a> that includes additional fixes for recently discovered DB migration issue. Please upgrade to 16.7.3, 16.6.5, 16.5.7, or newer to prevent the migration issue.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Account Takeover via password reset without user interactions</a></td> Critical</td> </tr> Bypass CODEOWNERS approval removal</a></td> High</td> </tr> Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user</a></td> High</td> </tr> Workspaces able to be created under different root namespace</a></td> Medium</td> </tr> Commit signature validation ignores headers after signature</a></td> Low</td> </tr> </tbody> </table> Account Takeover via Password Reset without user interactions</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address. This is a Critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H</code>, 10.0). It is now mitigated in the latest release and is assigned CVE-2023-7028</a>.</p> This security fix has been backported to GitLab versions and 16.1.6, 16.2.9, 16.3.7, and 16.4.5 in addition to 16.5.6, 16.6.4, and 16.7.2.</p> Thanks asterion04</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> FAQ</h3> What should I do if I believe my GitLab instance is compromised?</strong></p> In addition to following your incident response plan</em></p> Apply the Critical Security Release to your GitLab instance</li> Enable Two-Factor Authentication</a> (2FA) for all GitLab accounts</li> Rotate all secrets stored in GitLab: All credentials, including GitLab account passwords</li> API tokens</li> Any certificates</li> Any other secrets</li> </ol> </li> Follow steps in our incident response guide, here</a></li> </ol> Who is impacted by this?</strong></p> GitLab self-managed instances using the following affected versions:</p> 16.1 to 16.1.5</li> 16.2 to 16.2.8</li> 16.3 to 16.3.6</li> 16.4 to 16.4.4</li> 16.5 to 16.5.5</li> 16.6 to 16.6.3</li> 16.7 to 16.7.1</li> </ul> Within these versions, all authentication mechanisms are impacted. Additionally, users who have two-factor authentication enabled are vulnerable to password reset but not account takeover as their second authentication factor is required to login.</p> What actions should I take?</strong></p> Upgrade self-managed instances to a patched version</a> following our upgrade path. Do not skip upgrade stops as this could create instability. Note: 16.3.x is a required upgrade stop</a> in the GitLab upgrade path</a>.</li> </ul> </li> Enable Two-Factor Authentication</a> (2FA) for all GitLab accounts, especially for users with elevated privileges (e.g. administrator accounts).</li> </ul> Has the vulnerability been resolved?</strong></p> This vulnerability was resolved with this security release.</p> Were any accounts actually compromised due to this vulnerability?</strong></p> We have not detected any abuse of this vulnerability on platforms managed by GitLab, including GitLab.com and GitLab Dedicated instances. Self-managed customers can review their logs to check for possible attempts to exploit this vulnerability:</p> Check gitlab-rails/production_json.log</a> for HTTP requests to the /users/password</code> path with params.value.email consisting of a JSON array with multiple</em> email addresses.</li> Check gitlab-rails/audit_json.log</a> for entries with meta.caller_id</code> of PasswordsController#create</code> and target_details</code> consisting of a JSON array with multiple</em> email addresses.</li> </ul> When was the vulnerability introduced?</strong></p> The vulnerability was introduced in 16.1.0 on May 1, 2023.</p> How was the vulnerability discovered?</strong></p> The vulnerability was responsibly reported through our Bug Bounty program.</p> What security measures do you have in place to prevent such vulnerabilities?</strong></p> We have added multiple tests that validate the password reset logic as a whole, in particular handling of email provided, the email generation, and content to prevent similar vulnerabilities.</li> Security reviews are a required part of the MR checklist that developers must complete.</li> We have a code review process that requires multiple approvals for changes.</li> We have started the Root Cause Analysis process</a> in order to determine a comprehensive list of follow-up actions, including ways to prevent vulnerabilities like this one.</li> We have a two-factor authentication feature</a> that prevents such a vulnerability if enabled. It is currently enabled for all GitLab Team Members.</li> We have added additional developer documentation in the code base to ensure implementation and security considerations are available to engineers working in this area in the future.</li> Revised the implementation logic to not support the submission of multiple email addresses for reset links.</li> </ul> How did this happen?</strong></p> A change was made in 16.1.0 to allow users to reset their password through a secondary email address. The vulnerability is a result of a bug in the email verification process. The bug has been fixed with this patch, and as mentioned above, we have implemented a number of preventive security measures to protect customers.</p> Does this affect me if I use an Identity Provider, like Okta or Azure AD?</strong></p> Users without SSO enforcement are vulnerable. If your configuration allows a username and password to be used in addition to SSO options, then you are impacted. Disabling all password authentication options via Sign-in restrictions settings</a> will mitigate the vulnerability for Self-Managed customers that have an external identity provider configured, as this will disable the ability to perform password reset.</p> Am I affected by this vulnerability if I have 2FA enforced?</strong></p> An attacker will not be able to takeover your account if you have 2FA enabled. They may still be able to reset your password but will not be able to access your second factor authentication method. If you are suddenly redirected to login, or see a reset email triggered, please reset your password.</p> Does this vulnerability affect GitLab Runner?</strong></p> No, this vulnerability does not affect GitLab Runner. This vulnerability affected the GitLab Rails codebase for impacted versions of GitLab itself. GitLab Runner has a separate code base that is unaffected.</p> Bypass CODEOWNERS approval removal</h3> An issue has been discovered in GitLab affecting all versions starting from 15.3 before 16.5.5, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N</code>, 7.6). It is now mitigated in the latest release and is assigned CVE-2023-4812</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Attacker can abuse Slack/Mattermost integrations to execute slash commands as another user</h3> Incorrect authorization checks in GitLab CE/EE from all versions starting from 8.13 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2, allows a user to abuse Slack/Mattermost integrations to execute slash commands as another user. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2023-5356</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Workspaces able to be created under different root namespace</h3> An improper access control vulnerability exists in GitLab Workspaces affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N</code>, 6.6). It is now mitigated in the latest release and is assigned CVE-2023-6955</a>.</p> This vulnerability was discovered internally by GitLab team member @j.seto</a>.</p> Commit signature validation ignores headers after signature</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-2030</a>.</p> Thanks lotsofloops</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non Security Patches</h2> 16.7.2</h3> Backport 16.7: Clean mocked tags from assets</a></li> Backport: Solving database cross joins on HookData::ProjectBuilder</a></li> Fix order-dependent Sidekiq config spec failures</a></li> Harden Internal Events CLI specs against flakiness</a></li> Enable Apollo Boards by default</a></li> Backport "Add missing ci_sources_pipelines indexes for self-host" 16.7</a></li> Temporarily pin Faraday related gems</a></li> </ul> 16.6.4</h3> Merge branch 'ci-clean-mocked-tags' into '16-6-stable'</a></li> Backport 16.6 : Clean mocked tags from assets</a></li> Backport-Search::IndexRepairService using Repository index for projects</a></li> Backport !140718 into 16.6 stable branch</a></li> Temporarily pin Faraday related gems</a></li> </ul> 16.5.6</h3> CI: clean mocked tags from assets, don't pollute artifacts (backport to 16.5)</a></li> Backport 16.5 : Clean mocked tags from assets</a></li> Backport 16.5: Fix chatty loopWriter logs when log level config is empty</a></li> Bump allure-report and backport clickhouse version fix to 16.5</a></li> Temporarily pin Faraday related gems</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.7 released with general availability of GitLab Duo Code Suggestions and CI/CD Catalog in Beta 2023-12-21T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.7 with general availability of GitLab Duo Code Suggestions</a>, CI/CD Catalog in Beta</a>, new drill-down view from Insights report charts</a>, SAST findings in MR changes view</a>, and much more!</p> These are just a few highlights from the 30+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 186 contributions you provided to GitLab 16.7! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.8 release kickoff video.</p> GitLab Security Release: 16.6.2, 16.5.4, 16.4.4 2023-12-13T00:00:00+00:00 Today we are releasing versions 16.6.2, 16.5.4, and 16.4.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Smartcard authentication allows impersonation of arbitrary user using user's public certificate</a></td> High</td> </tr> When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge</a></td> Medium</td> </tr> The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags.</a></td> Medium</td> </tr> Project maintainer can escalate to Project owner using project access token rotate API</a></td> Medium</td> </tr> Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content.</a></td> Medium</td> </tr> Unvalidated timeSpent value leads to unable to load issues on Issue board</a></td> Medium</td> </tr> Developer can bypass predefined variables via REST API</a></td> Medium</td> </tr> Auditor users can create merge requests on projects they don't have access to</a></td> Low</td> </tr> </tbody> </table> Smartcard authentication allows impersonation of arbitrary user using user's public certificate</h3> An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</code>, 7.4). It is now mitigated in the latest release and is assigned CVE-2023-6680</a>.</p> Thanks Lucas Serrano from PEReN (@LSerranoPEReN</a>) for reporting this vulnerability.</p> When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge</h2> An issue has been discovered in GitLab EE Premium and Ultimate affecting versions 16.4.3, 16.5.3, and 16.6.1. In projects using subgroups to define who can push and/or merge to protected branches, there may have been instances in which subgroup members with the Developer role were able to push or merge to protected branches. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-6564</a>.</p> This vulnerability has been discovered internally by a GitLab team member.</p> The following script can help you identify projects that may be subject to a vulnerable configuration. This script can be used to create a CSV file listing projects that have a group set as "Allowed to merge" or "Allowed to push and merge" along with the web_url and project_id for the project and the group_name/group_id for the group. Note that this is not an indication that unauthorized changes were made to protected branches, but rather an indication that these projects were subject to this vulnerable configuration. For impacted projects, customers will need to check merge requests that were merged on their self-managed GitLab instances running 16.4.3, 16.5.3, or 16.6.1 prior to updating to 16.4.4, 16.5.4, or 16.6.2 or on GitLab.com prior to 2023-12-04 18:10 UTC.</p> Click to expand the script</summary> ```sh ## install `glab` (if not already installed) # https://gitlab.com/gitlab-org/cli#installation ## install `jq` (if not already installed) # https://jqlang.github.io/jq/download/ # authenticate with `glab` as Admin (self-managed) or group owner (SaaS) glab auth login ## get `project_id` and `web_url` for all projects at the instance level (self-managed) or group level (SaaS), save it as `project-list.csv` # self-managed - instance level (use Admin PAT for authentication) glab api --hostname "self-managed-gitlab.example.com" --paginate projects 2>> error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv # SaaS - group level (use group owner PAT for authentication) glab api --paginate "groups/$GROUP_ID/projects" 2>> error.log | jq -c '.[]' | jq -rc '[.id, .web_url] | @csv' | tee -a project-list.csv ## add headers to protected_branch_report.csv file echo "project_id, web_url, group_name_push_access, group_id_push_access, group_name_merge_access, group_id_merge_access" > protected_branch_report.csv ## loop through each project to check for protected branches that have a group with push or merge access while IFS=',' read -r PROJECT_ID WEB_URL; do glab api "projects/$PROJECT_ID/protected_branches" 2>> error.log \ | jq -c '.[]' \ | jq 'select((any(.push_access_levels[]; .group_id != null and .access_level == 40)) or (any(.merge_access_levels[]; .group_id != null and .access_level == 40)))' 2>> error.log \ | jq -c "{project_id: $PROJECT_ID, web_url: $WEB_URL, group_id_push_access: .push_access_levels.[].group_id, group_name_push_access: .push_access_levels.[].access_level_description, group_id_merge_access: .merge_access_levels.[].group_id, group_name_merge_access: .merge_access_levels.[].access_level_description}" 2>> error.log \ | jq 'select((.group_id_push_access != null or .group_id_merge_access != null) and (.group_name_push_access != "Maintainers" or .group_name_merge_access != "Maintainers"))' 2>> error.log \ | jq -rc '[.project_id, .web_url, .group_name_push_access, .group_id_push_access, .group_name_merge_access, .group_id_merge_access] | @csv' \ | tee -a protected_branch_report.csv done < project-list.csv ``` GitLab has conducted limited testing to validate this script. As such this script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. </details> The GitLab web interface does not ensure the integrity of information when downloading the source code from installation packages or tags.</h3> An issue has been discovered in GitLab CE/EE affecting all versions before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when source code or installation packages are pulled from a specific tag. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-6051</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project maintainer can escalate to Project owner using project access token rotate API</h3> A privilege escalation vulnerability in GitLab EE affecting all versions from 16.0 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows a project Maintainer to use a Project Access Token to escalate their role to Owner. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2023-3907</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Omission of Double Encoding in File Names Facilitates the Creation of Repositories with Malicious Content.</h3> An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-5512</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unvalidated timeSpent value leads to unable to load issues on Issue board</h3> An issue has been discovered in GitLab EE affecting all versions starting before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue that altered the details shown in the issue boards. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3904</a>.</p> Thanks toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Developer can bypass predefined variables via REST API</h3> An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-5061</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Auditor users can create merge requests on projects they don't have access to</h3> An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.0). It is now mitigated in the latest release and is assigned CVE-2023-3511</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non Security Patches</h2> 16.6.2</h3> [Backport 16.6] Fix redis-namspace dependency version for UBI mailroom</a></li> Fix backup id parsing from backup URLs (16.6 Backport)</a></li> Package Registry: Truncate Pypi metadata description field</a></li> Fix adding confidential child tasks</a></li> Backport Hide obsolete migration warning into 16.6</a></li> [16.6 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> Backport Fix cluster reindexing service preflight check to 16.6</a></li> Backport Sanitize string provided to to_tsvector</a></li> Backport "Update migration to work for any fk name" to 16.6</a></li> Fix Environment destroy job is retried endlessly (16.6 backport)</a></li> Allow users to authenticate via OAuth with password-based providers</a></li> Do not scan entire /var/opt/gitlab for stale pids (16.6 backport)</a></li> </ul> 16.5.4</h3> gitlab-rails: support skipping post-migrations in db checks</a></li> [Backport 16.5] Fix redis-namspace dependency version for UBI mailroom</a></li> Backport - Truncate verification failure message to 255</a></li> [16.5 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> </ul> 16.4.4</h3> [Backport 16.4] Fix redis-namspace dependency version for UBI mailroom</a></li> [16.4 Backport] Fix Admin Mode bug in DeactivateDormantUsersWorker</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 2023-11-30T00:00:00+00:00 Today we are releasing versions 16.6.1, 16.5.3, 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> XSS and ReDoS in Markdown via Banzai pipeline of Jira</a></td> High</td> </tr> Members with admin_group_member custom permission can add members with higher role</a></td> High</td> </tr> Release Description visible in public projects despite release set as project members only through atom response</a></td> Medium</td> </tr> Manipulate the repository content in the UI (CVE-2023-3401 bypass)</a></td> Medium</td> </tr> External user can abuse policy bot to gain access to internal projects</a></td> Medium</td> </tr> Developers can update pipeline schedules to use protected branches even if they don't have permission to merge</a></td> Medium</td> </tr> Users can install Composer packages from public projects even when Package registry</code> is turned off</a></td> Medium</td> </tr> Client-side DOS via Mermaid Flowchart</a></td> Low</td> </tr> Unauthorized member can gain Allowed to push and merge</code> access and affect integrity of protected branches</a></td> Low</td> </tr> Guest users can react (emojis) on confidential work items which they cant see in a project</a></td> Low</td> </tr> </tbody> </table> XSS and ReDoS in Markdown via Banzai pipeline of Jira</h3> Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allowed attacker to execute javascript in victim's browser.</p> This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-6033</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Members with admin_group_member custom permission can add members with higher role</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with admin_group_member</code>` enabled, they may be able to add a member with a higher static role than themselves to the group which may lead to privilege escalation.</p> This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned CVE-2023-6396</a>.</p> This vulnerability was discovered internally by GitLab team member jarka</a>.</p> Release Description visible in public projects despite release set as project members only through atom response</h3> An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3949</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Manipulate the repository content in the UI (CVE-2023-3401 bypass)</h3> An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI.</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-5226</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> External user can abuse policy bot to gain access to internal projects</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects.</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-5995</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Client-side DOS via Mermaid Flowchart</h3> An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input.</p> This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2023-4912</a>.</p> Thanks toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Developers can update pipeline schedules to use protected branches even if they don't have permission to merge</h3> An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch.</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4317</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Users can install Composer packages from public projects even when Package registry</code> is turned off</h3> An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings.</p> This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3964</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized member can gain Allowed to push and merge</code> access and affect integrity of protected branches</h3> An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge</code> permission as a guest user, when granted the permission through a group.</p> This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-4658</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest users can react (emojis) on confidential work items which they cant see in a project</h3> An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items.</p> This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-3443</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Mattermost Security Update</h3> Mattermost has been updated to the latest patch release to mitigate several security issues.</p> Update to PG 14.9 and 13.12</h3> PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417.</p> Update pcre2 to 10.42</h3> pcre2</code> has been updated to version 10.42 to mitigate CVE-2022-41409.</p> Non Security Patches</h2> 16.6.1</h3> Install Gitaly dependencies for project archiving (16.6 backport)</a></li> Fix intermittent 404 errors loading GitLab Pages</a></li> Prefer custom sort order with search in users API</a></li> Backport "Fix group page erroring because of nil user" to 16-6-stable-ee</a></li> Skip encrypted settings logic for Redis when used by Mailroom</a></li> Allow +</code> char in abuse detection for global search</a></li> Backport "Move unlock pipeline cron scheduler out of ee" to 16.6</a></li> Fix bug with pages_deployments files not being deleted on disk</a></li> Backport - Truncate verification failure message to 255</a></li> Backport "Revert "Merge branch 'sc1-release-goredis' into 'master'""</a></li> </ul> 16.5.3</h3> Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-5-stable</code></a></li> Geo: Reduce batch size of verification state backfill</a></li> </ul> 16.4.3</h3> Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-4-stable</code></a></li> Backport to 16.4 the fix for test failure due to "not-existing.com" being registered</a></li> Bump asdf-bootstrapped-verify</code> version on 16.4</a></li> Fix bulk batch export of badges and uploads</a></li> [16.4] ci: Fix broken master by not reading GITLAB_ENV</a></li> Fix assign security check permission checks</a></li> For 16.4: Fix Geo verification state backfill job can exceed batch size</a></li> Geo: Reduce batch size of verification state backfill</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.6 released with GitLab Duo Chat available in Beta 2023-11-16T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.6 with GitLab Duo Chat Available in Beta</a>, MR approvals as a compliance policy</a>, improved forking</a>, improved UI for CI/CD variable management</a>, and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 137 contributions you provided to GitLab 16.6! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.7 release kickoff video.</p> GitLab Patch Release: 16.5.2 2023-11-14T00:00:00+00:00 Today we are releasing versions 16.5.2 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.5.2</h3> Backport to 16.5: Geo: Bring back legacy project Prometheus metrics</a></li> Backport artifacts page breadcrumb fixes</a></li> Fix broken issue rendering when initial ID is null</a></li> Backport - Create group wiki repo if absent when verifying on primary</a></li> backport to 16.5: Fix Geo verification state backfill job can exceed batch size</a></li> Fix assign security check permission checks</a></li> Update postgres_exporter from 0.14.0 to 0.15.0 (16.5 backport)</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 16.5.1, 16.4.2, 16.3.6 2023-10-31T00:00:00+00:00 Today we are releasing versions 16.5.1, 16.4.2, 16.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> On 2023-10-20 11:03 UTC, GitLab internally discovered (CVE-2023-5831) that a change in the GitLab sidebar feature resulted in self-managed GitLab instances sending version-checks to version.gitlab.com each time they opened a page on their GitLab instance. This means that the hostnames and current versions of self-managed GitLab instances were being sent to version.gitlab.com any time a user of that GitLab instance opened any page, regardless of whether or not the sending of version-check was enabled. This information was only accessible to some GitLab team members and was not exposed externally, and GitLab is working to purge the erroneously collected data from our database.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of fixes</h2> Title</th> Severity</th> </tr> </thead> Disclosure of CI/CD variables using Custom project templates</a></td> High</td> </tr> GitLab omnibus DoS crash via OOM with CI Catalogs</a></td> Medium</td> </tr> Parsing gitlab-ci.yml with large string via timeout</code> input leads to Denial of Service</a></td> Medium</td> </tr> DoS - Blocking FIFO files in Tar archives</a></td> Medium</td> </tr> Titles exposed by service-desk template</a></td> Medium</td> </tr> Approval on protected environments can be bypassed</a></td> Low</td> </tr> Version information disclosure when super_sidebar_logged_out</code> feature flag is enabled</a></td> Low</td> </tr> Add abuse detection for search syntax filter pipes</a></td> Low</td> </tr> </tbody> </table> Disclosure of CI/CD variables using Custom project templates</h3> An issue has been discovered in GitLab affecting all versions starting from 11.6 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 8.5). It is now mitigated in the latest release and is assigned CVE-2023-3399</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> GitLab omnibus DoS crash via OOM with CI Catalogs</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-5825</a>.</p> Thanks blakbat</a> for reporting this vulnerability through our HackerOne bug bounty program"</p> Parsing gitlab-ci.yml with large string via timeout</code> input leads to Denial of Service</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file." This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3909</a>.</p> Thanks akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DoS - Blocking FIFO files in Tar archives</h3> An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3246</a>.</p> Thanks zhutyra</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Titles exposed by service-desk template</h3> An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-5600</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Approval on protected environments can be bypassed</h3> An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-4700</a>.</p> Thanks Gregor Pirolt</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Version information disclosure when super_sidebar_logged_out</code> feature flag is enabled</h3> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the super_sidebar_logged_out</code> feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-5831</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Add abuse detection for search syntax filter pipes</h3> An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release. We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability was found internally by GitLab.</p> Update curl to v8.4.0</h3> curl has been updated to v8.4.0 to mitigate CVE-2023-38545</a>.</p> Update mermaid to 10.5.0</h3> mermaid has been updated to 10.5.0 to mitigate a security issue.</p> Patch NGINX for CVE-2023-44487</h3> NGINX has been patched to mitigate CVE-2023-44487.</p> Non Security Patches</h2> 16.5.1</h3> Revert better-error-messages-for-pull-mirroring</a></li> Update post migration to drop column only if it exists</a></li> Downgrade vue-apollo to prevent auto-restarting subscriptions on error</a></li> </ul> 16.4.2</h3> UBI: Explicitly add webrick gem to mailroom build</a></li> Update VERSION files</a></li> Update dependency prometheus-client-mmap to '>= 0.28.1'</a></li> Backport: fix migration when commit_message_negative_regex is missing</a></li> Backport to 16.4: Geo: Avoid getting resources stuck in Queued</a></li> Fix pipeline schedules view when owner is nil</a></li> Quarantine flaky delete_job_spec:46</a></li> Create Geo event when project is created</a></li> Fix bug with batched gitaly ref deletion duplicates</a></li> </ul> 16.3.6</h3> UBI: Explicitly add webrick gem to mailroom build</a></li> Backport 16.3: Upgrade exiftool to 12.65</a></li> Fixes the 16-3-stable branch</a></li> Backport to 16.3: Geo: Avoid getting resources stuck in Queued</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.5 released with compliance standards adherence reports and merge request target branch rules 2023-10-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.5 with compliance standards adherence reports</a>, merge request target branch rules</a>, resolvable issue threads</a>, fast-forward merge trains with semi-linear history</a>, and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 170+ contributions you provided to GitLab 16.5! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.6 release kickoff video.</p> GitLab Security Release: 16.4.1, 16.3.5, and 16.2.8 2023-09-28T00:00:00+00:00 Today we are releasing versions 16.4.1, 16.3.5, and 16.2.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project</a></td> high</td> </tr> Group import allows impersonation of users in CI pipelines</a></td> high</td> </tr> Developers can bypass code owners approval by changing a MR's base branch</a></td> high</td> </tr> Leaking source code of restricted project through a fork</a></td> medium</td> </tr> Third party library Consul requires enable-script-checks to be False to enable patch</a></td> medium</td> </tr> Service account not deleted when namespace is deleted allowing access to internal projects</a></td> medium</td> </tr> Enforce SSO settings bypassed for public projects for Members without identity</a></td> medium</td> </tr> Removed project member can write to protected branches</a></td> medium</td> </tr> Unauthorised association of CI jobs for Machine Learning experiments</a></td> medium</td> </tr> Force pipelines to not have access to protected variables and will likely fail using tags</a></td> medium</td> </tr> Maintainer can create a fork relationship between existing projects</a></td> medium</td> </tr> Disclosure of masked CI variables via processing CI/CD configuration of forks</a></td> medium</td> </tr> Asset Proxy Bypass using non-ASCII character in asset URI</a></td> low</td> </tr> Unauthorized member can gain Allowed to push and merge</code> access and affect integrity of protected branches</a></td> low</td> </tr> Removed Developer can continue editing the source code of a public project</a></td> low</td> </tr> A project reporter can leak owner's Sentry instance projects</a></td> low</td> </tr> Math rendering in markdown can escape container and hijack clicks</a></td> low</td> </tr> </tbody> </table> Attacker can add other projects policy bot as member to their own project and use that bot to trigger pipelines in victims project</h2> A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). It is now mitigated in the latest release and is assigned CVE-2023-5207</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group import allows impersonation of users in CI pipelines</h2> Two issues have been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports. These are a high severity issues (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). They are now mitigated in the latest release and are assigned CVE-2023-5106</a>.</p> These issues have been discovered internally by GitLab team member Joern Schneeweisz</a>.</p> Developers can bypass code owners approval by changing a MR's base branch</h2> An issue has been discovered in GitLab EE affecting all versions starting 15.3 prior to prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned CVE-2023-4379</a>.</p> This issue was reported by a customer.</p> Leaking source code of restricted project through a fork</h2> An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that an unauthorised user to fork a public project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-3413</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Third party library Consul requires enable-script-checks to be False to enable patch</h2> Patch in third party library Consul requires 'enable-script-checks' to be set to False. This only affects GitLab-EE. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2023-5332</a>.</p> This issue was reported by a customer.</p> Service account not deleted when namespace is deleted allowing access to internal projects</h2> A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-3914</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Enforce SSO settings bypassed for public projects for Members without identity</h2> An issue has been discovered in GitLab EE affecting all versions affecting all versions from 11.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Single Sign On restrictions were not correctly enforced for indirect project members accessing public members-only project repositories. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-3115</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Removed project member can write to protected branches</h2> An issue has been discovered in GitLab affecting all versions prior to 16.2.7, all versions starting from 16.3 before 16.3.5, and all versions starting from 16.4 before 16.4.1. It was possible for a removed project member to write to protected branches using deploy keys. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-5198</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorised association of CI jobs for Machine Learning experiments</h2> An issue has been discovered in GitLab affecting all versions starting from 16.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. Users were capable of linking CI/CD jobs of private projects which they are not a member of. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4532</a>.</p> Thanks ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Force pipelines to not have access to protected variables and will likely fail using tags</h2> Denial of Service in pipelines affecting all versions of Gitlab EE and CE prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows attacker to cause pipelines to fail. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3917</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can create a fork relationship between existing projects</h2> An issue has been discovered in GitLab affecting all versions starting from 11.2 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that a maintainer to create a fork relationship between existing projects contrary to the documentation. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3920</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Disclosure of masked CI variables via processing CI/CD configuration of forks</h2> An information disclosure issue in GitLab CE/EE affecting all versions from 13.11 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows an attacker to extract non-protected CI/CD variables by tricking a user to visit a fork with a malicious CI/CD configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0989</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Asset Proxy Bypass using non-ASCII character in asset URI</h2> An input validation issue in the asset proxy in GitLab EE, affecting all versions from 12.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1, allowed an authenticated attacker to craft image urls which bypass the asset proxy. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-3906</a>.</p> Thanks afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized member can gain Allowed to push and merge</code> access and affect integrity of protected branches</h2> An issue has been discovered in GitLab EE affecting all versions starting from X.Y before 16.X, all versions starting from 16.X before 16.X. It was possible for an attacker to abuse the Allowed to merge</code> permission as a guest user, when granted the permission through a group. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-4658</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Removed Developer can continue editing the source code of a public project</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible that upstream members to collaborate with you on your branch get permission to write to the merge request’s source branch. . This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-3979</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> A project reporter can leak owner's Sentry instance projects</h2> An improper authorization issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.2.x8, all versions starting from 16.3 before 16.3.5 and all versions starting from 16.4.0 before 16.4.1. It allows a project reporter to leak the owner's Sentry instance projects. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-2233</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Math rendering in markdown can escape container and hijack clicks</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.15 before 16.2.8, all versions starting from 16.3 before 16.3.5, all versions starting from 16.4 before 16.4.1. It was possible to hijack some links and buttons on the GitLab UI to a malicious page. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:L</code>, 3.0). It is now mitigated in the latest release and is assigned CVE-2023-3922</a>.</p> Thanks ammar2</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Exiftool</h1> Exiftool has been updated to version 1.12 in order to mitigate security issues.</p> Update Mattermost</h1> Mattermost has been updated to version 8.1.2 in order to mitigate security issues.</p> Update Auto deploy image</h1> Auto deploy image has been updated to version 2.55.0 in order to mitigate security issues.</p> Non Security Patches</h2> 16.3.5</h3> Backport disable v1 package metadata sync</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.4 released with customizable roles and group-level dependency list 2023-09-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.4 with Customizable Roles</a>, Group/sub-group level dependency list</a>, Access clusters locally using your GitLab user identity</a>, Create workspaces for private projects</a> and much more!</p> These are just a few highlights from the 100+ improvements in this release. Read on to check out all of the great updates below.</p> To the wider GitLab community, thank you for the 137 contributions you provided to GitLab 16.4! At GitLab, everyone can contribute</a> and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.5 release kickoff video.</p> Note that our monthly release date will change to the third Thursday of every month</a> starting with our 16.6 release.</p> GitLab Critical Security Release: 16.3.4 and 16.2.7 2023-09-18T00:00:00+00:00 Today we are releasing versions 16.3.4 and 16.2.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>. For versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4, see the mitigations</a> offered below.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Attacker can abuse scan execution policies to run pipeline as another user</a></td> high</td> </tr> </tbody> </table> Attacker can abuse scan execution policies to run pipelines as another user</h2> An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.2.7 and all versions starting from 16.3 before 16.3.4. It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. This was a bypass of CVE-2023-3932</a> showing additional impact. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). It is now mitigated in the latest release and is assigned CVE-2023-5009</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Mitigations for impacted versions</h3> Instances running versions starting from 13.12 before 16.2.7, all versions starting from 16.3 before 16.3.4 are vulnerable if both of the features below are enabled at the same time. In order to mitigate this vulnerability in situations where it's not possible to upgrade, it is required to disable one or both features.</p> Direct transfers</a></li> Security policies</a></li> </ul> If both features are turned on, the instance is in a vulnerable state.</strong></p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 16.3.4</h3> Use new indexer, fix removing blobs from index</a></li> Backport "Fix Geo secondary proxying Git pulls unnecessarily" to 16.3</a></li> </ul> 16.2.7</h3> Revert "Merge branch 'md-play-all-skipped-button' into 'master'"</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 16.3.3 2023-09-12T00:00:00+00:00 Today we are releasing versions 16.3.3 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.3.3</h3> Pin redis-client to v0.17.0</a></li> Backport !6251 to 16-3-stable</a></li> Backport create ci_pipelines iid sequence on new projects to 16.3</a></li> Backport 16.3 Fix cluster service reindexing params</a></li> Patch UpdateCiMaxTotalYamlSizeBytesDefaultValue - stable branch</a></li> Remove gdk base image and pin gdk sha</a></li> Backport Enable sync with package metadata db by default</a></li> Backport "Prevent pipeline creation while import is running" to 16.3</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.2.6 2023-09-12T00:00:00+00:00 Today we are releasing versions 16.2.6 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.2.6</h3> Pin redis-client to v0.14.1</a></li> praefect: Handle replica paths in 'track-repository' and 'track-repositories' subcommands</a></li> Backport create ci_pipelines iid sequence on new projects to 16.2</a></li> Backport "Drop bridge jobs on unknown failures" to 16.2</a></li> Backport "Prevent pipeline creation while import is running" to 16.2</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.3.2 2023-09-05T00:00:00+00:00 Today we are releasing versions 16.3.2 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.3.2</h3> Fix Code Suggestions in Web IDE on GitLab 16.3</a></li> Backport "Drop bridge jobs on unknown failures" to 16.3</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 16.3.1, 16.2.5, and 16.1.5 2023-08-31T00:00:00+00:00 Today we are releasing versions 16.3.1, 16.2.5 and 16.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Privilege escalation of "external user" to internal access through group service account</a></td> medium</td> </tr> Maintainer can leak sentry token by changing the configured URL (fix bypass)</a></td> medium</td> </tr> Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners</a></td> medium</td> </tr> Information disclosure via project import endpoint</a></td> medium</td> </tr> Developer can leak DAST scanners "Site Profile" request headers and auth password</a></td> medium</td> </tr> Project forking outside current group</a></td> medium</td> </tr> User is capable of creating Model experiment and updating existing run's status in public project</a></td> medium</td> </tr> ReDoS in bulk import API</a></td> medium</td> </tr> Pagination for Branches and Tags can be skipped leading to DoS</a></td> medium</td> </tr> Internal Open Redirection Due to Improper handling of "../" characters</a></td> low</td> </tr> Subgroup Member With Reporter Role Can Edit Group Labels</a></td> low</td> </tr> Banned user can delete package registries</a></td> low</td> </tr> </tbody> </table> Privilege escalation of "external user" to internal access through group service account</h2> An issue has been discovered in GitLab EE affecting all versions starting from 16.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. If an external user is given an owner role on any group, that external user may escalate their privileges on the instance by creating a service account in that group. This service account is not classified as external and may be used to access internal projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-3915</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak sentry token by changing the configured URL (fix bypass)</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A malicious Maintainer can, under specific circumstances, leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This was as a result of an incomplete fix for CVE-2022-4365. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned [CVE-2023-4378](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4378.</p> Thanks 70rpedo</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Google Cloud Logging private key showed in plain text in GitLab UI leaking to other group owners</h2> An information disclosure issue in GitLab EE affecting all versions from 16.2 prior to 16.2.5, and 16.3 prior to 16.3.1 allowed other Group Owners to see the Public Key for a Google Cloud Logging audit event streaming destination, if configured. Owners can now only write the key, not read it. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5), and affects only GitLab EE. It is now mitigated in the latest release and is assigned [CVE-2023-3950](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3950.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Information disclosure via project import endpoint</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which any user can read limited information about any project's imports. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2023-4630</a>.</p> This vulnerability was found internally by a GitLab team member Rodrigo Tomonari</a>.</p> Developer can leak DAST scanners "Site Profile" request headers and auth password</h2> An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which a project member can leak credentials stored in site profile. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0), and only affects GitLab EE. It is now mitigated in the latest release and is assigned CVE-2022-4343</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project forking outside current group</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to fork a project outside of current group by an unauthorised user. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4638</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> User is capable of creating Model experiment and updating existing run's status in public project</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to create model experiments in public projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4018</a>.</p> Thanks ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program</p> ReDoS in bulk import API</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. An authenticated user could trigger a denial of service when importing or cloning malicious content. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>,6.5). It is now mitigated in the latest release and is assigned CVE-2023-3205</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Pagination for Branches and Tags can be skipped leading to DoS</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 in which the projects API pagination can be skipped, potentially leading to DoS on certain instances. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-4647</a>.</p> This vulnerability has been discovered internally by GitLab team member Vasilii Iakliushin</a></p> Internal Open Redirection Due to Improper handling of "../" characters</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 4.1 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1 where it was possible to create a URL that would redirect to a different project. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-1279</a>.</p> Thanks akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Subgroup Member With Reporter Role Can Edit Group Labels</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. Due to improper permission validation it was possible to edit labels description by an unauthorised user. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-0120</a>.</p> Thanks drjgouveia</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Banned user can delete package registries</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.1.5, all versions starting from 16.2 before 16.2.5, all versions starting from 16.3 before 16.3.1. A namespace-level banned user can access the API. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2023-1555</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update commonmarker</h2> Commonmarker has been updated to version 0.23.10 in order to mitigate security issues.</p> Update openssl</h2> Openssl has been updated to version to 1.1.1u in order to mitigate security issues.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 16.3.1</h3> Remove unified URL limitation for GitLab chart (16.3 backport)</a></li> Revert migration to backfill archived in wikis</a></li> Add .net to context selector to skip live envs</a></li> Backport "Geo: Resync direct upload object stored artifacts" to 16.3</a></li> CSP: disable LFS url when not using object storage</a></li> Backport LicenseScanning fix for AutoDevOps</a></li> </ul> 16.2.5</h3> Backport "cgroup: using a noop manager on linux without cgroup" fix to 16.2</a></li> Adjust Danger logic for stable branches</a></li> Backport "Geo: Resync direct upload object stored artifacts" to 16.2</a></li> </ul> 16.1.5</h3> Revert "Log rails response length" - 16.1 Backport</a></li> Adjust Danger logic for stable branches</a></li> Backport "Geo: Resync direct upload object stored artifacts" to 16.1</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.3 released with new velocity metrics in the Value Streams Dashboard 2023-08-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.3 with new velocity metrics in the Value Streams Dashboard</a>, more powerful GitLab SaaS runners on Linux</a>, additional filtering for scan result policies</a>, workspace connections with SSH</a>, Flux sync status visualization</a>, and much more!</p> These are just a few highlights from the 100+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 237 contributions they provided to GitLab 16.3! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.4 release kickoff video.</p> GitLab Patch Release: 16.2.4 2023-08-11T00:00:00+00:00 Today we are releasing versions 16.2.4 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.2.4</h3> Backport '420347-fix-new-index-settings' to 16.2</a></li> Backport Fix max number of slices to 16.2</a></li> Put back broadcast messages to sign-in page for self-hosted</a></li> Revert "Remove log_response_length feature flag" - 16.2 Backport</a></li> Fix broken dependency list for invalid Container Scanning pkg mgr type</a></li> Replace vscode-cdn.net with web-ide.gitlab-static.net (Backport)</a></li> Set proxy_http_version v1.0 for health monitoring endpoints</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.2.3 2023-08-03T00:00:00+00:00 Today we are releasing versions 16.2.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a bug.</p> GitLab Community Edition and Enterprise Edition</h2> 16.2.3</h3> Backport "Fix artifacts object storage geo replication" to 16.2</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.1.4 2023-08-03T00:00:00+00:00 Today we are releasing version 16.1.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.1.4</h3> Backport "Fix artifacts object storage geo replication" to 16.1</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 16.2.2, 16.1.3, and 16.0.8 2023-08-01T00:00:00+00:00 Today we are releasing versions 16.2.2, 16.1.3, and 16.0.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> ReDoS via ProjectReferenceFilter in any Markdown fields</a></td> high</td> </tr> ReDoS via AutolinkFilter in any Markdown fields</a></td> high</td> </tr> An attacker can run pipeline jobs as arbitrary user</a></td> high</td> </tr> Regex DoS in Harbor Registry search</a></td> medium</td> </tr> Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality</a></td> medium</td> </tr> Stored XSS in Web IDE Beta via crafted URL</a></td> medium</td> </tr> securityPolicyProjectAssign</code> mutation does not authorize security policy project ID</a></td> medium</td> </tr> Possible Pages Unique Domain Overwrite</a></td> medium</td> </tr> Access tokens may have been logged when a query was made to an endpoint</a></td> medium</td> </tr> Reflected XSS via PlantUML diagram</a></td> medium</td> </tr> The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code</a></td> medium</td> </tr> Invalid 'start_sha' value on merge requests page may lead to Denial of Service</a></td> medium</td> </tr> Developers can create pipeline schedules on protected branches even if they don't have access to merge</a></td> medium</td> </tr> Potential DOS due to lack of pagination while loading license data</a></td> medium</td> </tr> Leaking emails of newly created users</a></td> low</td> </tr> </tbody> </table> ReDoS via ProjectReferenceFilter in any Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use ProjectReferenceFilter to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3994</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS via AutolinkFilter in any Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible via sending crafted payloads which use AutolinkFilter to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3364</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> An attacker can run pipeline jobs as arbitrary user</h2> An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to run pipeline jobs as an arbitrary user via scheduled security scan policies. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 8.2). It is now mitigated in the latest release and is assigned CVE-2023-3932</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regex DoS in Harbor Registry search</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A Regular Expression Denial of Service was possible by using crafted payloads to search Harbor Registry. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0632</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary read of files owned by the "git" user via malicious tar.gz file upload using GitLab export functionality</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.10 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Under specific circumstances, a user importing a project 'from export' could access and read unrelated files via uploading a specially crafted file. This was due to a bug in tar</code>, fixed in tar-1.35</code></a>. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N</code>, 6.3). It is now mitigated in the latest release and is assigned CVE-2023-3385</a>.</p> Thanks ubercomp</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS in Web IDE Beta via crafted URL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for an attacker to trigger a stored XSS vulnerability via user interaction with a crafted URL in the WebIDE beta. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-2164</a>.</p> Thanks viridian_40826d</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> securityPolicyProjectAssign</code> mutation does not authorize security policy project ID</h2> An issue has been discovered in GitLab EE affecting all versions starting from 14.1 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible for EE-licensed users to link any security policy project by its ID to projects or groups the user has access to, potentially revealing the security projects's configured security policies. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-4002</a>.</p> This vulnerability has been discovered internally by GitLab team member bauerdominic</a>.</p> Possible Pages Unique Domain Overwrite</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to takeover GitLab Pages with unique domain URLs if the random string added was known. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2023-4008</a>.</p> This vulnerability was discovered internally by GitLab team member kassio</a>.</p> Access tokens may have been logged when a query was made to an endpoint</h2> An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Access tokens may have been logged when a query was made to a specific endpoint. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2023-3993</a>.</p> This vulnerability was discovered internally by GitLab team member mjozenazemian</a>.</p> Reflected XSS via PlantUML diagram</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. A reflected XSS was possible when creating specific PlantUML diagrams that allowed the attacker to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-3500</a>.</p> Thanks ankitsingh</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> The main branch of a repository with a specially designed name may allow an attacker to create repositories with malicious code</h2> An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-3401</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Invalid 'start_sha' value on merge requests page may lead to Denial of Service</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. An invalid 'start_sha' value on merge requests page may lead to Denial of Service as Changes tab would not load. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3900</a>.</p> Thanks toukakirishima</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Developers can create pipeline schedules on protected branches even if they don't have access to merge</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2, which leads to developers being able to create pipeline schedules on protected branches even if they don't have access to merge. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2022</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Potential DOS due to lack of pagination while loading license data</h2> An issue has been discovered in GitLab EE affecting all versions from 15.11 prior to 16.2.2 which allows an attacker to spike the resource consumption by loading Dependency List page, resulting in a possible DoS. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is mitigated in the latest 16.2.2 release and is assigned CVE-2023-4011</a>.</p> This vulnerability was discovered internally by GitLab team member gonzoyumo</a>.</p> Leaking emails of newly created users</h2> An issue has been discovered in GitLab affecting all versions starting from 12.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. It was possible to leak a user's email via an error message for groups that restrict membership by email domain. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1210</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to version 7.10.4 in order to mitigate security issues.</p> Update Redis</h2> Redis has been updated to version 6.2.13 in order to mitigate security issues.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 16.2.2</h3> Issue type change to incident results in 404</a></li> Enable descendant_security_scans</code> by default</a></li> Disable IAT verification by default</a></li> BitBucket Server Importer - Preserve PR (MR) reviewers</a></li> Toggle recommend_pg_upgrade</code> to false for now</a></li> </ul> 16.1.3</h3> Geo: Backport design repos verification bug fix</a></li> Geo - Backport wiki repository verification fix</a></li> Fix FOUC when new sidebar enabled</a></li> Repair the trigger for Release Environments</a></li> Disable IAT verification by default</a></li> Backport fix for pending direct uploads completion to 16.1</a></li> BitBucket Server Importer - Preserve PR (MR) reviewers</a></li> Fix pg-upgrade failure on Geo secondary nodes [16.1]</a></li> Don't 500 when pages tries to serve a chunked file</a></li> </ul> 16.0.8</h3> Disable IAT verification by default</a></li> Fix pg-upgrade failure on Geo secondary nodes [16.0]</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.11.13 2023-07-27T00:00:00+00:00 Today we are releasing version 15.11.13 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.13</h3> Disable IAT verification by default</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.2.1 2023-07-25T00:00:00+00:00 Today we are releasing versions 16.2.1 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.2.1</h3> Backport fix for pending direct uploads completion to 16.2</a></li> Fix crash when LDAP CA file set outside tls_options</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 16.2 released with all new rich text editor experience 2023-07-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.2 with all new rich text editor experience</a>, command palette</a>, support for keyless signing with Cosign</a>, new customization layer for the Value Streams Dashboard</a> and much more!</p> These are just a few highlights from the 110+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 208 contributions they provided to GitLab 16.2! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.3 release kickoff video.</p> GitLab Patch Release: 15.11.12 2023-07-17T00:00:00+00:00 Today we are releasing versions 15.11.12 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> Fix pg-upgrade failure on Geo secondary nodes</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 16.1.2, 16.0.7, and 15.11.11 2023-07-05T00:00:00+00:00 Today we are releasing versions 16.1.2, 16.0.7, and 15.11.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab Enterprise Edition installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all GitLab EE installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> A user can change the name and path of some public GitLab groups</a></td> high</td> </tr> </tbody> </table> A user can change the name and path of some public GitLab groups</h2> An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H</code>, 8.0). It is now mitigated in the latest release and is assigned CVE-2023-3484</a>.</p> Thanks zeb0x01</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 16.1.2</h3> Fix environments tab is empty after upgrading to 16.1</a></li> Fix Bitbucket Cloud Importer: 16.1 backport</a></li> Fix GitHub Importer: 16.1 Backport</a></li> Fix overlapping titles in wiki sidebar navigation</a></li> Reset webpack path for Mermaid iFrames</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Security Release: 16.1.1, 16.0.6, and 15.11.10 2023-06-29T00:00:00+00:00 Today we are releasing versions 16.1.1, 16.0.6, and 15.11.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> ReDoS via EpicReferenceFilter in any Markdown fields</a></td> high</td> </tr> New commits to private projects visible in forks created while project was public</a></td> medium</td> </tr> Code Owners approvals are not removed allowing merge into protected branches</a></td> medium</td> </tr> Maintainer can leak masked webhook secrets by manipulating URL masking</a></td> medium</td> </tr> Information disclosure of project import errors</a></td> medium</td> </tr> Sensitive information disclosure via value stream analytics controller</a></td> medium</td> </tr> Bypassing Code Owners branch protection rule in GitLab</a></td> medium</td> </tr> HTML injection in email address</a></td> medium</td> </tr> Webhook token leaked in Sidekiq logs if log format is 'default'</a></td> low</td> </tr> Private email address of service desk issue creator disclosed via issues API</a></td> low</td> </tr> </tbody> </table> ReDoS via EpicReferenceFilter in any Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-3424</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> New commits to private projects visible in forks created while project was public</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-2190</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Code Owners approvals are not removed allowing merge into protected branches</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.3 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to merge arbitrary code into protected branches due to a CODEOWNERS approval bug. This is a medium severity issue (CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-3444</a>.</p> Thanks glan1k</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak masked webhook secrets by manipulating URL masking</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1. A maintainer could modify a webhook URL to leak masked webhook secrets by manipulating other masked portions. This addresses an incomplete fix for CVE-2023-0838. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-2620</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Information disclosure of project import errors</h2> An information disclosure issue in GitLab CE/EE affecting all versions from 16.0 prior to 16.0.6, and version 16.1.0 allows unauthenticated actors to access the import error information if a project was imported from GitHub. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3362</a>.</p> This vulnerability has been discovered internally by GitLab team member Rodrigo Tomonari</a>.</p> Sensitive information disclosure via value stream analytics controller</h2> A sensitive information leak issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows access to titles of private issues and merge requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3102</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypassing Code Owners branch protection rule in GitLab</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. This allowed a developer to remove the CODEOWNERS rules and merge to a protected branch. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2576</a>.</p> Thanks inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> HTML injection in email address</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 7.14 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to inject HTML in an email address field. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N</code>, 4.1). It is now mitigated in the latest release and is assigned CVE-2023-2200</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Webhook token leaked in Sidekiq logs if log format is 'default'</h2> An information disclosure issue in Gitlab CE/EE affecting all versions from 13.6 prior to 15.11.10, all versions from 16.0 prior to 16.0.6, all versions from 16.1 prior to 16.1.1, resulted in the Sidekiq log including webhook tokens when the log format was set to default</code>. This is a low severity issue (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 3.9). It is now mitigated in the latest release and is assigned CVE-2023-3363</a>.</p> This vulnerability was reported by Martin Vaisset from MyMoneyBank.</p> Private email address of service desk issue creator disclosed via issues API</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1, which allows an attacker to leak the email address of a user who created a service desk issue. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-1936</a>.</p> Thanks ricardobrito</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to version 7.10.2 in GitLab 16.0.6 and version 7.9.4 in GitLab 15.11.10 in order to mitigate security issues.</p> Update xmlsoft/libxml2 to version 2.10.4</h2> xmlsoft/libxml2 has been updated to version 2.10.4 in order to mitigate security issues.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.1 released with all new navigation 2023-06-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.1 with all new navigation</a>, GitLab Dedicated General Availability</a>, Kubernetes resource visualization</a>, Authentication with Service Accounts</a> and much more!</p> These are just a few highlights from the 100+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 189 contributions they provided to GitLab 16.1! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.2 release kickoff video.</p> GitLab Patch Release: 16.0.5 2023-06-16T00:00:00+00:00 Today we are releasing versions 16.0.5 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.0.5</h3> Update gitlab-elasticsearch-indexer version</a></li> Add Metrics Dashboard menu</a></li> Fix HllRedisCounter overwriting know events aggregation with symbol instead of string (backport)</a></li> Slowly iterate MigrateSharedVulnerabilityIdentifiers</a></li> Do not run bulk cron indexer when cluster is unhealthy</a></li> Use root_ref to index commits</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.11.9 2023-06-15T00:00:00+00:00 Today we are releasing versions 15.11.9 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.9</h3> Slowly iterate MigrateSharedVulnerabilityIdentifiers</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.0.4 2023-06-08T00:00:00+00:00 Today we are releasing versions 16.0.4 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.0.4</h3> Fix LDAP tls_options not working</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 16.0.3 2023-06-07T00:00:00+00:00 Today we are releasing versions 16.0.3 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 16.0.3</h3> Fix serialization of pull_requests in Bitbucket Server Import</a></li> Fix memory leak in CI config includes entry</a></li> Fix MR approval rules sync when disabling scan result policy</a></li> LFS: Serve pre-signed URLs in /lfs/objects/batch</code></a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.11.8 2023-06-07T00:00:00+00:00 Today we are releasing versions 15.11.8 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.8</h3> Fix serialization of pull requests in BitbucketServer Import</a></li> Update stable branch with security</a></li> LFS: Serve pre-signed URLs in /lfs/objects/batch</code></a></li> Fix memory leak in CI config includes entry</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 16.0.2, 15.11.7, and 15.10.8 2023-06-05T00:00:00+00:00 Today we are releasing versions 16.0.2, 15.11.7, and 15.10.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored-XSS with CSP-bypass in Merge requests</a></td> high</td> </tr> ReDoS via FrontMatterFilter in any Markdown fields</a></td> high</td> </tr> ReDoS via InlineDiffFilter in any Markdown fields</a></td> high</td> </tr> ReDoS via DollarMathPostFilter in Markdown fields</a></td> high</td> </tr> DoS via malicious test report artifacts</a></td> medium</td> </tr> Restricted IP addresses can clone repositories of public projects</a></td> medium</td> </tr> Reflected XSS in Report Abuse Functionality</a></td> medium</td> </tr> Privilege escalation from maintainer to owner by importing members from a project</a></td> medium</td> </tr> Bypassing tags protection in GitLab</a></td> medium</td> </tr> Denial of Service using multiple labels with arbitrarily large descriptions</a></td> medium</td> </tr> Ability to use an unverified email for public and commit emails</a></td> medium</td> </tr> Open Redirection Through HTTP Response Splitting</a></td> low</td> </tr> Disclosure of issue notes to an unauthorized user when exporting a project</a></td> low</td> </tr> Ambiguous branch name exploitation</a></td> low</td> </tr> </tbody> </table> Stored-XSS with CSP-bypass in Merge requests</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-2442</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS via FrontMatterFilter in any Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2199</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS via InlineDiffFilter in any Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A Regular Expression Denial of Service was possible via sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2198</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS via DollarMathPostFilter in Markdown fields</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A DollarMathPostFilter Regular Expression Denial of Service in was possible by sending crafted payloads to the preview_markdown endpoint. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2023-2132</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DoS via malicious test report artifacts</h2> A denial of service issue was discovered in GitLab CE/EE affecting all versions starting from 13.2.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2 which allows an attacker to cause high resource consumption using malicious test report artifacts. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0121</a>.</p> Thanks luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Restricted IP addresses can clone repositories of public projects</h2> An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker can clone a repository from a public project, from a disallowed IP, even after the top-level group has enabled IP restrictions on the group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2023-2589</a>.</p> Thanks ali_shehab</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Reflected XSS in Report Abuse Functionality</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.8 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A reflected XSS was possible when creating new abuse reports which allows attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2015</a>.</p> Thanks akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Privilege escalation from maintainer to owner by importing members from a project</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A malicious maintainer in a project can escalate other users to Owners in that project if they import members from another project that those other users are Owners of. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-2485</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypassing tags protection in GitLab</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An attacker was able to spoof protected tags, which could potentially lead a victim to download malicious code. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-2001</a>.</p> Thanks inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of Service using multiple labels with arbitrarily large descriptions</h2> A lack of length validation in GitLab CE/EE affecting all versions from 8.3 before 15.10.8, 15.11 before 15.11.7, and 16.0 before 16.0.2 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0921</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Ability to use an unverified email for public and commit emails</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.1 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A user could use an unverified email as a public email and commit email by sending a specifically crafted request on user update settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1204</a>.</p> Thanks theluci</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Open Redirection Through HTTP Response Splitting</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. Open redirection was possible via HTTP response splitting in the NPM package API. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-0508</a>.</p> Thanks akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Disclosure of issue notes to an unauthorized user when exporting a project</h2> An issue has been discovered in GitLab EE affecting all versions starting from 15.7 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. It was possible to disclose issue notes to an unauthorized user at project export. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1825</a>.</p> This vulnerability has been discovered internally by GitLab team member.</p> Ambiguous branch name exploitation</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. An issue was found that allows someone to abuse a discrepancy between the Web application display and the git command line interface to social engineer victims into cloning non-trusted code. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2023-2013</a>.</p> Thanks inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to version 7.9.3 in order to mitigate security issues.</p> Update Ncurses</h2> Ncurses has been updated to version 6.4-20230225 in order to mitigate security issues.</p> Update PostgreSQL</h2> PostgreSQL has been updated to versions 12.14 and 13.11 in order to mitigate security issues.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 16.0.2</h3> Update the upgrade path for 15.11 and 16.x</a></li> Introduce parallelised BitBucket Server Importer</a></li> Fix Sidekiq crash when gitlab.yml contains UTF-8 characters</a></li> Revert "Remove legacy project routes"</a></li> Merge branch '344594-fix-migration' into '16-0-stable-ee'</a></li> Do not run notify-package-and-test-failure on sec</a></li> Add task to fix migrations for 15.11 upgrades (16.0 Stable)</a></li> Do not requeue the indexing worker if failures occur</a></li> Stop supporting and using deprecated Gitaly configuration</a></li> </ul> 15.11.7</h3> Backport 'Remove uncessary fields from pack-objects cache key computation' to 15.11</a></li> Do not run notify-package-and-test-failure on sec</a></li> Add task to fix migrations for 15.11 upgrades (15.11 Stable)</a></li> </ul> 15.10.8</h3> Update redis-namespace dependency in MailRoom</a></li> Skip weak dependencies during install on UBI</a></li> Fix restore with azcopy</a></li> Backport 'fix-container-replication' into 15.10</a></li> Convert some regex to use Gitlab::UntrustedRegexp</a></li> Do not run notify-package-and-test-failure on sec</a></li> Add SMTP timeout configuration options</a></li> Validate that SMTP settings do not enable both TLS and STARTTLS</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.11.6 2023-05-24T00:00:00+00:00 Today we are releasing versions 15.11.6 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.6</h3> Introduce parallelised BitBucket Server Importer</a></li> [15-11 backport] Skip weak dependencies during install on UBI</a></li> Backport 15.11 | Fix restore with azcopy</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 16.0.1 2023-05-23T00:00:00+00:00 Today we are releasing version 16.0.1 for GitLab Community Edition (CE) and Enterprise Edition (EE). It is only required for installations running 16.0.0. Earlier versions are not affected.</p> This version contains important security fixes, and we strongly recommend that GitLab installations running 16.0.0 be upgraded immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary file read via uploads path traversal</a></td> critical</td> </tr> </tbody> </table> Arbitrary file read via uploads path traversal</h2> An issue has been discovered in GitLab CE/EE affecting only version 16.0.0. An unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N</code>, 10.0). It is now mitigated in the latest release and is assigned CVE-2023-2825</a>.</p> Thanks pwnie</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 16.0 released with Value Streams Dashboards and improvements to AI-powered Code Suggestions 2023-05-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 16.0 with Value Streams Dashboards now generally available</a>, Remote development workspaces</a>, more powerful GitLab SaaS runners</a>, comment templates</a>, and much more!</p> We've also made improvements to our AI-powered Code Suggestions</a>. This is just one of many AI-assisted features</a> we are iterating on to help you build more secure software, faster. Check out our ongoing AI/ML in DevSecOps Blog Series</a> to stay up-to-date between GitLab release announcements.</p> These are just a few highlights from the 55+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 304 contributions they provided to GitLab 16.0! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.1 release kickoff video.</p> GitLab Patch Release: 15.11.5 2023-05-19T00:00:00+00:00 Today we are releasing versions 15.11.5 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.5</h3> [15.11] Fix no_proxy not working when DNS rebinding protection enabled</a></li> Remove epic date fields authorization</a></li> Update by_parent filter in EpicsFinder</a></li> Fix Roadmap frontend glitches and timeline bar placement</a></li> Makes roadmap current day indicator & timeline locale aware</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.11.4 2023-05-17T00:00:00+00:00 Today we are releasing versions 15.11.4 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.11.4</h3> [15.11] Update redis-namespace dependency in MailRoom</a></li> Do not autofocus the description field</a></li> Adapt MR widget to support fail-closed approval rules</a></li> Fix group blobs search permission when migration is not complete</a></li> Use correct migration finalisation method</a></li> [15.11] Add SMTP timeout configuration options</a></li> [15.11] Validate that SMTP settings do not enable both TLS and STARTTLS</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Publishing of the AWS Marketplace listing for GitLab Enterprise Edition Premium version 15.11.4 was delayed, but is now available.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Coordinated Security Release: 15.11.3, 15.10.7, 15.9.8 2023-05-10T00:00:00+00:00 Today we are releasing versions 15.11.3, 15.10.7, 15.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE). This is a coordinated security release, aligning with a disclosure date provided by Git.</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are three types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), ad-hoc security releases for critical vulnerabilities, as well as coordinated security releases. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Smuggling code changes via merge requests with refs/replace</a></td> Medium</td> </tr> </tbody> </table> Smuggling code changes via merge requests with refs/replace</h2> An issue has been discovered in GitLab affecting all versions before 15.9.8, 15.10.0 before 15.10.7, and 15.11.0 before 15.11.3. A malicious developer could use a git feature called refs/replace to smuggle content into a merge request which would not be visible during review in the UI. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N</code>, 6.3 Medium). It is now mitigated in the latest release and is assigned CVE-2023-2181</a>.</p> Thanks inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non-security patches</h2> This security release also includes the following non-security patches.</p> Into 15.11.3:</p> Restrict bigint cleanup migrations to GitLab.com only</a></li> Revert migration squash that breaks 15.11</a></li> [15.11] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> Fix custom template import permission</a></li> [15.11] Fix for the rebase merge request state being shown incorrectly</a></li> Back with UNSTRUCTURED_RAILS_LOG environment variable</a></li> Fix issue description keeping autosave after save</a></li> </ul> Into 15.10.7:</p> [15.10] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> Fix custom template import permission</a></li> [15.10] Fix for the rebase merge request state being shown incorrectly</a></li> </ul> Into 15.9.8:</p> [15.9] ci: Fix omnibus trigger target branch for MR targeting stable branches</a></li> [15.9] Fix for the rebase merge request state being shown incorrectly</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Critical Security Release: 15.11.2, 15.10.6, and 15.9.7 2023-05-05T00:00:00+00:00 Today we are releasing versions 15.11.2, 15.10.6, and 15.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Malicious Runner Attachment via GraphQL</a></td> critical</td> </tr> </tbody> </table> Malicious Runner Attachment via GraphQL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.9.7, all versions starting from 15.10 before 15.10.6, all versions starting from 15.11 before 15.11.2. Under certain conditions, any GitLab user account on the instance may use a GraphQL endpoint to attach a malicious runner to any project on the instance. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned CVE-2023-2478</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 15.10.6</h3> Backport IP enforcement FF to 15.10</a></li> Bundle libarchive in the package</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Security Release: 15.11.1, 15.10.5, and 15.9.6 2023-05-02T00:00:00+00:00 Today we are releasing versions 15.11.1, 15.10.5, and 15.9.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Privilege escalation for external users when OIDC is enabled under certain conditions</a></td> medium</td> </tr> Account takeover through open redirect for Group SAML accounts</a></td> medium</td> </tr> Users on banned IP addresses can still commit to projects</a></td> medium</td> </tr> User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables</a></td> medium</td> </tr> The GitLab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.</a></td> medium</td> </tr> Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.</a></td> medium</td> </tr> The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.</a></td> medium</td> </tr> XSS and content injection and iframe injection when viewing raw files under specific circumstances</a></td> medium</td> </tr> Authenticated users can find other users by their private email</a></td> low</td> </tr> </tbody> </table> Privilege escalation for external users when OIDC is enabled under certain conditions</h2> An issue has been discovered in GitLab EE affecting all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions when OpenID Connect is enabled on an instance, it may allow users who are marked as 'external' to become 'regular' users thus leading to privilege escalation for those users. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2023-2182</a>.</p> This vulnerability was reported to us by a customer.</p> Account takeover through open redirect for Group SAML accounts</h2> An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2023-1965</a>.</p> If you are seeing an unexpected redirect after sign in through SAML, ensure the RelayState</code> setting</a> on the identity provider side is set to a valid URL.</p> Thanks bull</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Users on banned IP addresses can still commit to projects</h2> An issue has been discovered in GitLab EE affecting all versions starting from 12.0 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to commit to projects even from a restricted IP address. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-1621</a>.</p> User with developer role (group) can modify Protected branches setting on imported project and leak group CI/CD variables</h2> An issue has been discovered in GitLab affecting all versions starting from 10.0 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. A user with the role of developer could use the import project feature to leak CI/CD variables. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2023-2069</a>.</p> Thanks js_noob</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Fix for this issue was to restrict imports to users with Maintainer and above role</a>. That however affected usage of custom project templates, on group and instance levels</a> as well, and Developers are no longer able to create projects from custom templates. We are working on the fix, that will allow users with Developer role to create projects from templates again, and will release a patch with this fix to GitLab versions 15.11.1, 15.10.5.</p> The GitLab web interface does not guarantee file integrity when downloading source code or installation packages from a tag or from a release.</h2> An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-1178</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Banned group member continues to have access to the public projects of a public group with the access level as same as before the ban.</h2> An issue has been discovered in GitLab EE affecting all versions starting from 15.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. A malicious group member may continue to have access to the public projects of a public group even after being banned from the public group by the owner. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2023-0805</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> The main branch of a repository with a specially designed name allows an attacker to create repositories with malicious code.</h2> An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious code, victims who clone or download these repositories will execute arbitrary code on their systems. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-0756</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> XSS and content injection and iframe injection when viewing raw files under specific circumstances</h2> A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-1836</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Authenticated users can find other users by their private email</h2> An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Under certain conditions, an attacker may be able to map a private email of a GitLab user to their GitLab account on an instance. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-4376</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to versions 7.9.1 and 7.9.2 in order to mitigate security issues.</p> Patch OpenSSL</h2> A patch has been applied to mitigate CVE-2023-0464 in GitLab Omnibus.</p> Patch Grafana</h2> A patch has been applied to mitigate CVE-2023-1410 in GitLab Omnibus.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> 15.11.1</h3> 15.11: Fix Web IDE Beta icons not loading in Safari</a></li> Move approved filter behind mr_approved_filter</code> feature flag</a></li> Fix search cron worker when indexing is disabled</a></li> </ul> 15.10.5</h3> Use proxied_site for geo proxied clone urls</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.11 released with Code Suggestions 2023-04-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.11 with Code Suggestions</a>, project compliance frameworks report management at the group level</a>, re-running downstream pipeline trigger jobs</a>, vulnerability dismissal reasons</a>, and much more!</p> These are just a few highlights from the 110+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 180 contributions they provided to GitLab 15.11! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 16.0 release kickoff video.</p> GitLab Patch Release: 15.10.4, 15.9.5 2023-04-21T00:00:00+00:00 Today we are releasing versions 15.10.4, 15.9.5 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.10.4</h3> [15.10] Patch mail gem to handle TLS settings properly</a></li> Use primary ssh_url_to_repo for geo proxied ssh clone url</a></li> </ul> 15.9.5</h3> [15.9] Fix automatically-retried jobs stuck in pending state</a></li> [15.9 Backport] Fix suggested_reviewers runs when rails is disabled</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.7.9 2023-04-20T00:00:00+00:00 Today we are releasing version 15.7.9 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix automatically-retried jobs stuck in pending state</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.8.6 2023-04-19T00:00:00+00:00 Today we are releasing version 15.8.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> [15.8] Fix automatically-retried jobs stuck in pending state</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.10.3 2023-04-14T00:00:00+00:00 Today we are releasing versions 15.10.3 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.10.3</h3> Change the order of vulnerability creation</a></li> Resolve ambiguous references for archive metadata (backport)</a></li> Verify deploy keys settings for protected tags (backport)</a></li> Backport Broadcast messages fix for firefox dates and relative root url</a></li> [15.10] Fix automatically-retried jobs stuck in pending state</a></li> [15.10 Backport] Fix suggested_reviewers runs when rails is disabled</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.10.2 2023-04-05T00:00:00+00:00 Today we are releasing versions 15.10.2 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs.</p> GitLab Community Edition and Enterprise Edition</h2> 15.10.2</h3> Update mail gem to v2.8.1</a></li> Add sync_name check to Gitlab::Auth::Ldap::Access</a></li> Backport Admin role fix to 15.10</a></li> Fix openapi viewer for relative url instances</a></li> Migrate RedisHLL keys to default slot</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.10.1, 15.9.4, and 15.8.5 2023-03-30T00:00:00+00:00 Today we are releasing versions 15.10.1, 15.9.4, and 15.8.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Cross-site scripting in "Maximum page reached" page</a></td> medium</td> </tr> Private project guests can read new changes using a fork</a></td> medium</td> </tr> Mirror repository error reveals password in Settings UI</a></td> medium</td> </tr> DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint</a></td> medium</td> </tr> Unauthenticated users can view Environment names from public projects limited to project members only</a></td> medium</td> </tr> Copying information to the clipboard could lead to the execution of unexpected commands</a></td> medium</td> </tr> Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL</a></td> medium</td> </tr> Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release</a></td> medium</td> </tr> Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown</a></td> medium</td> </tr> MR for security reports are available to everyone</a></td> medium</td> </tr> API timeout when searching for group issues</a></td> medium</td> </tr> Unauthorised user can add child epics linked to victim's epic in an unrelated group</a></td> medium</td> </tr> GitLab search allows to leak internal notes</a></td> medium</td> </tr> Ambiguous branch name exploitation in GitLab</a></td> low</td> </tr> Improper permissions checks for moving an issue</a></td> low</td> </tr> Private project branches names can be leaked through a fork</a></td> low</td> </tr> </tbody> </table> Cross-site scripting in "Maximum page reached" page</h2> An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A specially crafted payload could lead to a reflected XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims on self-hosted instances running without strict CSP. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1)). It is now mitigated in the latest release and is assigned CVE-2022-3513</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Private project guests can read new changes using a fork</h2> An issue has been discovered in GitLab affecting all versions starting from 13.11 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible that a project member demoted to a user role could read project updates by doing a diff with a pre-existing fork. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-0485</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Mirror repository error reveals password in Settings UI</h2> An information disclosure vulnerability has been discovered in GitLab EE/CE affecting all versions starting from 11.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 will allow an admin to leak password from repository mirror configuration. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-1098</a>.</p> Thanks tennox_</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DOS and high resource consumption of Prometheus server through abuse of Prometheus integration proxy endpoint</h2> A denial of service condition exists in the Prometheus server bundled with GitLab affecting all versions from 11.10 to 15.8.5, 15.9 to 15.9.4 and 15.10 to 15.10.1. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-1733</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthenticated users can view Environment names from public projects limited to project members only</h2> An issue has been discovered in GitLab affecting all versions starting from 13.6 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1, allowing reading of environment names supposed to be restricted to project members only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2023-0319</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Copying information to the clipboard could lead to the execution of unexpected commands</h2> An issue was identified in GitLab CE/EE affecting all versions from 1.0 prior to 15.8.5, 15.9 prior to 15.9.4, and 15.10 prior to 15.10.1 where non-printable characters are copied from clipboard, allowing unexpected commands to be executed on the victim machine. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2023-1708</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak masked webhook secrets by adding a new parameter to the webhook URL</h2> An issue has been discovered in GitLab affecting versions starting from 15.1 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. A maintainer could modify a webhook URL to leak masked webhook secrets by adding a new parameter to the url. This addresses an incomplete fix for CVE-2022-4342. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-0838</a>.</p> Thanks 0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary HTML injection possible when :soft_email_confirmation feature flag is enabled in the latest release</h2> An issue has been discovered in GitLab affecting all versions starting from 15.6 before 15.8.5, 15.9 before 15.9.4, and 15.10 before 15.10.1. On certain instances, a stored XSS was possible via a malicious email address, which only affected the admins when they tried to impersonate the account with the malicious payload. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-0523</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Framing of arbitrary content (leading to open redirects) on any page allowing user controlled markdown</h2> An issue has been discovered in GitLab affecting all versions starting from all versions starting from 15.7 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to iframe arbitrary origins in the browser via specially crafted markdown on any page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2023-0155</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> MR for security reports are available to everyone</h2> Improper authorization in GitLab EE affecting all versions from 12.3.0 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1 allows an unauthorized access to security reports in merge requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-1167</a>.</p> This vulnerability has been discovered internally by GitLab team member @minac</a>.</p> API timeout when searching for group issues</h2> An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. A search timeout could be triggered if a specific HTML payload was used in the issue description. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1787</a>.</p> This vulnerability has been discovered internally by a GitLab team member.</p> Unauthorised user can add child epics linked to victim's epic in an unrelated group</h2> An issue has been discovered in GitLab affecting all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible for an unauthorised user to add child epics linked to a victim's epic in an unrelated group. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1417</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> GitLab search allows to leak internal notes</h2> A sensitive information disclosure vulnerability in GitLab affecting all versions from 15.0 prior to 15.8.5, 15.9 prior to 15.9.4 and 15.10 prior to 15.10.1 allows an attacker to view the count of internal notes for a given issue. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-1710</a></p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Ambiguous branch name exploitation in GitLab</h2> An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible to add a branch with an ambiguous name that could be used to social engineer users. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-0450</a>.</p> Thanks inspector-ambitious</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper permissions checks for moving an issue</h2> An issue has been discovered in GitLab affecting all versions from 15.5 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. Due to improper permissions checks it was possible for an unauthorised user to remove an issue from an epic. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-1071</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Private project branches names can be leaked through a fork</h2> An issue has been discovered in GitLab affecting all versions starting from 11.10 before 15.8.5, all versions starting from 15.9 before 15.9.4, all versions starting from 15.10 before 15.10.1. It was possible to disclose the branch names when an attacker has a fork of a project that was switched to private. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-3375</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to versions 7.7.3 and 7.8.2 in order to mitigate security issues.</p> Update curl</h2> Curl has been updated to version 8.0.1 in order to mitigate security issues.</p> Update redis</h2> Redis has been updated to version 6.2.11 in order to mitigate security issues.</p> Update OpenSSL</h2> OpenSSL has been updated to version 'OpenSSL_1_1_1t' in order to mitigate security issues.</p> Non Security Patches</h2> This security release also includes the following non-security patches.</p> Into 15.10.1</h3> Cherry pick "Use the ubi packaged libedit-devel" to 15-10-stable</a></li> Don't autofocus comment field with content editor</a></li> Sync security policy rule schedules that may have been deleted by bug</a></li> Fix issue dashboard returning issues from archived projects</a></li> </ul> Into 15.9.4</h3> Resolve "Duplicate todo is created for already mentioned user"</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.10 released with improved SAST finding resolution 2023-03-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.10 with the ability to automatically resolve SAST findings when rules are disabled</a>, a new view to see all branch-related settings together</a>, the ability to create and switch branches in the Web IDE Beta</a>, compliance frameworks reports</a>, and much more!</p> These are just a few highlights from the 115+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 170+ contributions they provided to GitLab 15.10! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.11 release kickoff video.</p> GitLab Patch Release: 15.9.3 2023-03-09T00:00:00+00:00 Today we are releasing version 15.9.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Removing markdown checklist task feature flag</a></li> Add group merge checks settings document</a></li> Fix object deletion not working with Azure Blob Storage</a></li> Note that Kerberos headers are needed to build GitLab shell now</a></li> Fix BackfillUserDetailsFields migration finalization</a></li> Guard against dropped columns when finalizing user details migration</a></li> Enable Geo::RepositoryRegistrySyncWorker on Geo secondary site</a></li> Docs for marking a batched BG migration finished</a></li> Fix foreign_key_exists? migration helper</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.9.2, 15.8.4, and 15.7.8 2023-03-02T00:00:00+00:00 Today we are releasing versions 15.9.2, 15.8.4, and 15.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored XSS via Kroki diagram</a></td> high</td> </tr> Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings</a></td> medium</td> </tr> Improper validation of SSO and SCIM tokens while managing groups</a></td> medium</td> </tr> Maintainer can leak Datadog API key by changing Datadog site</a></td> medium</td> </tr> Clipboard based XSS in the title field of work items</a></td> medium</td> </tr> Improper user right checks for personal snippets</a></td> medium</td> </tr> Release Description visible in public projects despite release set as project members only</a></td> medium</td> </tr> Group integration settings sensitive information exposed to project maintainers</a></td> medium</td> </tr> Improve pagination limits for commits</a></td> medium</td> </tr> Gitlab Open Redirect Vulnerability</a></td> medium</td> </tr> Maintainer may become an Owner of a project</a></td> low</td> </tr> </tbody> </table> Stored XSS via Kroki diagram</h2> An issue has been discovered in GitLab affecting all versions starting from 13.7 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A specially crafted Kroki diagram could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-0050</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Prometheus integration Google IAP details are not hidden, may leak account details from instance/group/project settings</h2> An issue has been discovered in GitLab affecting all versions starting from 15.3 before 15.7.8, versions of 15.8 before 15.8.4, and version 15.9 before 15.9.2. Google IAP details in Prometheus integration were not hidden, could be leaked from instance, group, or project settings to other users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-4289</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper validation of SSO and SCIM tokens while managing groups</h2> An issue has been discovered in GitLab EE affecting all versions starting from 15.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. If a group with SAML SSO enabled is transferred to a new namespace as a child group, it's possible previously removed malicious maintainer or owner of the child group can still gain access to the group via SSO or a SCIM token to perform actions on the group. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2022-4331</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak Datadog API key by changing Datadog site</h2> An issue has been discovered in GitLab affecting all versions starting from 12.1 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible for a project maintainer to extract a Datadog integration API key by modifying the site. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2023-0483</a>.</p> Thanks akadrian</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Clipboard based XSS in the title field of work items</h2> A issue has been discovered in GitLab CE/EE affecting all versions from 15.3 prior to 15.7.8, version 15.8 prior to 15.8.4, and version 15.9 prior to 15.9.2 A cross-site scripting vulnerability was found in the title field of work items that allowed attackers to perform arbitrary actions on behalf of victims at client side. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-4007</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper user right checks for personal snippets</h2> An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Due to improper permissions checks an unauthorised user was able to read, add or edit a users private snippet. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-3758</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Release Description visible in public projects despite release set as project members only</h2> An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. Non-project members could retrieve release descriptions via the API, even if the release visibility is restricted to project members only in the project settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-0223</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group integration settings sensitive information exposed to project maintainers</h2> An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. This vulnerability could allow a user to unmask the Discord Webhook URL through viewing the raw API response. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2022-4462</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Improve pagination limits for commits</h2> An issue has been discovered in GitLab affecting all versions starting from 9.0 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. It was possible to trigger a resource depletion attack due to improper filtering for number of requests to read commits details. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-1072</a>.</p> Thanks Nico Jones</a> for reporting this vulnerability.</p> Gitlab Open Redirect Vulnerability</h2> An issue has been discovered in GitLab affecting all versions starting from 10.0 to 15.7.8, 15.8 prior to 15.8.4 and 15.9 prior to 15.9.2. A crafted URL could be used to redirect users to arbitrary sites. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3381</a>.</p> Thanks burpheart</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer may become an Owner of a project</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions starting from 15.9 before 15.9.2. A malicious project Maintainer may create a Project Access Token with Owner level privileges using a crafted request. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2023-1084</a>.</p> Thanks @shubham_sohi</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update libksba</code></h2> libksba</code> and libksba_project</code> have been updated to version 1.6.3 to mitigate potential security issues.</p> Update gnupg</code></h2> gnupg</code> has been updated to 2.2.41 to mitigate potential security issues.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.9.1 2023-02-24T00:00:00+00:00 Today we are releasing version 15.9.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Resolve "Deprecate legacy praefect config structure in Omnibus"</a></li> Fix dependency check in license approval policies</a></li> Fix LDAP config sync_name</code> problem</a></li> Document rate limit for Direct transfer</a></li> Missaligned ref-selector dropdown button on search page status bar</a></li> Fix Broadcast messages not showing in admin console</a></li> Bump omniauth_openid_connect to v0.6.1</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 15.9 released with new guest roles for viewing private repositories and license approval policies 2023-02-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.9 with guest roles viewing private repositories</a>, license approval policies</a> and license compliance scanner</a>, notifications in the GitLab for Slack app</a>, code suggestions in closed beta</a> and much more!</p> These are just a few highlights from the 105+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 410+ contributions they provided to GitLab 15.9! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.10 release kickoff video.</p> GitLab Critical Security Release: 15.8.2, 15.7.7 and 15.6.8 2023-02-14T00:00:00+00:00 Today we are releasing versions 15.8.2, 15.7.7, and 15.6.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Security issues in Git</a></td> Critical</td> </tr> </tbody> </table> Security issues in Git</h2> This release addresses the security issues CVE-2023-23946</a> and CVE-2023-22490</a> in Git</a>.</p> These vulnerabilities affect all previous versions of GitLab.</p> The details of these vulnerabilities are as follows:</p> CVE-2023-23946</h3> A user can feed a specially crafted input to git apply</code> to overwrite a path outside the working tree.</p> This can be used to execute arbitrary commands in GitLab installations within GitLab's Gitaly environment.</p> Credit for finding CVE-2023-23946 goes to Joern Schneeweisz of GitLab.</p> CVE-2023-22490</h3> Using a specially-crafted repository, Git can be tricked into using its local clone optimization even when using a non-local transport. Though Git will abort local clones whose source $GIT_DIR/objects directory contains symbolic links (c.f., CVE-2022-39253), the objects directory itself may still be a symbolic link.</p> These two may be combined to include arbitrary files based on known paths on the victim's filesystem within the malicious repository's working copy, allowing for data exfiltration in a similar manner as CVE-2022-39253.</p> Credit for finding CVE-2023-22490 goes to yvvdwf.</p> Update Python</h2> Python has been updated to version 3.9.16 in order to mitigate security issues.</p> Versions affected</h3> Affects all GitLab Omnibus versions from 14.1 to 15.6.7, all 15.7 versions before 15.7.7, and all 15.8 versions before 15.8.2.</p> Non-security patches</h2> This security release also includes the following non-security patches.</p> Into 15.8.2:</p> Fix false positives for approved by insufficient users violation</a></li> gitaly: Remove readiness check</a></li> </ul> Into 15.7.7:</p> GitLab Version Check - Add feature flag</a></li> gitaly: Remove readiness check</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.8.3 2023-02-14T00:00:00+00:00 Today we are releasing version 15.8.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Deprecate backup upload using Openstack Swift and Rackspace APIs</a></li> Note about Openstack and Rackspace API removal</a></li> Updating nav and top level</a></li> Update feature flag status of GitHub gists feature</a></li> What's New post for 15.8</a></li> Add version note to email feature</a></li> Revert changes on wiki replication/verification legacy code</a></li> Handle client disconnects better in workhorse</a></li> Attempt reading schema file instead of a file named #{report_version}</code></a></li> Upgrade Alert - Add proper API support</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.8.1, 15.7.6, and 15.6.7 2023-01-31T00:00:00+00:00 Today we are releasing versions 15.8.1, 15.7.6, and 15.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Denial of Service via arbitrarily large Issue descriptions</a></td> medium</td> </tr> CSRF via file upload allows an attacker to take over a repository.</a></td> medium</td> </tr> Sidekiq background job DoS by uploading malicious CI job artifact zips</a></td> medium</td> </tr> Sidekiq background job DoS by uploading a malicious Helm package</a></td> medium</td> </tr> </tbody> </table> Denial of Service via arbitrarily large Issue descriptions</h2> A lack of length validation in GitLab CE/EE affecting all versions from 12.4 before 15.6.7, 15.7 before 15.7.6, and 15.8 before 15.8.1 allows an authenticated attacker to create a large Issue description via GraphQL which, when repeatedly requested, saturates CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3411</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> CSRF via file upload allows an attacker to take over a repository.</h2> A Cross Site Request Forgery issue has been discovered in GitLab CE/EE affecting all versions before 15.6.7, all versions starting from 15.7 before 15.7.6, and all versions starting from 15.8 before 15.8.1. An attacker could take over a project if an Owner or Maintainer uploads a file to a malicious project. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-4138</a>.</p> Thanks st4nly0n</a> and joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Sidekiq background job DoS by uploading malicious CI job artifact zips</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. An attacker may upload a crafted CI job artifact zip file in a project that uses dynamic child pipelines and make a sidekiq job allocate a lot of memory. In GitLab instances where Sidekiq is memory-limited, this may cause Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3759</a>.</p> Thanks luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Sidekiq background job DoS by uploading a malicious Helm package</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.0 before 15.6.7, all versions starting from 15.7 before 15.7.6, all versions starting from 15.8 before 15.8.1. It was possible to trigger a DoS attack by uploading a malicious Helm chart. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0518</a>.</p> Thanks luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to versions 7.5.2, 7.4.1, and 7.1.5 in order to mitigate security issues.</p> Versions affected</h3> Affects versions 15.6 and 15.7 of GitLab Omnibus. GitLab 15.8 already included Mattermost 7.5.2.</p> Non-security patches</h2> This security release also includes the following non-security patches.</p> Into 15.6.7:</p> Ensure Workhorse is built with FIPS for CNG</a></li> Grab gitlab-logger archives from the new project location</a></li> Ensure Workhorse is built in FIPS mode for Omnibus</a></li> Doc: FIPS, update omnibus language</a></li> Only refresh indexes that exist</a></li> Clear DuplicateJobs cookies from post-deployment migration</a></li> Upgrade GitLab logger to v2.3.0</a></li> </ul> Into 15.7.6:</p> Geo - Remove parameter validation for registry notification request</a></li> </ul> Into 15.8.1:</p> Fix command in print-release-contents job</a></li> Fix resource_parent in FOSS instances</a></li> Geo - Remove parameter validation for registry notification request</a></li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.8 released with external status checks and self-managed SCIM 2023-01-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.8 with block merges unless external status checks pass</a>, SCIM support for self-managed GitLab</a>, view estimated queuing for runners in the admin area</a>, migrate GitLab projects by direct transfer beta</a>, and much more!</p> These are just a few highlights from the 35+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 85+ contributions they provided to GitLab 15.8! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.9 release kickoff video.</p> GitLab Critical Security Release: 15.7.5, 15.6.6, and 15.5.9 2023-01-17T00:00:00+00:00 Today we are releasing versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com and GitLab Dedicated are already running the patched version.</p> UPDATE (2023-01-20): In addition, we have released GitLab Runner versions 15.8.0, 15.7.3, 15.6.3, and 15.5.2. These images contain updates to the Docker helper images</a> to address the Git vulnerabilities.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Critical security issues in Git</a></td> Critical</td> </tr> </tbody> </table> Critical security issues in Git</h2> This release addresses the security issues CVE-2022-41903</a> and CVE-2022-23521</a> in Git</a>.</p> These vulnerabilities affect all previous versions of GitLab.</p> The details of these vulnerabilities are as follows:</p> CVE-2022-41903</h3> The git-log</code> command has the ability to display commits using an arbitrary format with its --format</code> specifiers. This functionality is also exposed to git-archive</code> via the export-subst</code> gitattribute.</p> When processing the padding operators (e.g., %<(</code>, %<|(</code>, %>(</code>, %>>(</code>, or %><( )</code>, an integer overflow can occur in pretty.c::format_and_pad_commit()</code> where a size_t</code> is improperly stored as an int</code>, and then added as an offset to a subsequent memcpy()</code> call.</p> This overflow can be triggered directly by a user running a command which invokes the commit formatting machinery (e.g., git log --format=...</code>). It may also be triggered indirectly through git-archive</code> via the export-subst</code> mechanism, which expands format specifiers inside of files within the repository during a git archive.</p> This integer overflow can result in arbitrary heap writes, which may result in remote code execution.</p> Credit for finding CVE-2022-41903 goes to Joern Schneeweisz of GitLab.</p> CVE-2022-23521</h3> gitattributes are a mechanism to allow defining attributes for paths. These attributes can be defined by adding a .gitattributes</code> file to the repository, which contains a set of file patterns and the attributes that should be set for paths matching this pattern.</p> When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, a huge number of attributes for a single pattern, or when the declared attribute names are huge.</p> These overflows can be triggered via a crafted .gitattributes</code> file that may be part of the commit history. Git silently splits lines longer than 2KB when parsing gitattributes from a file, but not when parsing them from the index. Consequentially, the failure mode depends on whether the file exists in the working tree, the index or both.</p> This integer overflow can result in arbitrary heap reads and writes, which may result in remote code execution.</p> Credit for finding CVE-2022-23521 goes to Markus Vervier and Eric Sesterhenn of X41 D-Sec.</p> Updating</h2> To update GitLab, see the Update page</a>.</p> Note: GitLab releases have skipped 15.7.4, 15.6.5, and 15.5.8. There are no patches with these version numbers.</p> To update Gitlab Runner, see the Updating the Runner page</a>. These security releases update Git on the helper images, which are used by the Docker and Kubernetes executors. If you are using a shell executor, you will need to update Git on your operating system.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.7.3 2023-01-11T00:00:00+00:00 Today we are releasing version 15.7.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Update GitHub for cancelling GitHub project import</a></li> Geo: Container Repository push events don't work</a></li> Enforce memory-watchdog by default</a></li> Reset Container Repository Sync status on secondary</a></li> Ensure Elasticsearch index is clean before wildcard test</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.7.2, 15.6.4, and 15.5.7 2023-01-09T00:00:00+00:00 Today we are releasing versions 15.7.2, 15.6.4, and 15.5.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Race condition on gitlab.com enables verified email forgery & third-party account hijacking</a></td> medium</td> </tr> DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint</a></td> medium</td> </tr> Maintainer can leak sentry token by changing the configured URL</a></td> medium</td> </tr> Maintainer can leak masked webhook secrets by changing target URL of the webhook</a></td> medium</td> </tr> Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP</a></td> medium</td> </tr> Group access tokens continue to work after owner loses ability to revoke them</a></td> medium</td> </tr> Users' avatar disclosure by user ID in private GitLab instances</a></td> medium</td> </tr> Arbitrary Protocol Redirection in GitLab Pages</a></td> medium</td> </tr> ReDoS due to device-detector parsing user agents</a></td> medium</td> </tr> Regex DOS in the Submodule Url Parser</a></td> medium</td> </tr> </tbody> </table> Race condition on gitlab.com enables verified email forgery & third-party account hijacking</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A race condition can lead to verified email forgery and takeover of third-party accounts when using GitLab as an OAuth provider. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-4037</a>.</p> Thanks to an anonymous researcher for reporting this vulnerability through our HackerOne bug bounty program.</p> DOS and high resource consumption of Prometheus server through abuse of Grafana integration proxy endpoint</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A crafted Prometheus Server query can cause high resource consumption and may lead to Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2022-3613</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak sentry token by changing the configured URL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak the sentry token by changing the configured URL in the Sentry error tracking settings page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-4365</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak masked webhook secrets by changing target URL of the webhook</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.1 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. A malicious Maintainer can leak masked webhook secrets by changing target URL of the webhook. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-4342</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Cross-site scripting in wiki changes page affecting self-hosted instances running without strict CSP</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. Due to the improper filtering of query parameters in the wiki changes page, an attacker can execute arbitrary JavaScript on the self-hosted instances running without strict CSP. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-3573</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group access tokens continue to work after owner loses ability to revoke them</h2> Incorrect Authorization check affecting all versions of GitLab EE from 13.11 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2 allows group access tokens to continue working even after the group owner loses the ability to revoke them. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-4167</a>.</p> This vulnerability was reported to us by a customer.</p> Users' avatar disclosure by user ID in private GitLab instances</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.0 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. GitLab allows unauthenticated users to download user avatars using the victim's user ID, on private instances that restrict public level visibility. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3870</a>.</p> Thanks nocasis</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary Protocol Redirection in GitLab Pages</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.4 prior to 15.5.7, 15.6 prior to 15.6.4, and 15.7 prior to 15.7.2. GitLab Pages allows redirection to arbitrary protocols. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-0042</a>.</p> This vulnerability has been discovered internally by a GitLab team member, Joern Schneeweisz.</p> Regex DoS due to device-detector parsing user agents</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in how the application parses user agents. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-4131</a>.</p> Thanks afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regex DoS in the Submodule Url Parser</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 6.6 before 15.5.7, all versions starting from 15.6 before 15.6.4, all versions starting from 15.7 before 15.7.2. An attacker may cause Denial of Service on a GitLab instance by exploiting a regex issue in the submodule URL parser. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3514</a>.</p> Thanks mokusou</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been updated to version 7.3.1 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.4 and 15.5.</p> Update Python</h2> Python has been updated to version 3.8.16 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.5, 15.6 and 15.7.</p> Update Logrotate</h2> Logrotate has been updated to version 3.20.1 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.5, 15.6 and 15.7.</p> Update Redis</h2> Redis has been updated to version 6.2.8 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.7.1 2023-01-05T00:00:00+00:00 Today we are releasing version 15.7.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix flaky CI builds count metric test</a></li> Update dependency proxy details in Geo data types table</a></li> Remove vulnerability state migration</a></li> Workaround a segfault due to array GC bug</a></li> Relax FIPS constraints on PyPi packages</a></li> Update curl to 7.87.0</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 15.7 released introducing the GitLab CLI and with browser-based DAST GA 2022-12-22T00:00:00+00:00 We are excited to announce the release of GitLab 15.7, which introduces the new GitLab CLI</a>, general availability of browser-based DAST</a>, support for GitOps deployments from outside the default branch</a>, and much more!</p> These are just a few highlights from the 70+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 190+ contributions they provided to GitLab 15.7! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.8 release kickoff video.</p> GitLab Patch Release: 15.6.3 2022-12-16T00:00:00+00:00 Today we are releasing version 15.6.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add global.image.tagSuffix</code> as a helm values option</a></li> Makefile: Upgrade Git to v2.35.4.gl1 and v2.37.4.gl1</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.5.6 2022-12-08T00:00:00+00:00 Today we are releasing version 15.5.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 15.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Gitaly: Fix migration of gitconfig with subsections</a></li> Conditionally enable FIPS auto-detection</a></li> Remove resource_group usage for package releases</a></li> Bump Container Registry to v3.60.1-gitlab</a></li> Fix flaky PostgreSQL builds</a></li> Revert refactor #98971</a></li> Revert Sidekiq default routing rules</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.6.2 2022-12-02T00:00:00+00:00 Today we are releasing version 15.6.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add docs for work item description</a></li> Fix deleting protected branch</a></li> Fix release number for internal notes</a></li> Doc: Remove stray comma in /link example</a></li> Potential fix for flaky spec in resolve discussions spec</a></li> Update GitLab Migration doc about projects migration on .com</a></li> Fix memory limit for RssMemoryLimit monitor</a></li> feat: This updates labkit to version 0.29.0</a></li> Hide marketing-related entries</a></li> Finalize group member namespace id migration</a></li> Revert refactor #98971</a></li> Conditionally disable fastupdate on GIN indexes (issues, merge_requests)</a></li> Consolidate database cleaner code for migrations</a></li> Potential fix for flaky user_edit_profile_spec.rb</a></li> gitaly: Fix migration of gitconfig with subsections</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.6.1, 15.5.5 and 15.4.6 2022-11-30T00:00:00+00:00 Today we are releasing versions 15.6.1, 15.5.5 and 15.4.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> DAST API scanner exposes Authorization headers in vulnerabilities</a></td> medium</td> </tr> Group IP allow-list not fully respected by the Package Registry</a></td> medium</td> </tr> Deploy keys and tokens may bypass External Authorization service if it is enabled</a></td> medium</td> </tr> HTML content injection in README file</a></td> medium</td> </tr> Repository import still allows to import 40 hexadecimal branches</a></td> medium</td> </tr> Webhook secret tokens leaked in webhook logs</a></td> medium</td> </tr> Maintainer can leak webhook secret token by changing the webhook URL</a></td> medium</td> </tr> Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP</a></td> medium</td> </tr> Release names visible in public projects despite release set as project members only</a></td> medium</td> </tr> Sidekiq background job DoS by uploading malicious NuGet packages</a></td> medium</td> </tr> Email ID leaked through Webhook payloads</a></td> medium</td> </tr> Blind SSRF in repository mirroring using DNS rebinding</a></td> medium</td> </tr> SSRF in Web Terminal advertise_address</a></td> low</td> </tr> </tbody> </table> DAST API scanner exposes Authorization headers in vulnerabilities</h2> A sensitive information leak issue has been discovered in all versions of DAST API scanner from 1.6.50 prior to 2.0.102, exposing the Authorization header in the vulnerability report. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release of DAST API scanner and is assigned CVE-2022-4206</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Group IP allow-list not fully respected by the Package Registry</h2> An issue has been discovered in GitLab affecting all versions starting from 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3820</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Deploy keys and tokens may bypass External Authorization service if it is enabled</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. A group owner may be able to bypass External Authorization check, if it is enabled, to access git repositories and package registries by using Deploy tokens or Deploy keys. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3740</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Repository import still allows to import 40 hexadecimal branches</h2> In GitLab EE/CE before 15.6.1, 15.5.5 and 15.4.6 using a branch with a hexadecimal name could override an existing hash. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L</code>, 6.3). It is now mitigated in the latest release and is assigned CVE-2022-4205</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> HTML content injection in README file</h2> An issue has been discovered in GitLab EE affecting all versions starting from 15.6 before 15.6.1. It was possible to create a malicious README page due to improper neutralisation of user supplied input. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2022-4092</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Webhook secret tokens leaked in webhook logs</h2> An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to unmask webhook secret tokens by reviewing the logs after testing webhooks. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-3902</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak webhook secret token by changing the webhook URL</h2> An issue has been discovered in GitLab affecting all versions starting from 9.3 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible for a project maintainer to leak a webhook secret token by changing the webhook URL to an endpoint that allows them to capture request headers. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-4054</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Cross-site scripting in Jira Integration affecting self-hosted instances without strict CSP</h2> A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions from 13.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the Jira Connect integration which could lead to a reflected XSS that allowed attackers to perform arbitrary actions on behalf of victims. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-3572</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Release names visible in public projects despite release set as project members only</h2> An improper access control issue in GitLab CE/EE affecting all versions from 11.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allowed an unauthorized user to see release names even when releases were set to be restricted to project members only. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3482</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Email ID leaked through Webhook payloads</h2> An info leak issue was identified in all versions of GitLab EE from 13.7 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which exposes user email id through webhook payload. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-4255</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Sidekiq background job DoS by uploading malicious NuGet packages</h2> An issue has been discovered in GitLab affecting all versions starting from 12.8 before 15.4.6, all versions starting from 15.5 before 15.5.5, all versions starting from 15.6 before 15.6.1. It was possible to trigger a DoS attack by uploading a malicious NuGet package. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3478</a>.</p> Thanks luryus</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Blind SSRF in repository mirroring using DNS rebinding</h2> A blind SSRF vulnerability was identified in all versions of GitLab EE prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 which allows an attacker to connect to a local host. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-4335</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> SSRF in Web Terminal advertise_address</h2> A blind SSRF in GitLab CE/EE affecting all from 11.3 prior to 15.4.6, 15.5 prior to 15.5.5, and 15.6 prior to 15.6.1 allows an attacker to connect to local addresses when configuring a malicious GitLab Runner. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-4201</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update xmlsoft/libxml2</h2> xmlsoft/libxml2 has been updated to version 2.10.3 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus from 13.6.6.</p> Update haxx/curl</h2> haxx/curl has been updated to version 7.86.0 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.4 and 15.6.</p> Update ruby</h2> ruby has been updated to version 2.7.6 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus and GitLab Chart.</p> Update ncurses</h2> ncurses has been updated to version 6.3-20220416 to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Update zlib</h2> zlib has been updated to version 1.2.13 to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus prior to 15.7.</p> Update rsync</h2> rsync has been updated to version 3.2.6 to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.3, 15.4, and 15.5.</p> Update PostgreSQL</h2> PostgreSQL has been updated to versions 12.12 and 13.8 to mitigate security issues. By default Omnibus automatically restarts PostgreSQL</a> after the update. However, if automatic restart is disabled manual restarts would be required.</p> Versions affected</h3> Affects all versions of GitLab Omnibus 15.3, 15.4, and 15.5.</p> Backport fix for Gitaly NTP request issue</h2> A non-security issue in Gitaly is being backported to this release. Customers that rely on public NTP services such as pool.ntp.org</code> are at risk of receiving rate limited responses due to increased NTP request volume. Every readiness check results in each Praefect node making a request to the configured NTP service. Failed NTP responses result in failed readiness check. If a NTP service is not specified pool.ntp.org</code> is used as the default. Deployments that rely on healthy readiness checks can experience outages. Issue Link: Gitaly 15.4.3 spams NTP requests</a>.</p> Backport fix for Watchdog RssMemoryLimit monitor</h2> A non-security issue in Puma is being backported to this release. This affects self-managed instances that uses PumaWorkerKiller. PumaWorkerKiller is disabled by default on Gitlab.com and self-managed instances using helm charts. This means that gitlab.com is not affected. It is enabled by default for omnibus installations and installations from source. Issue Link: Convert memory_limit to bytes for RssMemoryLimit</a>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>. To update DAST API scanner, self-managed customers that are using our built-in DAST CI template after 15.0 can get the latest release from registry.gitlab.com. If using the always pull policy the update will occur automatically. GitLab.com is already running the updated DAST scanner.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.6 released with improvements to security policies, CI/CD variables, and DAST API 2022-11-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.6 with Git abuse rate limiting</a>, Support for special characters in CI/CD variables</a>, group and subgroup-level scan result policies</a>, DAST API analyzer for on-demand DAST API scans</a> and much more!</p> These are just a few highlights from the 30+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 200+ contributions they provided to GitLab 15.6! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.7 release kickoff video.</p> GitLab Patch Release: 15.5.4 2022-11-14T00:00:00+00:00 Today we are releasing version 15.5.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add Hashie::Array to allowed YAML serialization classes</a></li> Allow links to be opened from Swagger UI documentations</a></li> Revert Sidekiq default routing rules</a> </li> </ul> Important notes on upgrading</h2> GitLab 15.4.0 introduced a default Sidekiq routing rule</a> that routes all jobs to the default</code> queue. For instances using queue selectors</a>, this will cause performance problems</a> as some Sidekiq processes will be idle.</p> The default routing rule has been reverted in this release (15.5.4), so upgrading to this version or later will return to the previous behavior.</li> If a GitLab instance now listens only to the default</code> queue (which is not currently recommended), it will be required to add this routing rule back in gitlab.rb</code>:</p> sidekiq</span>[</span>'routing_rules'</span>]</span> =</span> [[</span>''</span>,</span> 'default'</span>]]</span> </code></pre></div> </li> </ol> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.4.5 2022-11-14T00:00:00+00:00 Today we are releasing version 15.4.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in September's 15.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> gitlab-base: set /tmp sticky, RH bug 2138434 [15.4]</a></li> CI: UBI: cleanup artifacts after completion of tarball [15.4]</a></li> Revert Sidekiq default routing rules</a></li> Gitaly: add config.toml back, as mock template</a> </li> </ul> Important notes on upgrading</h2> GitLab 15.4.0 introduced a default Sidekiq routing rule</a> that routes all jobs to the default</code> queue. For instances using queue selectors</a>, this will cause performance problems</a> as some Sidekiq processes will be idle.</p> The default routing rule has been reverted in this release (15.4.5), so upgrading to this version or later will return to the previous behavior.</li> If a GitLab instance now listens only to the default</code> queue (which is not currently recommended), it will be required to add this routing rule back in gitlab.rb</code>:</p> sidekiq</span>[</span>'routing_rules'</span>]</span> =</span> [[</span>''</span>,</span> 'default'</span>]]</span> </code></pre></div> </li> </ol> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.5.3 2022-11-08T00:00:00+00:00 Today we are releasing version 15.5.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Mentioned FF in WI iteration docs</a></li> Fix Opensearch compatibility check</a></li> Add support to AWS encryption with KMS key + S3 endpoint URL</a></li> gitlab-base: set /tmp sticky, RH bug 2138434</a></li> Container Registry: Return 404 Not Found when the metadata DB is not enabled</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.5.2, 15.4.4, and 15.3.5 2022-11-02T00:00:00+00:00 Today we are releasing versions 15.5.2, 15.4.4, and 15.3.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> DAST analyzer sends custom request headers with every request</a></td> high</td> </tr> Stored-XSS with CSP-bypass via scoped labels' color</a></td> high</td> </tr> Maintainer can leak Datadog API key by changing integration URL</a></td> medium</td> </tr> Uncontrolled resource consumption when parsing URLs</a></td> medium</td> </tr> Issue HTTP requests when users view an OpenAPI document and click buttons</a></td> medium</td> </tr> Command injection in CI jobs via branch name in CI pipelines</a></td> medium</td> </tr> Open redirection</a></td> medium</td> </tr> Prefill variables do not check permission of the project in external CI config</a></td> medium</td> </tr> Disclosure of audit events to insufficiently permissioned group and project members</a></td> medium</td> </tr> Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</a></td> medium</td> </tr> Award emojis API for an internal note is accessible to users without access to the note</a></td> low</td> </tr> Open redirect in pipeline artifacts when generating HTML documents</a></td> low</td> </tr> Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</a></td> low</td> </tr> Project-level Secure Files can be written out of the target directory</a></td> low</td> </tr> </tbody> </table> DAST analyzer sends custom request headers with every request</h2> Missing validation in DAST analyzer affecting all versions from 1.11.0 prior to 3.0.32, allows custom request headers to be sent with every request, regardless of the host. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2022-3767</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Stored-XSS with CSP-bypass via scoped labels' color</h2> A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2. It was possible to exploit a vulnerability in setting the labels colour feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-3265</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak Datadog API key by changing integration URL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 15.3.5, all versions starting from 15.4 before 15.4.4, all versions starting from 15.5 before 15.5.2. A malicious maintainer could exfiltrate a Datadog integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-3483</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Uncontrolled resource consumption when parsing URLs</h2> An uncontrolled resource consumption issue when parsing URLs in GitLab CE/EE affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to cause performance issues and potentially a denial of service on the GitLab instance. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3818</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Issue HTTP requests when users view an OpenAPI document and click buttons</h2> Lack of sand-boxing of OpenAPI documents in GitLab CE/EE affecting all versions from 12.6 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick a user to click on the Swagger OpenAPI viewer and issue HTTP requests that affect the victim's account. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2022-3726</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Command injection in CI jobs via branch name in CI pipelines</h2> Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2022-2251</a>.</p> Thanks stanlyoncm</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Open redirection</h2> An open redirect vulnerability in GitLab EE/CE affecting all versions from 9.3 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allows an attacker to redirect users to an arbitrary location if they trust the URL. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). It is now mitigated in the latest release and is assigned CVE-2022-3486</a>.</p> Thanks ryotak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Prefill variables do not check permission of the project in external CI config</h2> An improper authorization issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to read variables set directly in a GitLab CI/CD configuration file they don't have access to. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3793</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Disclosure of audit events to insufficiently permissioned group and project members</h2> Incorrect authorization during display of Audit Events in GitLab EE affecting all versions from 14.5 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2, allowed Developers to view the project's Audit Events and Developers or Maintainers to view the group's Audit Events. These should have been restricted to Project Maintainers, Group Owners, and above. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3413</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Arbitrary GFM references rendered in Jira issue description leak private/confidential resources</h2> An information disclosure issue in GitLab CE/EE affecting all versions from 14.4 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to use GitLab Flavored Markdown (GFM) references in a Jira issue to disclose the names of resources they don't have access to. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2761</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Award emojis API for an internal note is accessible to users without access to the note</h2> An improper authorization issue in GitLab CE/EE affecting all versions from 15.0 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a malicious users to set emojis on internal notes they don't have access to. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3819</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Open redirect in pipeline artifacts when generating HTML documents</h2> An open redirect in GitLab CE/EE affecting all versions from 10.1 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows an attacker to trick users into visiting a trustworthy URL and being redirected to arbitrary content. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3280</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Retrying a job in a downstream pipeline allows the retrying user to take ownership of the retried jobs in upstream pipelines</h2> Improper authorization in GitLab CE/EE affecting all versions from 7.14 prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user retrying a job in a downstream pipeline to take ownership of the retried jobs in the upstream pipeline even if the user doesn't have access to that project. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-3706</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Project-level Secure Files can be written out of the target directory</h2> Secure Files named in a specific way could traverse outside of the target directory in the CI job. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). Only GitLab.com was affected as this feature is not yet enabled on self-managed instances and the patch has been deployed in production.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update openssl</h2> The version of openssl has been updated to 3.0.2-0ubuntu1.7</a> in order to mitigate security concerns.</p> Versions affected</h1> Affects all versions of GitLab Dynamic Application Security Testing (DAST) Analyzer prior to 3.0.32.</p> Update curl</h2> The version of curl has been updated to 7.85.0 in order to mitigate security concerns.</p> Versions affected</h1> Affects all versions of GitLab Omnibus.</p> Update pcre2</h2> The version of pcre2 has been updated to 10.40 in order to mitigate security concerns.</p> Versions affected</h1> Affects all versions of GitLab Omnibus.</p> Non-security fixes</h2> 15.5.0 upgrade on CentOS 8 Stream in FIPS mode fails</a>: Backported to 15.5.</li> Ohai fails to build trying to find unavailable version of the dependency chef-utils</a>: Backported to 15.4 and 15.3.</li> </ul> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> To update DAST scanner, self-managed customers that are using our built-in DAST CI template after 15.0 can get the latest release from registry.gitlab.com</code>. If using the always pull policy</a> the update will occur automatically. GitLab.com is already running the updated DAST scanner.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 15.5.1 2022-10-24T00:00:00+00:00 Today we are releasing version 15.5.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Docs: Remove deprecated SAST analyzers</a></li> Remove git target from gitaly rake job</a></li> Add Ubuntu 22.04 to the supported OS list</a></li> Add intended use for health status into docs</a></li> Specify certificates when connecting to KAS using TLS</a></li> Batch records when preloading for indexing</a></li> Install chef-config 17.10.19 before installing Ohai</a></li> Fix fail-fast job when there are migrations present</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 15.5 released with GitLab Cloud Seed and Autocomplete suggestions 2022-10-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.5 with GitLab Cloud Seed</a>, Autocomplete suggestions in the Content Editor</a>, Error Tracking Open Beta</a>, Operational Container Scanning</a> and much more!</p> These are just a few highlights from the 50+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 153 contributions they provided to GitLab 15.5! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month's release, check out our Upcoming Releases page</a>, which includes our 15.6 release kickoff video.</p> GitLab Patch Release: 15.4.3 2022-10-19T00:00:00+00:00 Today we are releasing version 15.4.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Restore caching for License.current logic</a></li> Fix closing of external issues</a></li> Gitaly: add config.toml back, as mock template</a></li> Fix REST/GRAPHQL APIs handling TODOs WorkItem target</a></li> Sign in: use custom logo again</a></li> Sign in: use custom logo again</a></li> Gitaly: add config.toml back, as mock template</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.4.2 2022-10-03T00:00:00+00:00 Today we are releasing version 15.4.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Docs for Suggested Reviewers</a></li> Feat(doc): docs on Gitaly GPG signing</a></li> Update work item tasks user docs</a></li> Add What's New for 15.4</a></li> Ensure that stage name and record are in sync for page deployments</a></li> Gitaly: remove config.toml, unneeded, problematic.</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.4.1, 15.3.4, and 15.2.5 2022-09-29T00:00:00+00:00 Today we are releasing versions 15.4.1, 15.3.4, and 15.2.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Denial of Service via cloning an issue</a></td> high</td> </tr> Arbitrary PUT request as victim user through Sentry error list</a></td> high</td> </tr> Content injection via External Status Checks</a></td> high</td> </tr> Project maintainers can access Datadog API Key from logs</a></td> medium</td> </tr> Unsafe serialization of Json data could lead to sensitive data leakage</a></td> medium</td> </tr> Import bug allows importing of private local git repos</a></td> medium</td> </tr> Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)</a></td> medium</td> </tr> Unauthorized users able to create issues in any project</a></td> medium</td> </tr> Bypass group IP restriction on Dependency Proxy</a></td> medium</td> </tr> Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system</a></td> medium</td> </tr> Disclosure of Todo details to guest users</a></td> medium</td> </tr> A user's primary email may be disclosed through group member events webhooks</a></td> medium</td> </tr> Content manipulation due to branch/tag name confusion with the default branch name</a></td> low</td> </tr> Leakage of email addresses in WebHook logs</a></td> low</td> </tr> Specially crafted output makes job logs inaccessible</a></td> low</td> </tr> </tbody> </table> Denial of Service via cloning an issue</h2> A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 While cloning an issue with special crafted content added to the description could have been used to trigger high CPU usage. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code> 7.5). It is now mitigated in the latest release and is assigned CVE-2022-3283</a>.</p> Thanks legit-security</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary PUT request as victim user through Sentry error list</h2> Improper control of a resource identifier in Error Tracking in GitLab CE/EE affecting all versions from 12.7 allows an authenticated attacker to generate content which could cause a victim to make unintended arbitrary requests. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-3060</a>.</p> Thanks @joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Content injection via External Status Checks</h2> A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 It was possible to exploit a vulnerability in the external status checks feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-2904</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Project maintainers can access Datadog API Key from logs</h2> An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 9.3 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1 allows a project maintainer to access the DataDog integration API key from webhook logs. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2022-3018</a></p> This vulnerability has been discovered internally by the GitLab team.</p> Unsafe serialization of Json data could lead to sensitive data leakage</h2> Serialization of sensitive data in GitLab EE affecting all versions from 14.9 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 can leak sensitive information via cache. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3291</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Import bug allows importing of private local git repos</h2> An issue has been discovered in the Import functionality of GitLab CE/EE affecting all versions starting from 14.4 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an authenticated user to read arbitrary projects' content given the project's ID. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3067</a></p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can leak Github access tokens by changing integration URL (even after 15.2.1 patch)</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2022-2882</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized users able to create issues in any project</h2> An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. It was possible for an unauthorised user to create issues in a project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-3066</a></p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypass group IP restriction on Dependency Proxy</h2> Lack of IP address checking in GitLab EE affecting all versions from 14.2 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows a group member to bypass IP restrictions when using a deploy token. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3286</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Healthcheck endpoint allow list can be bypassed when accessed over HTTP in an HTTPS enabled system</h2> Bypass of healthcheck endpoint allow list affecting all versions from 12.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an unauthorized attacker to prevent access to GitLab. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-3285</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Disclosure of Todo details to guest users</h2> It was possible for a guest user to read a todo targeting an inaccessible note in Gitlab CE/EE affecting all versions from 15.0 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3330</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> A user's primary email may be disclosed through group member events webhooks</h2> An issue has been discovered in GitLab EE affecting all versions starting from 13.7 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A user's primary email may be disclosed to an attacker through group member events webhooks. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-3351</a>.</p> Thanks @joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Content manipulation due to branch/tag name confusion with the default branch name</h2> A branch/tag name confusion in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to manipulate pages where the content of the default branch would be expected. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3288</a></p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Leakage of email addresses in WebHook logs</h2> Email addresses were leaked in WebHook logs in GitLab EE affecting all versions from 9.3 prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3293</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Specially crafted output makes job logs inaccessible</h2> An unhandled exception in job log parsing in GitLab CE/EE affecting all versions prior to 15.2.5, 15.3 prior to 15.3.4, and 15.4 prior to 15.4.1 allows an attacker to prevent access to job logs. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-3279</a></p> Thanks exem_pt</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Enforce editing approval rules on project level</h2> Improper access control in the GitLab CE/EE API affecting all versions starting from 12.8 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. Allowed for editing the approval rules via the API by an unauthorised user. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-3325</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update Grafana</h2> Grafana has been patched in order to mitigate "CVE-2022-31107 - Grafana account takeover via OAuth vulnerability".</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Update Mattermost</h2> Mattermost has been updated to version 7.1.3 in order to mitigate security issues.</p> Versions affected</h3> Affects all versions of GitLab CE/EE.</p> Backport fix for Geo LFS issue</h2> A non-security issue in Geo LFS is being backported to our 15.2.5</code> release: "Geo: invalid lfs object deletion on secondary when managed object replication is disabled"</a>.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.4 released with Suggested Reviewers and better VS Code CI/CD experience 2022-09-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.4 with GitLab's first machine learning powered feature: Suggested Reviewers open beta</a>, improved CI/CD integration in VS Code</a>, Pages Pipeline Wizard</a>, email validation bypass for verified domains</a> and much more!</p> These are just a few highlights from the 60+ improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 186 contributions they provided to GitLab 15.4! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.5 release kickoff video.</p> GitLab Patch Release: 15.3.3 2022-09-05T00:00:00+00:00 Today we are releasing version 15.3.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Change Tasks documentation to describe the widget experience</a></li> Changed POST API saml_group_links to accept acccess_level as integer</a></li> Add documentation for dormant user period</a></li> Fix user recent activity links for work item actions</a></li> Fix flaky SSH remote mirror spec</a></li> Revert "Merge branch 'tor/feature/interrupt-leaving-pending-review' into 'master'"</a></li> Add Whats New for 15.3</a></li> Bypass earliest date validation in importing of iteration cadences</a></li> Improve blame link feature</a></li> Remove the GIT_CLONE_PATH variable</a></li> Updating image urls to indicate release</a></li> Improve error message when omnibus_gitconfig is not set properly</a></li> Geo: Fix redirects of LFS transfer downloads</a></li> Geo: Do not delete object stored files when not GitLab managed</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 15.3.2, 15.2.4 and 15.1.6 2022-08-30T00:00:00+00:00 Today we are releasing versions 15.3.2, 15.2.4 and 15.1.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for August.</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Remote Command Execution via GitHub import</a></td> critical</td> </tr> Stored XSS via labels color</a></td> high</td> </tr> Content injection via Incidents Timeline description</a></td> high</td> </tr> Denial of Service via Issue preview</a></td> high</td> </tr> Lack of length validation in Snippets leads to Denial of Service</a></td> medium</td> </tr> Group IP allow-list not fully respected by the Package Registry</a></td> medium</td> </tr> Abusing Gitaly.GetTreeEntries calls leads to denial of service</a></td> medium</td> </tr> Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags</a></td> medium</td> </tr> Read repository content via LivePreview feature</a></td> medium</td> </tr> Regular Expression Denial of Service via special crafted input</a></td> medium</td> </tr> Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events</a></td> medium</td> </tr> Denial of Service via the Create branch API</a></td> medium</td> </tr> Brute force attack may guess a password even when 2FA is enabled</a></td> low</td> </tr> IDOR in Zentao integration leaked issue details</a></td> low</td> </tr> </tbody> </table> Remote Command Execution via GitHub import</h2> A vulnerability in GitLab CE/EE affecting all versions from 11.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. allows an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2022-2992</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS via labels color</h2> A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to exploit a vulnerability in setting the labels color feature which could lead to a stored XSS that allowed attackers to perform arbitrary actions on behalf of victims at client side. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-2865</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Content injection via Incidents Timeline description</h2> An issue has been discovered in GitLab affecting all versions starting from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2022-2527</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Lack of length validation in Snippets leads to Denial of Service</h2> A lack of length validation in Snippet descriptions in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allows an authenticated attacker to create a maliciously large Snippet which when requested with or without authentication places excessive load on the server, potentially leading to Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-2592</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group IP allow-list not fully respected by the Package Registry</h2> An issue has been discovered in GitLab affecting all versions starting from 12.10 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab was not performing correct authentication with some Package Registries when IP address restrictions were configured, allowing an attacker already in possession of a valid Deploy Token to misuse it from any location. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-2533</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Abusing Gitaly.GetTreeEntries calls leads to denial of service</h2> A business logic issue in the handling of large repositories in all versions of GitLab CE/EE from 10.0 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an authenticated and authorized user to exhaust server resources by importing a malicious project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-2455</a>.</p> Thanks 0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Arbitrary HTTP Requests Possible in .ipynb Notebook with Malicious Form Tags</h2> A crafted tag in the Jupyter Notebook viewer in GitLab EE/CE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allows an attacker to issue arbitrary HTTP requests. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-2428</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Read repository content via LivePreview feature</h2> An issue has been discovered in GitLab CE/EE affecting all versions from 10.8 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It was possible to read repository content by an unauthorised user if a project member used a crafted link. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 5.7). It is now mitigated in the latest release and is assigned CVE-2022-2907</a>.</p> Thanks niraeth</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular Expression Denial of Service via special crafted input</h2> A potential DoS vulnerability was discovered in Gitlab CE/EE versions starting from 10.7 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2 allowed an attacker to trigger high CPU usage via a special crafted input added in the Commit message field. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2908</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Information Disclosure via Arbitrary GFM references rendered in Incident Timeline Events</h2> An improper access control issue in GitLab CE/EE affecting all versions starting from 15.2 before 15.2.4, all versions from 15.3 before 15.3.2 allows disclosure of confidential information via the Incident timeline events. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2630</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of Service via the Create branch API</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Improper data handling on branch creation could have been used to trigger high CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-3639</a>.</p> Thanks elise</a> for reporting this vulnerability.</p> Denial of Service via Issue preview</h2> A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. Malformed content added to the issue description could have been used to trigger high CPU usage. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2022-2931</a>.</p> Thanks legit-security</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IDOR in Zentao integration leaked issue details</h2> An issue has been discovered in GitLab EE affecting all versions starting from 14.5 before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. GitLab's Zentao integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak project issues. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-3331</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Brute force attack may guess a password even when 2FA is enabled</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.1.6, all versions starting from 15.2 before 15.2.4, all versions starting from 15.3 before 15.3.2. It may be possible for an attacker to guess a user's password by brute force by sending crafted requests to a specific endpoint, even if the victim user has 2FA enabled on their account. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2022-3031</a>.</p> This vulnerability was reported to us by a customer.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5 2022-08-22T00:00:00+00:00 Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Remote Command Execution via Github import</a></td> Critical</td> </tr> </tbody> </table> Remote Command Execution via Github import</h2> A vulnerability in GitLab CE/EE affecting all versions starting from 11.3.4 before 15.1.5, all versions starting from 15.2 before 15.2.3, all versions starting from 15.3 before 15.3.1 allows an an authenticated user to achieve remote code execution via the Import from GitHub API endpoint. This is a Critical severity issue (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2022-2884</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Workarounds</h3> If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using the workaround outlined below until you have time to upgrade.</p> Disable GitHub import</h4> Login using an administrator account to your GitLab installation and perform the following:</p> Click "Menu" -> "Admin".</li> Click "Settings" -> "General".</li> Expand the "Visibility and access controls" tab.</li> Under "Import sources" disable the "GitHub" option.</li> Click "Save changes".</li> </ol> Verifying the workaround</h3> In a browser window, login as any user.</li> Click "+" on the top bar.</li> Click "New project/repository".</li> Click "Import project".</li> Verify that "GitHub" does not appear as an import option.</li> </ol> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.3 released with tasks for managing your work and free GitOps features 2022-08-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.3 with tasks in issues</a>, free GitOps features</a>, SAML group link API maintenance</a>, advanced password complexity requirements</a>, and much more!</p> These are just a few highlights from the 63 improvements in this release. Read on to check out all of the great updates below.</p> We thank the wider GitLab community for the 348 contributions they provided to GitLab 15.3! At GitLab, everyone can contribute and we couldn't have done it without you!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.4 release kickoff video.</p> GitLab Patch Release: 15.2.2 2022-08-01T00:00:00+00:00 Today we are releasing version 15.2.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add password complexity doc again</a></li> Use CREATE OR REPLACE FUNCTION</code> to define vulnerability reads triggers</a></li> Fixes CI/CD settings error when Secure Files feature flag is disabled</a></li> Resolve "Illegal instruction in json.rb after upgrade to 15.2.0-ce"</a></li> Fix ES client for nil password</a></li> Fix RescheduleBackfillImportedIssueSearchData migration</a></li> Fix CI artifact sizes not logged for some runner endpoints</a></li> Gracefully handle nil created_at values in CI pipelines</a></li> Upgrade Oj to v3.13.19 to fix a seg fault</a></li> Gracefully handle blank CPU information</a></li> Add security mirrors of GitLab projects</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 15.2.1, 15.1.4, and 15.0.5 2022-07-28T00:00:00+00:00 Today we are releasing versions 15.2.1, 15.1.4, and 15.0.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Breaking change</h2> In July 2019 we fixed a vulnerability related to very large CI/CD configuration files and the ci_yaml_limit_size</code> feature flag was introduced as a way to disable the patch, if needed. We are now removing that feature flag as well, to remove the possibility of disabling the patch.</p> You are not affected by this change if the feature flag was not manually disabled. You can refer to our documentation</a> for instructions on how to check the state of a feature flag.</p> If you've disabled this feature flag and like to maintain the existing behavior and avoid a breaking change, you can refer to our documentation</a> for instructions on how to configure the size of your CI/CD configuration file from the rails console.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Maintainer can leak Packagist and other integration access tokens by changing integration URL</a></td> high</td> </tr> Revoke access to confidential notes todos</a></td> medium</td> </tr> Pipeline subscriptions trigger new pipelines with the wrong author</a></td> medium</td> </tr> Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email</a></td> medium</td> </tr> Import via git protocol allows to bypass checks on repository</a></td> medium</td> </tr> Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages</a></td> medium</td> </tr> Unauthenticated access to victims Grafana datasources through path traversal</a></td> medium</td> </tr> Unauthorized users can filter issues by contact and organization</a></td> medium</td> </tr> Malicious Maintainer may change the visibility of project or a group</a></td> medium</td> </tr> Stored XSS in job error messages</a></td> medium</td> </tr> Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant</a></td> medium</td> </tr> Non project members can view public project's Deploy Keys</a></td> medium</td> </tr> IDOR in project with Jira integration leaks project owner's other projects Jira issues</a></td> low</td> </tr> Group Bot Users and Tokens not deleted after group deletion</a></td> low</td> </tr> Email invited members can join projects even after the member lock has been enabled</a></td> low</td> </tr> Datadog integration returns user emails</a></td> low</td> </tr> </tbody> </table> Maintainer can leak Packagist and other integration access tokens by changing integration URL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A malicious maintainer could exfiltrate an integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 8.5). It is now mitigated in the latest release and is assigned CVE-2022-2497</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Revoke access to confidential notes todos</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. Membership changes are not reflected in TODO for confidential notes, allowing a former project members to read updates via TODOs. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-2512</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Pipeline subscriptions trigger new pipelines with the wrong author</h2> An issue in pipeline subscriptions in GitLab EE affecting all versions starting from 12.8 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 triggered new pipelines with the person who created the tag as the pipeline creator instead of the subscription's author. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-2498</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Ability to gain access to private project through an email invite by using other user's email address as an unverified secondary email</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible to gain access to a private project through an email invite by using other user's email address as an unverified secondary email. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 6.4). It is now mitigated in the latest release and is assigned CVE-2022-2326</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Import via git protocol allows to bypass checks on repository</h2> Insufficient validation in GitLab CE/EE affecting all versions starting from 12.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows an authenticated and authorised user to import a project that includes branch names which are 40 hexadecimal characters, which could be abused in supply chain attacks where a victim pinned to a specific Git commit of the project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N</code>, 6.2). It is now mitigated in the latest release and is assigned CVE-2022-2417</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Unauthenticated IP allowlist bypass when accessing job artifacts through GitLab Pages</h2> An improper access control issue in GitLab EE affecting all versions starting from 12.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows an attacker to bypass IP allow-listing and download artifacts. This attack only bypasses IP allow-listing, proper permissions are still required. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2022-2501</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthenticated access to victims Grafana datasources through path traversal</h2> An issue has been discovered in GitLab EE affecting all versions starting from 12.5 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was not performing correct authentication on Grafana API under specific conditions allowing unauthenticated users to perform queries through a path traversal vulnerability. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-2531</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized users can filter issues by contact and organization</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.6 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1, allowed a project member to filter issues by contact and organization. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-2539</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Malicious Maintainer may change the visibility of project or a group</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for malicious group or project maintainers to change their corresponding group or project visibility by crafting a malicious POST request. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2022-2456</a>.</p> Thanks suruli</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS in job error messages</h2> A cross-site scripting issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. A stored XSS flaw in job error messages allows attackers to perform arbitrary actions on behalf of victims at client side. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2022-2500</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Enforced group MFA can be bypassed when using Resource Owner Password Credentials grant</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2303</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Non project members can view public project's Deploy Keys</h2> An improper access control check in GitLab CE/EE affecting all versions starting from 13.7 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious authenticated user to view a public project's Deploy Key's public fingerprint and name when that key has write permission. Note that GitLab never asks for nor stores the private key. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2095</a>.</p> Thanks jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IDOR in project with Jira integration leaks project owner's other projects Jira issues</h2> An issue has been discovered in GitLab EE affecting all versions starting from 13.10 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab's Jira integration has an insecure direct object reference vulnerability that may be exploited by an attacker to leak Jira issues. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-2499</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group Bot Users and Tokens not deleted after group deletion</h2> A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-2307</a>.</p> This vulnerability has been discovered by the JiHu team.</p> Email invited members can join projects even after the member lock has been enabled</h2> An issue has been discovered in GitLab EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for email invited members to join a project even after the Group Owner has enabled the setting to prevent members from being added to projects in a group, if the invite was sent before the setting was enabled. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-2459</a>.</p> Thanks justas_b</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Datadog integration returns user emails</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 9.3 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. GitLab was returning contributor emails due to improper data handling in the Datadog integration. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.2). It is now mitigated in the latest release and is assigned CVE-2022-2534</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update bzip2</h2> The version of bzip2 has been updated to 1.0.8 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Update exiftool</h2> The version of exiftool has been updated to 12.42 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.2 released with live wiki diagram previews and redesigned merge request reports 2022-07-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.2 with Live preview diagrams in the wiki WYSIWYG editor</a>, Incident timelines</a>, Group and subgroup scan execution policies</a>, Change failure rate chart for visualizing software stability</a>, and much more!</p> These are just a few highlights from the 40+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.3 release kickoff video.</p> GitLab Patch Release: 15.1.3 2022-07-19T00:00:00+00:00 Today we are releasing version 15.1.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add praefect list virtual storages subcommand documentation</a></li> Fix flaky feature specs for "user awards emoji"</a></li> Fix flaky repository settings spec</a></li> Fix group access dropdown failure if no subgroups are available</a></li> Fix worker processes not starting up due to 0 processes</a></li> Ensure Ruby platform is set globally for arm64 based operating systems</a></li> Adjust worker processes to use real CPUs instead of cores</a></li> Set force_ruby_platform to true locally for Gitaly and GitLab Rails</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.1.2 2022-07-04T00:00:00+00:00 Today we are releasing version 15.1.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Refactor add populate commit permission migration</a></li> Resolve "Gitlab doesn't detect the deployment pods after K8s cluster upgrade to v1.22"</a></li> Fix agent token modal</a></li> Geo Sites Form - Remove Beta Badge</a></li> Update gitaly_cgroups metric name in docs</a></li> Geo: Update object storage replication documentation for GA</a></li> Resolve "White screen of death on creating new project"</a></li> Add support for object storage bucket prefixes</a></li> Revert "Merge branch 'use-until_executed-for-ci-sync-events-workers' into 'master'"</a></li> Fix owner of public/uploads directory in UBI-8 Sidekiq image</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 15.1.1, 15.0.4, and 14.10.5 2022-06-30T00:00:00+00:00 Today we are releasing versions 15.1.1, 15.0.4, and 14.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for June</em>.</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Remote Command Execution via Project Imports</a></td> critical</td> </tr> XSS in ZenTao integration affecting self hosted instances without strict CSP</a></td> high</td> </tr> XSS in project settings page</a></td> high</td> </tr> Unallowed users can read unprotected CI variables</a></td> high</td> </tr> IP allow-list bypass to access Container Registries</a></td> medium</td> </tr> 2FA status is disclosed to unauthenticated users</a></td> medium</td> </tr> IDOR in sentry issues</a></td> medium</td> </tr> Reporters can manage issues in error tracking</a></td> medium</td> </tr> CI variables provided to runners outside of a group's restricted IP range</a></td> medium</td> </tr> Regular Expression Denial of Service via malicious web server responses</a></td> medium</td> </tr> Unauthorized read for conan repository</a></td> low</td> </tr> Open redirect vulnerability</a></td> low</td> </tr> Group labels are editable through subproject</a></td> low</td> </tr> Release titles visible for any users if group milestones are associated with any project releases</a></td> low</td> </tr> Restrict membership by email domain bypass</a></td> low</td> </tr> Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint</a></td> low</td> </tr> </tbody> </table> Remote Command Execution via Project Imports</h2> A critical issue has been discovered in GitLab affecting all versions starting from 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 where an authenticated user authorized to import projects could import a maliciously crafted project leading to remote code execution. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2022-2185</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> XSS in ZenTao integration affecting self hosted instances without strict CSP</h2> Insufficient sanitization in GitLab EE's external issue tracker affecting all versions from 14.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to perform cross-site scripting when a victim clicks on a maliciously crafted ZenTao link. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2022-2235</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> XSS in project settings page</h2> A Stored Cross-Site Scripting vulnerability in the project settings page in GitLab CE/EE affecting all versions from 14.4 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned CVE-2022-2230</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unallowed users can read unprotected CI variables</h2> An improper authorization issue in GitLab CE/EE affecting all versions from 13.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to extract the value of an unprotected variable they know the name of in public projects or private projects they're a member of. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2022-2229</a>.</p> Thanks shell3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IP allow-list bypass to access Container Registries</h2> Incorrect authorization in GitLab EE affecting all versions from 10.7 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allowed an attacker already in possession of a valid Deploy Key or a Deploy Token to misuse it from any location to access Container Registries even when IP address restrictions were configured. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1983</a>.</p> This issue was found internally by a member of the GitLab team.</p> 2FA status is disclosed to unauthenticated users</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab reveals if a user has enabled two-factor authentication on their account in the HTML source, to unauthenticated users. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-1963</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> CI variables provided to runners outside of a group's restricted IP range</h2> Information exposure in GitLab EE affecting all versions from 12.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker with the appropriate access tokens to obtain CI variables in a group with using IP-based access restrictions even if the GitLab Runner is calling from outside the allowed IP range. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-2228</a>.</p> This vulnerability has been discovered internally by the GitLab team</p> IDOR in sentry issues</h2> An access control vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows authenticated users to enumerate issues in non-linked sentry projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2022-2243</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Reporters can manage issues in error tracking</h2> An improper authorization vulnerability in GitLab EE/CE affecting all versions from 14.8 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows project memebers with reporter role to manage issues in project's error tracking feature. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-2244</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular Expression Denial of Service via malicious web server responses</h2> A Regular Expression Denial of Service vulnerability in GitLab CE/EE affecting all versions from 1.0.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows an attacker to make a GitLab instance inaccessible via specially crafted web server response headers. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1954</a>.</p> Thanks afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized read for conan repository</h2> An issue has been discovered in GitLab affecting all versions starting from 12.4 before 14.10.5, all versions starting from 15.0 before 15.0.4, all versions starting from 15.1 before 15.1.1. GitLab was leaking Conan packages names due to incorrect permissions verification. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-2270</a>.</p> Thanks fushbey</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Open redirect vulnerability</h2> An open redirect vulnerability in GitLab EE/CE affecting all versions from 11.1 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows redirect users to a malicious location. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). It is now mitigated in the latest release and is assigned CVE-2022-2250</a>.</p> Thanks stealthy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Group labels are editable through subproject</h2> An issue has been discovered in GitLab CE/EE affecting all versions from 8.13 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. Under certain conditions, using the REST API an unprivileged user was able to change labels description. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-1999</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Release titles visible for any users if group milestones are associated with any project releases</h2> An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2022-2281</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Restrict membership by email domain bypass</h2> An issue has been discovered in GitLab EE affecting all versions starting from 12.2 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1. In GitLab, if a group enables the setting to restrict access to users belonging to specific domains, that allow-list may be bypassed if a Maintainer uses the 'Invite a group' feature to invite a group that has members that don't comply with domain allow-list. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-1981</a>.</p> Thanks muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Job information is leaked to users who previously were maintainers via the Runner Jobs API endpoint</h2> Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a previous maintainer of a project with a specific runner to access job and project meta data under certain conditions. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-2227</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update rack</h2> The version of rack has been updated to 2.2.3.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.1 released with SAML Group Sync and SLSA level 2 build artifact attestation 2022-06-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.1 with SAML Group Sync</a>, SLSA level 2 build artifact attestation</a>, links to included CI/CD configuration</a>, enhanced visibility into value stream with DORA metrics</a>, and much more!</p> These are just a few highlights from the 30+ improvements in this release. Read on to check out all of the great updates below.</p> Join us on June 23rd as we celebrate DevOps! GitLab co-founder and CEO, Sid Sijbrandij, will introduce best-selling author and DORA co-founder, Gene Kim. Gene will share his research and expectations for the future of DevOps then GitLab VP of Product, David DeSanto, will share how GitLab is evolving The One DevOps Platform to meet that future. We'll also unveil a new program to support your career aspirations. You won't want to miss this one-hour virtual event. Reserve your seat</a> now!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.2 release kickoff video.</p> GitLab Patch Release: 15.0.3 2022-06-16T00:00:00+00:00 Today we are releasing version 15.0.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 15.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add GitLab agent image tag to install command</a></li> Resolve "Add documentation for Opensearch Indexing paused."</a></li> Disconnect alternates when unlinking from a repository pool</a></li> Add version information for new fields in members API</a></li> Upgrade to bundler v2.3.15</a></li> cgroups: Handle nil repo</a></li> catfile: Backport patches to fix leaking catfile processes</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 15.0.2 2022-06-06T00:00:00+00:00 Today we are releasing version 15.0.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 15.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Restore DS_ANALYZER_NAME for deprecated jobs</a></li> Hide internal note checkbox on unsupported issuable types</a></li> Fix drag and drop list item bugs</a></li> Move LFK scheduling out from EE check</a></li> Remove existing repository backups when creating a full backup</a></li> docs: Fix DS_DEFAULT_ANALYZERS variable docs</a></li> Fix copy in what's new entry</a></li> Fix focus for linked issues input field & IDE cursor</a></li> Fix issue description list item styling</a></li> Include inherited owners when calculating User#solo_owned_groups</a></li> Add event type in audit event streaming</a></li> Fix Service Ping payload hash key shadowing</a></li> Fix 500 on issues list page</a></li> Fix PG version mentioned for package upgrades</a></li> Fix Advanced Search Opensearch detection</a></li> Update auto-deploy-image to v2.28.2</a></li> Skip auto-restart of PG during reconfigure as part of pg-upgrade</a></li> UBI: fix gitlab-exporter artifact to include libpq</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 15.0.1, 14.10.4, and 14.9.5 2022-06-01T00:00:00+00:00 Today we are releasing versions 15.0.1, 14.10.4, and 14.9.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for May.</em></p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released approximately one week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Account take over via SCIM email change</a></td> critical</td> </tr> Stored XSS in Jira integration</a></td> high</td> </tr> Quick action commands susceptible to XSS</a></td> high</td> </tr> IP allowlist bypass when using Trigger tokens</a></td> medium</td> </tr> IP allowlist bypass when using Project Deploy Tokens</a></td> medium</td> </tr> Improper authorization in the Interactive Web Terminal</a></td> medium</td> </tr> Subgroup member can list members of parent group</a></td> medium</td> </tr> Group member lock bypass</a></td> low</td> </tr> </tbody> </table> Account take over via SCIM email change</h2> An account takeover issue has been discovered in GitLab EE affecting all versions starting from 11.10 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. When group SAML SSO is configured, the SCIM feature (available only on Premium+ subscriptions) may allow any owner of a Premium group to invite arbitrary users through their username and email, then change those users' email addresses via SCIM to an attacker controlled email address and thus - in the absence of 2FA - take over those accounts. It is also possible for the attacker to change the display name and username of the targeted account. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2022-1680</a>.</p> This vulnerability was discovered internally by a member of the GitLab team.</p> Self-managed administrators can check whether group_saml</code> is enabled by reviewing "Configuring Group SAML on a self-managed GitLab instance"</a>.</p> Stored XSS in Jira integration</h2> A Stored Cross-Site Scripting vulnerability in Jira integration in GitLab EE affecting all versions from 13.11 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows an attacker to execute arbitrary JavaScript code in GitLab on a victim's behalf via specially crafted Jira Issues. This is a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2022-1940</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Quick action commands susceptible to XSS</h2> An issue has been discovered in GitLab affecting all versions starting from 15.0 before 15.0.1. Missing validation of input used in quick actions allowed an attacker to exploit XSS by injecting HTML in contact details. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2022-1948</a>.</p> Thanks cryptopone</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IP allowlist bypass when using Trigger tokens</h2> Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Trigger Token to misuse it from any location even when IP address restrictions were configured. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1935</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> IP allowlist bypass when using Project Deploy Tokens</h2> Incorrect authorization in GitLab EE affecting all versions from 12.0 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1 allowed an attacker already in possession of a valid Project Deploy Token to misuse it from any location even when IP address restrictions were configured. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1936</a>.</p> This was reported by a customer through our Responsible Vulnerability Disclosure process.</p> Improper authorization in the Interactive Web Terminal</h2> When the feature is configured, improper authorization in the Interactive Web Terminal in GitLab CE/EE affecting all versions from 11.3 prior to 14.9.5, 14.10 prior to 14.10.4, and 15.0 prior to 15.0.1 allows users with the Developer role to open terminals on other Developers' running jobs. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-1944</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Subgroup member can list members of parent group</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.8 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for a subgroup member to access the members list of their parent group. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1821</a>.</p> This vulnerability was discovered internally by a member of the GitLab team.</p> Group member lock bypass</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 14.3 before 14.9.5, all versions starting from 14.10 before 14.10.4, all versions starting from 15.0 before 15.0.1. It may be possible for malicious group maintainers to add new members to a project within their group, through the REST API, even after their group owner enabled a setting to prevent members from being added to projects within that group. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2022-1783</a>.</p> Thanks salh4ckr</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> The version of Mattermost has been updated to 6.6.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus prior to 15.0.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 15.0 released with WYSIWYG for Wiki, container scanning in all tiers 2022-05-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 15.0 with container scanning in all tiers</a>, internal notes</a>, better links to external organizations and contacts</a>, and much more!</p> These are just a few highlights from the 40+ improvements in this release. Read on to check out all of the great updates below.</p> Along with these exciting new features, there are a few breaking changes in 15.0</a>.</p> Want to learn more about where we're headed from Product leadership? Register now for the GitLab 15 launch event</a>!</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.1 release kickoff video.</p> GitLab Patch Release: 14.10.3 2022-05-16T00:00:00+00:00 Today we are releasing version 14.10.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.10 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Resolve "Batched background migrations - Add steal method"</a></li> Add upgrade note from the 14.10 Release Post</a></li> Add Git SSH / Shell limits</a></li> Fix assignee filtering on group/project issues list</a></li> Fix gin index detection on routes table</a></li> Fix gin index detection on background_migration/project_namespaces</a></li> Remove Geo database settings only if some services are enabled</a></li> Add object storage configuration key deprecations</a></li> Add option to disable separated caches</a></li> </ul> Important notes on upgrading</h2> For multi-node deployments, this version should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.10.2 2022-05-05T00:00:00+00:00 Today we are releasing version 14.10.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.10 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fixes HTML browsing for CI artifacts</a></li> Update CI job artifacts verification status</a></li> What's New 14.10</a></li> Fix mappings errors for ES6.8</a></li> Fix: unexpected escaped HTML tag</a></li> doc: Extend Gitaly /tmp workaround to cover Git execution path</a></li> Add documentation for mr settings audit events part 1</a></li> Fix a broken image link in 14.10 What's New</a></li> Clarify cluster deletion behavior in APIs</a></li> Resolve "Fork relationship is not respected for certain projects"</a></li> Add documentation for pending migration in 14.9</a></li> Update deprecations for 15.0</a></li> Fix deprecation of gitlab_rails keys</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.10.1, 14.9.4, and 14.8.6 2022-05-02T00:00:00+00:00 Today we are releasing versions 14.10.1, 14.9.4, and 14.8.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Improper access control in CI/CD cache mechanism</a></td> high</td> </tr> ReDoS on CI Editor and CI Pipeline detail pages</a></td> medium</td> </tr> User with developer role (group) can modify Protected branches -> Allowed to merge setting on imported project</a></td> medium</td> </tr> Maintainer can execute scheduled CI pipeline as another user</a></td> medium</td> </tr> Missing input masking on sensitive integration properties</a></td> medium</td> </tr> API discloses issue titles of limited projects</a></td> medium</td> </tr> Confidential notes disclosure</a></td> medium</td> </tr> Improper rack-attack discriminator for authenticated_packages_api</code> with a deploy token</a></td> medium</td> </tr> Improper access control in Project Members-only Wiki</a></td> medium</td> </tr> Guest project member can access trace log of jobs when it is enabled</a></td> medium</td> </tr> HTML and CSS injection in pipeline error messages</a></td> medium</td> </tr> Forging GET Requests through and Denying Service of Simple PyPi API Endpoint</a></td> medium</td> </tr> Missing invalidation of Markdown cache causes potential XSS payloads to persist</a></td> low</td> </tr> Conan API incorrectly processes JWT-encoded Personal Access Tokens</a></td> low</td> </tr> </tbody> </table> Improper access control in CI/CD cache mechanism</h2> Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions from 1.0.2 before 14.8.6 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches. This is a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N</code>, 7.1). It is now mitigated in the latest release and is assigned CVE-2022-1423</a>.</p> Thanks wapiflapi</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS on CI Editor and CI Pipeline detail pages</h2> An issue has been discovered in GitLab affecting all versions starting from 13.9 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious text in the CI Editor and CI Pipeline details page allowing the attacker to cause uncontrolled resource consumption. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1510</a>.</p> Thanks stunninglemon</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> User with developer role (group) can modify Protected branches -> Allowed to merge setting on imported project</h2> Improper input validation in GitLab CE/EE affecting all versions from 8.12 prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0 allows a Developer to read protected Group or Project CI/CD variables by importing a malicious project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1406</a>.</p> Thanks @justas_b</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Maintainer can execute scheduled CI pipeline as another user</h2> An issue has been discovered in GitLab affecting all versions starting from 9.2 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not performing correct authorizations on scheduled pipelines allowing a malicious user to run a pipeline in the context of another user. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned CVE-2022-1460</a>.</p> Thanks peterl</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Missing input masking on sensitive integration properties</h2> Missing input masking in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6 causes potentially sensitive integration properties to be disclosed in the web interface. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-1413</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> API discloses issue titles of limited projects</h2> Due to an insecure direct object reference vulnerability in Gitlab EE/CE affecting all versions from 11.0 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1, an endpoint may reveal the issue title to a user who crafted an API call with the ID of the issue from a public project that restricts access to issue only to project members. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-1352</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Confidential notes disclosure</h2> It was possible to disclose details of confidential notes created via the API in Gitlab CE/EE affecting all versions from 13.2 prior to 14.8.6, 14.9 prior to 14.9.4, and 14.10 prior to 14.10.1 if an unauthorised project member was tagged in the note. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability has been discovered internally by the GitLab team.</p> Improper rack-attack discriminator for authenticated_packages_api</code> with a deploy token</h2> An issue has been discovered in GitLab affecting all versions before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was incorrectly verifying throttling limits for authenticated package requests which resulted in limits not being enforced. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1428</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Improper access control in Project Members-only Wiki</h2> Improper access control in GitLab CE/EE affecting all versions starting from 8.12 before 14.8.6, all versions starting from 8.13 before 14.9.4, and all versions starting from 8.14 before 14.10.1 allows non-project members to access contents of Project Members-only Wikis via malicious CI jobs. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1417</a>.</p> Thanks shells3c</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest project member can access trace log of jobs when it is enabled</h2> An improper authorization issue has been discovered in GitLab CE/EE affecting all versions prior to 14.8.6, all versions from 14.9.0 prior to 14.9.4, and 14.10.0, allowing Guest project members to access trace log of jobs when it is enabled. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1124</a>.</p> Thanks jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> HTML and CSS injection in pipeline error messages</h2> Missing sanitization of data in Pipeline error messages in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6 allows for rendering of attacker controlled HTML tags and CSS styling. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1416</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Forging GET Requests through and Denying Service of Simple PyPi API Endpoint</h2> An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly handling malicious requests to the PyPi API endpoint allowing the attacker to cause uncontrolled resource consumption. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1431</a>.</p> Thanks iwis</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Missing invalidation of Markdown cache causes potential XSS payloads to persist</h2> An issue has been discovered in GitLab affecting all versions starting from 14.4 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. Missing invalidation of Markdown caching causes potential payloads from a previously exploitable XSS vulnerability (CVE-2022-1175) to persist and execute. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2022-1433</a>.</p> Thanks stacksmashing</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Conan API incorrectly processes JWT-encoded Personal Access Tokens</h2> An issue has been discovered in GitLab affecting all versions starting from 12.6 before 14.8.6, all versions starting from 14.9 before 14.9.4, all versions starting from 14.10 before 14.10.1. GitLab was not correctly authenticating a user that had some certain amount of information which allowed an user to authenticate without a personal access token. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N</code>, 2.0). It is now mitigated in the latest release and is assigned CVE-2022-1426</a>.</p> Thanks firelizzard</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Zlib</h2> The version of Zlib has been updated to 1.2.12 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus prior to 14.8</p> Update Ipynbdiff</h2> The version of Ipynbdiff has been updated to 0.4.5 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE prior to 14.10</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 14.10 released with individual compliance violation reporting and a UI for streaming audit events 2022-04-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.10 with Compliance report individual violation reporting</a>, a UI for streaming audit events</a>, GitLab Runner operator for Kubernetes</a>, escalating manually created incidents</a> and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 15.0 release kickoff video.</p> GitLab Patch Release: 14.9.3 2022-04-12T00:00:00+00:00 Today we are releasing version 14.9.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Change mp4 to image</a></li> Fix null argument handling in background migration Rake task</a></li> Remove pending builds from the queue on conflict</a></li> Fix URL blocker when object storage enabled but type is disabled</a></li> Fixing regex on grep for cleanup function.</a></li> kubectl: set HOME to /tmp/kube, speed up kubectl</a></li> Revert Protected Environment group access inheritence</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.6.7 2022-04-01T00:00:00+00:00 Today we are releasing version 14.6.7 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in December's 14.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Doc: Update repository signing key expriation date</a></li> Update OpenSSL to v1.1.1n</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 14.9.2, 14.8.5, and 14.7.7 2022-03-31T00:00:00+00:00 Updated 14:50 UTC 2022-04-01</strong> We have updated this blog post with a script to be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162</a>.</p> Today we are releasing versions 14.9.2, 14.8.5, and 14.7.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for March.</em></p> We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</h3> These versions contain important security fixes. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Static passwords inadvertently set during OmniAuth-based registration</a></td> critical</td> </tr> Stored XSS in notes</a></td> high</td> </tr> Stored XSS on Multi-word milestone reference</a></td> high</td> </tr> Denial of service caused by a specially crafted RDoc file</a></td> medium</td> </tr> GitLab Pages access tokens can be reused on multiple domains</a></td> medium</td> </tr> GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout</a></td> medium</td> </tr> Incorrect include in pipeline definition exposes masked CI variables in UI</a></td> medium</td> </tr> Regular expression denial of service in release asset link</a></td> medium</td> </tr> Latest Commit details from private projects leaked to guest users via Merge Requests</a></td> medium</td> </tr> CI/CD analytics are available even when public pipelines are disabled</a></td> medium</td> </tr> Absence of limit for the number of tags that can be added to a runner can cause performance issues</a></td> medium</td> </tr> Client DoS through rendering crafted comments</a></td> medium</td> </tr> Blind SSRF Through Repository Mirroring</a></td> low</td> </tr> Bypass of branch restriction in Asana integration</a></td> low</td> </tr> Readable approval rules by Guest user</a></td> low</td> </tr> Redact InvalidURIError error messages</a></td> low</td> </tr> Project import maps members' created_by_id users based on source user ID</a></td> low</td> </tr> </tbody> </table> Static passwords inadvertently set during OmniAuth-based registration</h2> A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</code>, 9.1). It is now mitigated in the latest release and is assigned CVE-2022-1162</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Note:</em></strong> We executed a reset of GitLab.com passwords for a selected set of users as of 15:38 UTC. Our investigation shows no indication that users or accounts have been compromised but we’re taking precautionary measures for our users’ security.</p> Stored XSS in notes</h2> Improper neutralization of user input in GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to exploit XSS by injecting HTML in notes. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2022-1175</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS on Multi-word milestone reference</h2> Improper handling of user input in GitLab CE/EE versions 8.3 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to exploit a stored XSS by abusing multi-word milestone references in issue descriptions, comments, etc. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2022-1190</a>.</p> Thanks ryhmnlfj</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Denial of service caused by a specially crafted RDoc file</h2> A denial of service vulnerability when rendering RDoc files in GitLab CE/EE versions 10 to 14.7.7, 14.8.0 to 14.8.5, and 14.9.0 to 14.9.2 allows an attacker to crash the GitLab web application with a maliciously crafted RDoc file. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-1185</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> GitLab Pages access tokens can be reused on multiple domains</h2> Improper authorization in GitLab Pages included with GitLab CE/EE affecting all versions from 11.5 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowed an attacker to steal a user's access token on an attacker-controlled private GitLab Pages website and reuse that token on the victim's other private websites. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-1148</a>.</p> Thanks ehhthing</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> GitLab Pages uses default (disabled) server Timeouts and a weak TCP Keep-Alive timeout</h2> A lack of appropriate timeouts in GitLab Pages included in GitLab CE/EE all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to cause unlimited resource consumption. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-1121</a>.</p> Thanks feistel</a> for reporting this vulnerability.</p> Incorrect include in pipeline definition exposes masked CI variables in UI</h2> Missing filtering in an error message in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 exposed sensitive information when an include directive fails in the CI/CD configuration. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N</code>, 4.8). It is now mitigated in the latest release and is assigned CVE-2022-1120</a>.</p> Thanks bdrich</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular expression denial of service in release asset link</h2> A potential DOS vulnerability was discovered in GitLab CE/EE affecting all versions from 13.1 prior to 14.7.7, 14.8.0 prior to 14.8.5, and 14.9.0 prior to 14.9.2. The api to update an asset as a link from a release had a regex check which caused exponential number of backtracks for certain user supplied values resulting in high CPU usage. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1100</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Latest Commit details from private projects leaked to guest users via Merge Requests</h2> Improper access control in GitLab CE/EE since version 10.7 allows a malicious actor to obtain details of the latest commit in a private project via Merge Requests under certain circumstances. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1193</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> CI/CD analytics are available even when public pipelines are disabled</h2> An improper access control vulnerability in GitLab CE/EE affecting all versions from 13.11 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an unauthorized user to access pipeline analytics even when public pipelines are disabled. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1105</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Absence of limit for the number of tags that can be added to a runner can cause performance issues</h2> Adding a very large number of tags to a runner in GitLab CE/EE affecting all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allows an attacker to impact the performance of GitLab. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1099</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Client DoS through rendering crafted comments</h2> A potential DoS vulnerability was discovered in Gitlab CE/EE versions 13.7 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 allowed an attacker to trigger high CPU usage via a special crafted input added in Issues, Merge requests, Milestones, Snippets, Wiki pages, etc. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-1174</a>.</p> Thanks scaramouche31</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Blind SSRF Through Repository Mirroring</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.1 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 where a blind SSRF attack through the repository mirroring feature was possible. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2022-1188</a>.</p> Thanks jimeno</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypass of branch restriction in Asana integration</h2> Incorrect authorization in the Asana integration's branch restriction feature in all versions of GitLab CE/EE starting from version 7.8.0 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 makes it possible to close Asana tasks from unrestricted branches. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-0740</a>.</p> Thanks ooooooo_q</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Readable approval rules by Guest user</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.2 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 that allowed for an unauthorised user to read the approval rules of a private project. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-1189</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Redact InvalidURIError error messages</h2> Missing sanitization of logged exception messages in all versions prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 of GitLab CE/EE causes potential sensitive values in invalid URLs to be logged. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2022-1157</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Project import maps members' created_by_id users based on source user ID</h2> A business logic error in Project Import in GitLab CE/EE versions 14.9 prior to 14.9.2, 14.8 prior to 14.8.5, and 14.0 prior to 14.7.7 under certain conditions caused imported projects to show an incorrect user in the 'Access Granted' column in the project membership pages. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.4). It is now mitigated in the latest release and is assigned CVE-2022-1111</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update commonmarker</h2> The version of commonmarker has been updated to 0.23.4</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE</p> Update Grafana</h2> The version of Grafana has been updated to 7.5.15</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Update Mattermost</h2> The version of Mattermost has been updated to 6.4.2</code>, 6.3.5</code>, and 6.2.5</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE.</p> Update Swagger</h2> The version of Swagger has been updated to 4.0.0</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE</p> Update Python</h2> The version of Python has been updated to 3.8.12</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Charts</a>.</p> Update go-proxyproto</h2> The version of go-proxyproto has been updated to 0.6.2</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Pages</p> Update Devise</h2> The version of devise-two-factor has been updated to 4.0.2</code> in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of Gitlab CE/EE</p> Non-security updates</h2> 14.7.7 and 14.8.5 include a non-security bug fix addressing Merge Request Approval Rules. The bug is not present in 14.9 releases.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Script to identify users potentially impacted by CVE-2022-1162</h2> GitLab has prepared a script which can be used by self-managed instance admins to identify user accounts potentially impacted by CVE-2022-1162.</p> # This script identifies users who may have been impacted by </span> # CVE-2022-1162.</span> # The list is not exhaustive and may not include attackers who have </span> # gained access and modified an account.</span> #</span> # The START_DATE can be changed to the date a vulnerable version was</span> # installed.</span> #</span> # The result is a CSV printed to STDOUT containing potentially affected</span> # users. The columns are:</span> # - User ID (integer)</span> # - Username (string)</span> # - User's email (string)</span> # - Whether the user still has an automatically set password (boolean)</span> #</span> # We strongly recommend that all GitLab installations be upgraded to</span> # 14.9.2, 14.8.5, or 14.7.7 immediately.</span> # See: https://about.gitlab.com/releases/2022/03/31/critical-security-release-gitlab-14-9-2-released/</span> #</span> # To run the script, place this script into a file ie. /tmp/find-impacted-users.rb </span> # on your GitLab instance and then run the following command to execute the script:</span> #</span> # gitlab-rails runner /tmp/find-impacted-users.rb</span> #</span> ActiveRecord</span>::</span>Base</span>.</span>connection</span>.</span>execute</span>(</span>'set statement_timeout to 600000'</span>)</span> START_DATE</span> =</span> Time</span>.</span>utc</span>(</span>2022</span>,</span> 1</span>,</span> 20</span>)</span> user_id</span> =</span> 0</span> csv</span> =</span> CSV</span>.</span>new</span>(</span>STDOUT</span>)</span> begin</span> users</span> =</span> User</span>.</span> joins</span>(</span>:identities</span>).</span> where</span>(</span>'users.created_at >= ?'</span>,</span> START_DATE</span>).</span> where</span>(</span>'identities.created_at >= ?'</span>,</span> START_DATE</span>).</span> where</span>(</span>'users.id > ?'</span>,</span> user_id</span>)</span> users</span>.</span>in_batches</span>(</span>of: </span>250</span>).</span>each_record</span> do</span> |</span>user</span>|</span> csv</span> <<</span> [</span>user</span>.</span>id</span>,</span> user</span>.</span>username</span>,</span> user</span>.</span>email</span>,</span> user</span>.</span>password_automatically_set?</span>]</span> user_id</span> =</span> user</span>.</span>id</span> end</span> rescue</span> retry</span> end</span> </code></pre></div> A false</code> value in the user.password_automatically_set?</code> column means that the user had overwritten the random password that was originally set when creating the user via an Omniauth method (e.g. OAuth, LDAP, or SAML). Double-check these accounts to ensure that this change was intentional and not the result of exploitation.</p> Out of an abundance of caution it is recommended to reset the passwords for all users returned by the script. Users where password_automatically_set?</code> is true</code> will not notice that the password reset happened and can continue logging in using OAuth, LDAP, or SAML. Those where the value is false</code> can also keep logging in using those authentication methods, however the password they had set themselves will not work anymore.</p> Users created before the installation of GitLab 14.7.0 or after the update to GitLab 14.9.2, 14.8.5, or 14.7.7 are not affected and no actions are required.</p> GitLab has conducted limited testing to validate this script. As such this script is provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.</p> After identifying potentially affected user accounts, it is recommended to reset a user's password</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.7.6 2022-03-24T00:00:00+00:00 Today we are releasing version 14.7.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Detect and fix artifacts with backfilled expire_at</a></li> Enable feature flags to resume artifact removal on self-managed</a></li> Update OpenSSL to v1.1.1n</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.9.1 2022-03-23T00:00:00+00:00 Today we are releasing version 14.9.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix backups not working when feature_flags table does not exist</a></li> Add deprecation notices that missed the 14.9.0 release tag</a></li> Alias user_email_lookup_limit to search_rate_limit</a></li> Reverts '353995-feature-flag-enable-geo_job_artifact_replication'</a></li> Geo Upgrade warning for 14.9</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.9 released with epic to epic linking and integrated security training 2022-03-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.9 with epic to epic linking</a>, integrated security training</a>, a new Environments page design</a>, rule mode for scan result policies</a> and much more!</p> These are just a few highlights from the 40+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.10 release kickoff video.</p> GitLab Patch Release: 14.8.4 2022-03-16T00:00:00+00:00 Today we are releasing version 14.8.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Pass issue ID to merge request creation form</a></li> Detect and fix artifacts with backfilled expire_at</a></li> Enable feature flags to resume artifact removal on self-managed</a></li> Update OpenSSL to v1.1.1n</a></li> Update OpenSSL to 1.1.1k-1+deb11u2</code> for Container Native GitLab</li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.8.3 2022-03-15T00:00:00+00:00 Today we are releasing version 14.8.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Ensure cleanup job artifacts task does not include pipeline artifacts</a></li> Be specific that default.md is not case-sensitive</a></li> Fix handling of resource iteration events when deleting a User</a></li> Fix rake task to setup the Geo tracking database</a></li> Fix startup crash in Puma single mode</a></li> Removes advice not to mix p/c with compliance pipes</a></li> Move postcss to dependencies</a></li> Doc: Update repository signing key expriation date</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.7.5 2022-03-09T00:00:00+00:00 Today we are releasing version 14.7.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 14.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Change to truncate table before adding finding_link_url_idx</a></li> Ensure cleanup job artifacts task does not include pipeline artifacts</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.6.6 2022-03-02T00:00:00+00:00 Today we are releasing version 14.6.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in 14.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Resolve "Imports fail in 14.5.2 fail with HTTParty::UnsupportedURIScheme error"</a></li> Fix Geo checksummable check failing when file is nil</a></li> Ensure cleanup job artifacts task does not include pipeline artifacts</a></li> Ensure EE services are added when gitlab-ee::config recipe is included</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 14.8.2, 14.7.4, and 14.6.5 2022-02-25T00:00:00+00:00 Updated 00:00 UTC 2022-04-11</strong> We have clarified the hotpatch instructions for self-managed instances running select versions older than 14.6</a> related to the use of token-prefix-patch</code></p> Updated 16:40 UTC 2022-03-04</strong> If you are using Kubernetes runners, you will be required to manually update the Helm chart values with the new registration token. More information about updating the values can be found here: https://docs.gitlab.com/runner/install/kubernetes.html#store-registration-tokens-or-runner-tokens-in-secrets</a></p> Updated 00:00 UTC 2022-02-26</strong> We have updated this blog post with hotpatch instructions for self-managed instances running select versions older than 14.6</a></p> We strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</h3> Note regarding Runner registration token disclosure:</strong> This update will reset runner registration tokens for your group and projects. If you use an automated process (scripts that encode the value of the registration token) to register runners, this update will break that process. However, it should have no affect on previously registered runners. If applicable to your processes, your administrator may choose to save a backup of your existing tokens which can later help identify potentially malicious registration tokens, or rogue runners. For example, if an unauthorized actor tries to register a runner using one of the revoked tokens, knowing that value will help admins monitor that type of activity.</p> Today we are releasing versions 14.8.2, 14.7.4, and 14.6.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). Please note, this critical release will also serve as our monthly security release for February.</em></p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Runner registration token disclosure through Quick Actions</a></td> critical</td> </tr> Unprivileged users can add other users to groups through an API endpoint</a></td> medium</td> </tr> Inaccurate display of Snippet contents can be potentially misleading to users</a></td> medium</td> </tr> Environment variables can be leaked via the sendmail delivery method</a></td> medium</td> </tr> Unauthenticated user enumeration on GraphQL API</a></td> medium</td> </tr> Adding a mirror with SSH credentials can leak password</a></td> medium</td> </tr> Denial of Service via user comments</a></td> low</td> </tr> </tbody> </table> Runner registration token disclosure through Quick Actions</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.6.5, all versions starting from 14.7 before 14.7.4, all versions starting from 14.8 before 14.8.2. An unauthorized user was able to steal runner registration tokens through an information disclosure vulnerability using quick actions commands. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned CVE-2022-0735</a>.</p> Thanks 0xn3va</a> for the report on our HackerOne bug bounty program which sparked the internal investigation that uncovered this vulnerability.</p> Unprivileged users can add other users to groups through an API endpoint</h2> An issue has been discovered in GitLab CE/EE affecting all versions before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under certain conditions, GitLab REST API may allow unprivileged users to add other users to groups even if that is not possible to do through the Web UI. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0549</a>.</p> This vulnerability was reported to us by a customer.</p> Inaccurate display of Snippet contents can be potentially misleading to users</h2> Inaccurate display of Snippet files containing special characters in all versions of GitLab CE/EE allows an unauthorized actor to create Snippets with misleading content, which could trick unsuspecting users into executing arbitrary commands. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0751</a>.</p> Thanks st4nly0n</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Note</h3> This fix modifies our GraphQL API by adding the hasUnretrievableBlobs</code> field to the SnippetBlobConnection</code> type. It indicates if the snippet has unretrievable blobs. Please be aware of deploying this change if you use multi-version deployments. We encourage users to include this patch in all deployed server instances.</p> Environment variables can be leaked via the sendmail delivery method</h2> Improper input validation in all versions of GitLab CE/EE using sendmail to send emails allowed an unauthorized actor to steal environment variables via specially crafted email addresses. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2022-0741</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthenticated user enumeration on GraphQL API</h2> An issue has been discovered in GitLab CE/EE affecting versions 13.0 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Private GitLab instances with restricted sign-ups may be vulnerable to user enumeration by unauthenticated users through the GraphQL API. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-4191</a>.</p> Thanks mungsul</a> and todb-r7</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Adding a mirror with SSH credentials can leak password</h2> An issue has been discovered in GitLab affecting all versions starting from 14.6 before 14.6.5, all versions starting from 14.7 before 14.7.4, and all versions starting from 14.8 before 14.8.2. GitLab was leaking user passwords when adding mirrors with SSH credentials under specific conditions. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N</code>, 4.2). It is now mitigated in the latest release and is assigned CVE-2022-0738</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Denial of Service via user comments</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 8.15. It was possible to trigger a DOS by using the math feature with a specific formula in issue comments. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-0489</a>.</p> Thanks cancerz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Grafana</h2> The version of Grafana has been updated to 7.5.12 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE.</p> Update Mattermost</h2> The version of Mattermost has been updated to 6.3.3 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus prior to 14.8.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Hotpatch for Runner registration token disclosure through Quick Actions</h2> For self-managed instances not on versions 14.6 or greater, GitLab has published patches</a> which can be applied to mitigate the Runner registration token disclosure through Quick Actions</a> vulnerability. These patches should be considered temporary. Any instances of GitLab should be upgraded to a patched version of 14.8.2, 14.7.4, or 14.6.5 as soon as possible.</p> Patches named security-patch-$VERSION.patch</code> close the vulnerability which exposed runner registration tokens via quick action commands, and patches named token-prefix-patch-$VERSION.patch</code> can be applied to automate a one-time rotation of all project & group registration tokens.</p> Version-specific patches are available for GitLab releases 14.5.4, 14.4.5, 14.3.6, 14.2.7, 14.1.8, 14.0.12 and 13.12.15.</p> To apply the desired patch(es) on a GitLab omnibus instance, first retrieve the appropriate patchfile(s) based on the version of your instance, and then follow the below commands (example here uses patches for 14.0.12):</p> sudo </span>su cd</span> ~ curl -JLO</span> https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/14.8.2-Security-Hotpatches/config/patches/gitlab-rails/security-patch-14.0.patch curl -JLO</span> https://gitlab.com/gitlab-org/omnibus-gitlab/-/raw/14.8.2-Security-Hotpatches/config/patches/gitlab-rails/token-prefix-patch-14.0.patch cd</span> /opt/gitlab/embedded/service/gitlab-rails/ patch -p1</span> < ~/security-patch-14.0.patch patch -p1</span> < ~/token-prefix-patch-14.0.patch gitlab-ctl restart </code></pre></div> After applying the token-prefix-patch</code>, instances with a small number of groups and projects (under 10,000) can optionally use the following rails console commands to immediately reset all project & group runner registration tokens:</p> Project</span>.</span>in_batches</span>(</span>of: </span>100</span>).</span>update_all</span>(</span>runners_token_encrypted: </span>nil</span>)</span> Group</span>.</span>in_batches</span>(</span>of: </span>100</span>).</span>update_all</span>(</span>runners_token_encrypted: </span>nil</span>)</span> </code></pre></div> GitLab has conducted limited testing to validate these patches. As such these patches are provided AS-IS and GitLab makes no warranties of any kind. GITLAB HEREBY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.8.1 2022-02-23T00:00:00+00:00 Today we are releasing version 14.8.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix toolbar buttons in Markdown field</a></li> Revert: Link by commit and name for pipeline</a></li> Stop backup files from requiring directories to exist when skipped</a></li> Allow assigning users with private profiles with quick-actions</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.8 released with new SSH key types and security approval policies 2022-02-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.8 with new SSH key types</a>, security approval policies</a>, pipeline editor autocomplete</a>, impersonation audit events</a>, and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.9 release kickoff video.</p> GitLab Patch Release: 14.7.3 2022-02-14T00:00:00+00:00 Today we are releasing version 14.7.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Properly exclude pending_destruction packages when creating one</a></li> Update Import/Export ObjectBuilder for merge requests</a></li> Fix Geo checksummable check failing when file is nil</a></li> Update GitHub PRs Importer to force update repository</a></li> Update Mattermost to 6.2.2 (GitLab 14.7)</a></li> Specify fetch_workers config option to omnibus</a></li> Update Omnibus to v8.2.1.7</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.7.2 2022-02-08T00:00:00+00:00 Today we are releasing version 14.7.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Create 14.7 What's New entry</a></li> Fix cluster integration HTTP adapter</a></li> Revert "Merge branch 'wc-gitaly-keepalive-limit' into 'master'"</a></li> Fix broken mermaid diagrams</a></li> GitLab Version - CE Admin Dashboard [RUN ALL RSPEC] [RUN AS-IF-FOSS]</a></li> Geo: Fix verification failures of remote stored files</a></li> Update to ruby-magic v0.5.4</a></li> Geo: Fix reverify object stored files</a></li> Update PG runtime conf before restarting</a></li> Ensure EE services are added when gitlab-ee::config recipe is included</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.7.1, 14.6.4, and 14.5.4 2022-02-03T00:00:00+00:00 Today we are releasing versions 14.7.1, 14.6.4, and 14.5.4 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary POST requests via special HTML attributes in Jupyter Notebooks</a></td> high</td> </tr> DNS Rebinding vulnerability in Irker IRC Gateway integration</a></td> medium</td> </tr> Missing certificate validation for external CI services</a></td> medium</td> </tr> Blind SSRF Through Project Import</a></td> medium</td> </tr> Open redirect vulnerability in Jira Integration</a></td> medium</td> </tr> Issue link was disclosing the linked issue</a></td> medium</td> </tr> Service Desk email accessible by project non-members</a></td> medium</td> </tr> Authenticated users can search other users by their private email</a></td> medium</td> </tr> "External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request</a></td> medium</td> </tr> Deleting packages in bulk from package registries may cause table locks</a></td> medium</td> </tr> Autocomplete enabled on specific pages</a></td> low</td> </tr> Possible SSRF due to not blocking shared address space</a></td> low</td> </tr> System notes reveals private project path when Issue is moved to a public project</a></td> low</td> </tr> Timeout for pages using Markdown</a></td> low</td> </tr> Certain branch names could not be protected</a></td> low</td> </tr> </tbody> </table> Arbitrary POST requests via special HTML attributes in Jupyter Notebooks</h2> Missing sanitization of HTML attributes in Jupyter notebooks in all versions of GitLab CE/EE since version 14.5 allows an attacker to perform arbitrary HTTP POST requests on a user's behalf leading to potential account takeover. This is a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2022-0427</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> DNS Rebinding vulnerability in Irker IRC Gateway integration</h2> A DNS rebinding vulnerability in the Irker IRC Gateway integration in all versions of GitLab CE/EE since version 7.9 allows an attacker to trigger Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0425</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Missing certificate validation for external CI services</h2> An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2022-0123</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Blind SSRF Through Project Import</h2> A vulnerability was discovered in GitLab starting with version 10.5. GitLab was vulnerable to a blind SSRF attack through the Project Import feature. . This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2022-0136</a>.</p> Thanks no1zy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Open redirect vulnerability in Jira Integration</h2> An issue has been discovered affecting GitLab versions prior to 13.5. An open redirect vulnerability was fixed in GitLab integration with Jira that a could cause the web application to redirect the request to the attacker specified URL. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N</code>, 4.7). It is now mitigated in the latest release and is assigned CVE-2022-0283</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Issue link was disclosing the linked issue</h2> Improper access control allowed for project non-members to retrieve issue details when it was linked to an item form the vulnerability dashboard in GitLab CE/EE. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-0390</a>.</p> Thanks wi11</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Service Desk email accessible by project non-members</h2> Improper access control allows project non-members to retrieve the Service Desk email address in GitLab CE/EE. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-0373</a>.</p> Thanks albatraoz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Authenticated users can search other users by their private email</h2> GitLab search may allow authenticated users to search other users by their respective private emails even if a user set their email to private. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-0371</a>.</p> Customers may continue to search GitLab through the following methods:</p> Search via public email</li> Search via username</li> Query Users API for user id</li> Use our new Provisioned Users endpoint</a> (if you use Group SAML or SCIM)</li> Use an Admin token to search for the users via the API (if you are on a GitLab self-managed instance)</li> </ul> This vulnerability was found internally by a member of the GitLab team.</p> "External status checks" can be accepted by users below developer access if the user is either author or assignee of the target merge request</h2> An authorization logic error in the External Status Check API in GitLab EE affecting all versions starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allowed a user to update the status of the check via an API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39943</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Deleting packages in bulk from package registries may cause table locks</h2> An issue has been discovered in GitLab affecting all versions starting from 11.9 before 14.5.4, all versions starting from 14.6.0 before 14.6.4, all versions starting from 14.7.0 before 14.7.1. GitLab was not correctly handling bulk requests to delete existing packages from the package registries which could result in a Denial of Service under specific conditions. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H</code>, 4.9). It is now mitigated in the latest release and is assigned AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H</a>.</p> This vulnerability was found internally by a member of the GitLab team.</p> Autocomplete enabled on specific pages</h2> An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, all versions starting from 14.6.0 before 14.6.2. GitLab was not disabling the Autocomplete</code> attribute of fields related to sensitive information making it possible to be retrieved under certain conditions. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-0167</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Possible SSRF due to not blocking shared address space</h2> A vulnerability was discovered in GitLab starting with version 12. GitLab was vulnerable to a blind SSRF attack since requests to shared address space were not blocked. . This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-0249</a>.</p> Thanks no1zy</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> System notes reveals private project path when Issue is moved to a public project</h2> An issue has been discovered in GitLab affecting all versions starting from 10.0 before 14.5.4, all versions starting from 10.1 before 14.6.4, all versions starting from 10.2 before 14.7.1. Private project paths can be disclosed to unauthorized users via system notes when an Issue is closed via a Merge Request and later moved to a public project. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2022-0344</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Timeout for pages using Markdown</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with version 8.10. It was possible to trigger a timeout on a page with markdown by using a specific amount of block-quotes. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-0488</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Certain branch names could not be protected</h2> In some cases, branch names containing HTML tags were not properly being protected. This is a follow-up to CVE-2021-39931</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> The version of Mattermost has been updated to 6.1.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus prior to 14.7</p> Update Go</h2> The version of Go used in the GitLab Omnibus .gitlab-ci.yml</code> file has been updated to 2.9.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus prior to 14.7</p> Update Rouge</h2> The version of Rouge has been updated to 3.27.0 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE</p> Update Mermaid</h2> The version of Mermaid has been updated to 8.13.10 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab CE/EE</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 14.7 released with Streaming Audit Events, GitLab Runner compliance with FIPS 140-2, and Group Access Tokens 2022-01-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.7 with Streaming Audit Events</a>, GitLab Runner compliance with FIPS 140-2</a>, Group Access Tokens</a> and much more!</p> These are just a few highlights from the 25+ improvements in this release. Read on to check out all of the great updates.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.8 release kickoff video.</p> GitLab Patch Release: 14.6.3 2022-01-17T00:00:00+00:00 Today we are releasing version 14.6.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Geo: adapt verification timed out query to use state table</a></li> Fix migration for cases with empty strings</a></li> Fix the order of subsequent jobs when requeuing a job</a></li> Geo: Resolve "undefined method each_batch"</a></li> Fix destruction of projects with pipelines</a></li> Revert chef-acme cookbook update</a></li> Update golang to 1.16.12</a></li> Pass knapsack generate report var to gitlab-qa</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.6.2, 14.5.3, and 14.4.5 2022-01-11T00:00:00+00:00 Today we are releasing versions 14.6.2, 14.5.3, and 14.4.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary file read via group import feature</a></td> high</td> </tr> Stored XSS in notes</a></td> high</td> </tr> Lack of state parameter on GitHub import project OAuth</a></td> high</td> </tr> Vulnerability related fields are available to unauthorized users on GraphQL API</a></td> medium</td> </tr> Deleting packages may cause table locks</a></td> medium</td> </tr> IP restriction bypass via GraphQL</a></td> medium</td> </tr> Repository content spoofing using Git replacement references</a></td> medium</td> </tr> Users can import members from projects that they are not a maintainer on through API</a></td> medium</td> </tr> Possibility to direct user to malicious site through Slack integration</a></td> medium</td> </tr> Bypassing file size limits to the NPM package repository</a></td> medium</td> </tr> User with expired password can still access sensitive information</a></td> low</td> </tr> Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port</a></td> low</td> </tr> </tbody> </table> Arbitrary file read via group import feature</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 14.5. Arbitrary file read was possible by importing a group due to incorrect file handling. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 8.6). It is now mitigated in the latest release and is assigned CVE-2022-0244</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS in notes</h2> Improper neutralization of user input in GitLab CE/EE versions 14.3 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed an attacker to exploit XSS by abusing the generation of the HTML code related to emojis. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39946</a>.</p> Thanks jarij</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Lack of state parameter on GitHub import project OAuth</h2> An issue has been discovered in GitLab affecting all versions starting from 7.7 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to a Cross-Site Request Forgery attack that allows a malicious user to have their GitHub project imported on another GitLab user account. This is a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2022-0154</a>.</p> Thanks aryan2808</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Vulnerability related fields are available to unauthorized users on GraphQL API</h2> An issue has been discovered in GitLab affecting all versions starting from 13.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was vulnerable to unauthorized access to some particular fields through the GraphQL API. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0152</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Deleting packages may cause table locks</h2> An issue has been discovered in GitLab affecting all versions starting from 12.10 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was not correctly handling requests to delete existing packages which could result in a Denial of Service under specific conditions. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0151</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> IP restriction bypass via GraphQL</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.3. Under certain conditions it was possible to bypass the IP restriction for public projects through GraphQL allowing unauthorised users to read titles of issues, merge requests and milestones. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2022-0172</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Repository content spoofing using Git replacement references</h2> An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab is configured in a way that it doesn't ignore replacement references with git</code> sub-commands, allowing a malicious user to spoof the contents of their commits in the UI. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2022-0090</a>.</p> Thanks star-labs</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Users can import members from projects that they are not a maintainer on through API</h2> An issue has been discovered in GitLab affecting all versions starting from 12.0 before 14.4.5, all versions starting from 14.5.0 before 14.5.3, and all versions starting from 14.6.0 before 14.6.2. GitLab was not verifying that a maintainer of a project had the right access to import members from a target project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-0125</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Possibility to direct user to malicious site through Slack integration</h2> An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. Gitlab's Slack integration is incorrectly validating user input and allows crafting of malicious URLs that are sent to slack. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2022-0124</a>.</p> Thanks rafaltrojniak</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypassing file size limits to the NPM package repository</h2> A denial of service vulnerability in GitLab CE/EE affecting all versions starting from 12.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, and all versions starting from 14.5 before 14.5.2, allows low-privileged users to bypass file size limits in the NPM package repository to potentially cause denial of service. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39942</a>.</p> Thanks 0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> User with expired password can still access sensitive information</h2> An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab allows a user with an expired password to access sensitive information through RSS feeds. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2022-0093</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Incorrect port validation allows access to services on ports 80 and 443 if GitLab is configured to run on another port</h2> Server side request forgery protections in GitLab CE/EE versions between 8.4 and 14.4.x, between 14.5.0 and 14.5.x, and between 14.6.0 and 14.6.x would fail to protect against attacks sending requests to localhost on port 80 or 443 if GitLab was configured to run on a port other than 80 or 443. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2021-39927</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update Prometheus</h2> The version of Prometheus included in GitLab Omnibus has been updated to 2.25.2 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.6.1 2022-01-04T00:00:00+00:00 Today we are releasing version 14.6.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix re-use of extensions between instances</a></li> Ignore new line differences when deciding whether to squash MR</a></li> Drop LetsEncrypt X3 expired root test</a></li> Fix date-dependent failing spec in export_service_spec.rb</a></li> Fix an issue with sidekiq starting in docker compose</a></li> Fix the final chown of the rails ubi image</a></li> Fix sha256 digest of nginx-ingress controller image</a></li> Fix duplicate NGINX labels</a></li> Restore loadBalancerIP=global.hosts.externalIP on NGINX Controller Service</a> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.6 adds seamless Geo experience and supports .NET 6 in SAST 2021-12-22T00:00:00+00:00 Today, we are thrilled to announce the release of GitLab 14.6, the last release for 2021. This release brings simplified Geo configuration</a> that helps globally distributed teams accelerate Git clone or Git pull commands by automatically using the geo site closest to them, an activity list for GitLab's Agent</a> that logs real-time events such as connection and token status, and various SAST improvements including SAST execution policies</a> and support for .NET 6</a>.</p> These are just a few highlights from the 30+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.7 release kickoff video.</p> GitLab Runner Critical Security Release: 14.5.2, 14.4.2, and 14.3.4 2021-12-10T00:00:00+00:00 Today we are releasing versions 14.5.2, 14.4.2, and 14.3.4 for GitLab Runner.</p> These versions contain important security fixes and we strongly recommend that all GitLab Runner installations for both GitLab.com and self-managed instances be upgraded to one of them immediately. This critical security release is for two security vulnerabilities that have been assigned a CVSS with medium severity, but that have a critical impact on GitLab.com users.</p> GitLab.com Shared Runners are already running the patched version.</p> We estimate that the number of self-managed GitLab Runner installations vulnerable to these exploits to be small due to a very specific combination of settings required to take advantage of this vulnerability. Even so, again: we strongly recommend that all GitLab Runner installations be upgraded to one of these versions immediately.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Specially crafted docker images can exhaust resources on managers</a></td> medium</td> </tr> Golang vulnerability CVE-2021-44717: don’t close fd 0 on ForkExec error</a></td> medium</td> </tr> </tbody> </table> Specially crafted docker images can exhaust resources on managers</h2> An uncontrolled resource consumption vulnerability in GitLab Runner affecting all versions starting from 13.7 before 14.3.4, all versions starting from 14.4 before 14.4.2, all versions starting from 14.5 before 14.5.2, allows an attacker triggering a job with a specially crafted docker image to exhaust resources on a runner manager. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39939</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Temporary workaround</h3> A temporary workaround, in cases when GitLab Runner can't be updated immediately, would be to disable the FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR</code> feature flag in Runner's config.toml</code> configuration file. This will turn off the vulnerable feature and make it impossible for users to turn it on from the job level.</p> Open the config.toml</code> file of the Runner that you want to update.</p> </li> In each [[runners]]</code> section add:</p> [runners.feature_flags]</span> FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR</span> =</span> false</span> </code></pre></div> </li> Save the file and exit.</p> </li> </ol> After that, the runner's process should detect the change and start applying the configuration within a minute. For this configuration change, restarting the GitLab Runner process is not required.</p> Golang vulnerability CVE-2021-44717: don’t close fd 0 on ForkExec error</h2> All previous versions of GitLab Runner were susceptible to Golang security issue CVE-2021-44717: don’t close fd 0 on ForkExec error</a>, which could result in misdirected I/O such as writing network traffic intended for one connection to a different connection, or content intended for one file to a different one. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39947</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Temporary workaround</h3> A temporary workaround, in cases when GitLab Runner can't be updated immediately, would be to increase the file descriptor limit set for the runner process. However, this is dependent on how it's specifically configured and deployed.</p> Please keep in mind that updating the file descriptors limit requires restarting the runner process. To do that without interrupting any running jobs one should send a SIGQUIT</code> signal to the runner process. This will initiate a graceful shutdown, during which the runner will not accept any new jobs but will finish all the jobs that were already started before exiting.</p> The ability to determine the best value for the file descriptors limit will vary depending on the load that the runners are handling and their specific configuration. Setting the limit at 50 for each potential job that can run concurrently on the runner manager is a good starting point. However, to find the best value we highly recommend monitoring the runner process and the number of file descriptors that it uses and adjust as needed depending on the specific needs.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, find your installation method and steps for updating here</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Security Release: 14.5.2, 14.4.4, and 14.3.6 2021-12-06T00:00:00+00:00 Today we are releasing versions 14.5.2, 14.4.4, and 14.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Group members with developer role can escalate their privilege to maintainer on projects that they import</a></td> high</td> </tr> When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API</a></td> medium</td> </tr> Collision in access memoization leads to potential elevated privileges on groups and projects</a></td> medium</td> </tr> Project access token names are returned for unauthenticated requesters</a></td> medium</td> </tr> Sensitive info disclosure in logs</a></td> medium</td> </tr> Disclosure of a user's custom project and group templates</a></td> medium</td> </tr> ReDoS in Maven package version</a></td> medium</td> </tr> Potential denial of service via the Diff feature</a></td> medium</td> </tr> Regular Expression Denial of Service via user comments</a></td> medium</td> </tr> Service Desk email accessible by any project member</a></td> medium</td> </tr> Regular Expression Denial of Service via quick actions</a></td> medium</td> </tr> IDOR in "external status check" API leaks data about any status check on the instance</a></td> medium</td> </tr> Default branch name visible in public projects restricting access to the source code repository</a></td> low</td> </tr> Deploy token allows access to disabled project Wiki</a></td> low</td> </tr> Regular Expression Denial of Service via deploy Slash commands</a></td> low</td> </tr> Users can reply to Vulnerability Report discussions despite Only Project Members settings</a></td> low</td> </tr> Unauthorised deletion of protected branches</a></td> low</td> </tr> Author can approve Merge Request after having access revoked</a></td> low</td> </tr> HTML Injection via Swagger UI</a></td> low</td> </tr> </tbody> </table> Group members with developer role can escalate their privilege to maintainer on projects that they import</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A permissions validation flaw allowed group members with a developer role to elevate their privilege to a maintainer on projects they import. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N</code>, 7.1). It is now mitigated in the latest release and is assigned CVE-2021-39944</a>.</p> Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program.</p> When user registration is limited, external users that aren't developers shouldn't have access to the CI Lint API</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.5 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Unauthorized external users could perform Server Side Requests via the CI Lint API. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2021-39935</a>.</p> Thanks @minhli</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Collision in access memoization leads to potential elevated privileges on groups and projects</h2> A collision in access memoization logic in all versions of GitLab CE/EE before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, leads to potential elevated privileges in groups and projects under rare circumstances. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2021-39937</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Project access token names are returned for unauthenticated requesters</h2> Improper access control in the GraphQL API in GitLab CE/EE affecting all versions starting from 13.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to see the names of project access tokens on arbitrary projects. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39915</a>.</p> Thanks @joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Sensitive info disclosure in logs</h2> In all versions of GitLab CE/EE starting version 14.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, the reset password token and new user email token are accidentally logged which may lead to information disclosure. This is a medium severity issue (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2021-39919</a>.</p> This vulnerability was discovered internally by a member of the GitLab team.</p> Disclosure of a user's custom project and group templates</h2> Missing authorization in GitLab EE versions starting from 12.4 before 14.3.6, starting from 14.4.0 before 14.4.4, and starting from 14.5.0 before 14.5.2 allowed an attacker to access a user's custom project and group templates. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39930</a>.</p> Thanks @ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> ReDoS in Maven package version</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab Maven Package registry is vulnerable to a regular expression denial of service when a specifically crafted string is sent. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39940</a>.</p> Thanks @anyday</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Potential denial of service via the Diff feature</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.0 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Using large payloads, the diff feature could be used to trigger high load time for users reviewing code changes. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39932</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Regular Expression Denial of Service via user comments</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression used for handling user input (notes, comments, etc) was susceptible to catastrophic backtracking that could cause a DOS attack. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39933</a>.</p> Thanks @hashkitten</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Service Desk email accessible by any project member</h2> Improper access control allows any project member to retrieve the Service Desk email address in GitLab CE/EE versions starting from 12.10 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39934</a>.</p> Thanks @gratitude101</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular Expression Denial of Service via quick actions</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.9 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. A regular expression related to quick actions features was susceptible to catastrophic backtracking that could cause a DOS attack. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39917</a>.</p> Thanks @hashkitten</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> IDOR in "external status check" API leaks data about any status check on the instance</h2> Lack of an access control check in the External Status Check feature allowed any authenticated user to retrieve the configuration of any External Status Check in GitLab EE starting from 14.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39916</a>.</p> Thanks @joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Default branch name visible in public projects restricting access to the source code repository</h2> An information disclosure vulnerability in GitLab CE/EE versions 12.0 to 14.3.6, 14.4 to 14.4.4, and 14.5 to 14.5.2 allowed non-project members to see the default branch name for projects that restrict access to the repository to project members. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2021-39941</a>.</p> Thanks @ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Deploy token allows access to disabled project Wiki</h2> Improper access control in GitLab CE/EE affecting all versions starting from 10.7 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker in possession of a deploy token to access a project's disabled wiki. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2021-39936</a>.</p> Thanks @vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular Expression Denial of Service via deploy Slash commands</h2> A vulnerable regular expression pattern in GitLab CE/EE since version 8.15 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an attacker to cause uncontrolled resource consumption leading to Denial of Service via specially crafted deploy Slash commands. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39938</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Users can reply to Vulnerability Report discussions despite Only Project Members settings</h2> Incorrect Authorization in GitLab EE affecting all versions starting from 11.1 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows a user to add comments to a vulnerability which cannot be accessed. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39918</a>.</p> Thanks @wi11</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorised deletion of protected branches</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.11 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. Under specific condition an unauthorised project member was allowed to delete a protected branches due to a business logic error. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39931</a>.</p> Thanks @joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Author can approve Merge Request after having access revoked</h2> Improper access control in the GitLab CE/EE API affecting all versions starting from 9.4 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2, allows an author of a Merge Request to approve the Merge Request even after having their project access revoked. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2021-39945</a>.</p> Thanks @muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> HTML Injection via Swagger UI</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 14.3.6, all versions starting from 14.4 before 14.4.4, all versions starting from 14.5 before 14.5.2. GitLab was vulnerable to HTML Injection through the Swagger UI feature. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-39910</a>.</p> Thanks @kannthu</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Ruby</h2> The version of Ruby included in GitLab Omnibus has been updated to 2.7.5 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Update Rails</h2> The version of Rails included in GitLab Omnibus has been updated to 6.1.4.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 12.8 and later.</p> Update ncurses</h2> The version of ncurses included in GitLab Omnibus has been updated to 6.3 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Update libgcrypt</h2> The version of libgcrypt included in GitLab Omnibus has been updated to 1.9.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 10.3 and later.</p> Update mattermost</h2> The version of mattermost included in GitLab Omnibus versions 14.4.4 and 14.5.2 has been updated to 5.39.2 in order to mitigate security concerns. The version of mattermost included in GitLab Omnibus versions 14.3.6 has been updated to 5.38.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 14.1 and later.</p> Update graphql</h2> The version of graphql included in GitLab Omnibus has been updated to 1.11.10 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 8.11 and later.</p> Update mermaid</h2> The version of mermaid included in GitLab Omnibus has been updated to 8.13.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.4.3 2021-12-01T00:00:00+00:00 Today we are releasing version 14.4.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in October's 14.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix 2FA setup for LDAP users</a></li> Allow SSO callbacks through maintenance mode</a></li> Prevent Git operations from checking replication lag on non-Geo-secondary sites</a></li> Geo - Fix no repo error message for group-level wikis</a></li> Fix for hexadecimal branch deletion</a></li> Add praefect prometheus_exclude_database_from_default_metrics config value</a></li> Check validation only if new record of license</a></li> Wrap Sidekiq scheduler threads in Rails reloader</a></li> Materialize valid_primaries view </a></li> praefect: Backport separate endpoint for datastore collector</a></li> sql-migrate: Update storage_repositories table</a></li> datastore: Revert use of materialized views</a></li> list-untracked-repositories: Praefect sub-command to show untracked repositories</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.5.1 2021-12-01T00:00:00+00:00 Today we are releasing version 14.5.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Support Action Cable on GCP Memorystore</a></li> Fix the SSL_CERT_DIR logging on git operations</a></li> Fix for hexadecimal branch deletion</a></li> Check validation for license only if new record</a></li> Fix Google Memorystore support for Action Cable</a></li> catfile: Ensure structs are properly aligned in memory for 32-bit CPUs</a></li> praefect: Backport separate endpoint for datastore collector</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.3.5 2021-11-26T00:00:00+00:00 Today we are releasing version 14.3.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in September's 14.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Remove defaultAuthors from MR Analytics and VSA</a></li> Fix error 500 loading branch with UTF-8 characters with performance bar</a></li> Prevent Git operations from checking replication lag on non-Geo-secondary sites</a></li> Geo - Fix no repo error message for group-level wikis</a></li> Allow SSO callbacks through maintenance mode</a></li> Conditionally generate public_attributes.json</a></li> Downgrade grafana to the 7.x release branch</a></li> Fix URL for unzip v6.0 download</a></li> Add praefect prometheus_exclude_database_from_default_metrics config value</a></li> ubi8: Install Ruby binstubs for Gitaly gems</a></li> Update GitLab MailRoom to v0.0.14</a></li> Praefect: Backport separate endpoint for datastore collector</a></li> Materialize valid_primaries view</a></li> Fix for regression with Postgres 11 due to MATERIALIZED views</a></li> Backport praefect sub-commands to 14.3</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.2.7 2021-11-26T00:00:00+00:00 Today we are releasing version 14.2.7 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in August's 14.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Let non-members set confidential flag when creating an issue in public project</a></li> Geo: Reduce frequency of redownload attempts</a></li> Remove defaultAuthors from MR Analytics and VSA</a></li> Prevent Git operations from checking replication lag on non-Geo-secondary sites</a></li> Delay praefect database_no_proxy removals</a></li> Conditionally generate public_attributes.json</a></li> Fix URL for unzip v6.0 download</a></li> Add praefect prometheus_exclude_database_from_default_metrics config value</a></li> Symlink OpenSSL default cert file to Debian cert path</a></li> ubi8: Install Ruby binstubs for Gitaly gems</a></li> Update GitLab MailRoom to v0.0.14</a></li> Praefect: Backport separate endpoint for datastore collector</a></li> Materialize valid_primaries view</a></li> Fix for regression with Postgres 11 due to MATERIALIZED views</a></li> Backport praefect sub-commands to 14.2</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.5 released with infrastructure as code security scanning and group-level merge request approvals 2021-11-22T00:00:00+00:00 Today, we are thrilled to announce the release of GitLab 14.5 with infrastructure as code security scanning</a>, group-level merge request approvals settings</a>, Kubernetes Agent available in GitLab Free</a>, project topics</a>, and much more!</p> These are only a selection of highlights from the 40+ improvements in this release. Read on to check out all of the super updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.6 release kickoff video.</p> GitLab Patch Release: 14.1.8 2021-11-15T00:00:00+00:00 Today we are releasing version 14.1.8 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in July's 14.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Backport praefect sub-commands to 14.1</a></li> Geo: Reduce frequency of redownload attempts</a></li> Prevent Git operations from checking replication lag on non-Geo-secondary sites</a></li> Delay praefect database__no_proxy removals</a></li> Conditionally generate public_attributes.json</a></li> Update gitlab-mail_room to 0.0.14</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.4.2 2021-11-08T00:00:00+00:00 Today we are releasing version 14.4.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix focus mode on boards</a></li> Prevent Sidekiq size limiter middleware from running multiple times on the same job</a></li> Skip st_diff callback setting on LegacyDiffNote when importing</a></li> Create 14.4 What's New entry</a></li> Fix error 500 loading branch with UTF-8 characters with performance bar</a></li> Fix issue_metrics index creation error</a></li> Remove skip_legacy_diff_note_callback_on_import from legacy diff note</a></li> Document track-repository praefect subcommand</a></li> Skip retrying for reads on connection errors if primary only</a></li> Bump Go dependency to 1.16</a></li> Build and publish ARM64 AMIs</a></li> Fix URL for unzip v6.0 download</a></li> ubi8: Install Ruby binstubs for Gitaly gems</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.0.12 2021-11-05T00:00:00+00:00 Today we are releasing version 14.0.12 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in June's 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Backport praefect sub-commands to 14.0</a></li> Geo: Reduce frequency of redownload attempts</a></li> Conditionally generate public_attributes.json</a></li> Update gitlab-mail_room to 0.0.14</a></li> Allow nil for CI CD settings</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.15 2021-11-03T00:00:00+00:00 Today we are releasing version 13.12.15 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in 13.12's release</a>.</p> GitLab Community Edition and Enterprise Edition</h2> Geo: Reduce frequency of redownload attempts</a></li> Conditionally generate public_attributes.json</a></li> Update gitlab-mail_room to 0.0.14</a></li> Add new sub-command for Praefect to remove repository</a></li> Add new sub-command for Praefect to show untracked repositories</a></li> Add new sub-command for Praefect to show repositories that exist on disk but not in the database</a></li> Allow nil for remaining ci cd settings</a>)</li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.4.1, 14.3.4, and 14.2.6 2021-10-28T00:00:00+00:00 Today we are releasing versions 14.4.1, 14.3.4, and 14.2.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored XSS via ipynb files</a></td> high</td> </tr> Unicode characters can be abused to commit malicious code into projects without notice</a></td> medium</td> </tr> Pipeline schedules on imported projects can be set to automatically active after import</a></td> medium</td> </tr> Potential Denial of service via Workhorse</a></td> medium</td> </tr> Improper Access Control allows Merge Request creator to bypass locked status</a></td> medium</td> </tr> Projects API discloses ID and name of private groups</a></td> medium</td> </tr> Severity of an incident can be changed by a guest user</a></td> medium</td> </tr> System root password accidentally written to log file</a></td> medium</td> </tr> Potential DoS via a malformed TIFF image</a></td> medium</td> </tr> Bypass of CODEOWNERS Merge Request approval requirement</a></td> medium</td> </tr> Change project visibility to a restricted option</a></td> medium</td> </tr> Project exports leak external webhook token value</a></td> low</td> </tr> Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered</a></td> low</td> </tr> SCIM token is visible after creation</a></td> low</td> </tr> Regular expression denial of service issue when cleaning namespace path</a></td> low</td> </tr> Prevent creation of scopeless apps using applications API</a></td> low</td> </tr> Webhook data exposes assignee's private email address</a></td> low</td> </tr> </tbody> </table> Stored XSS via ipynb files</h2> Improper validation of ipynb files in GitLab CE/EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39906</a>.</p> Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p> Unicode characters can be abused to commit malicious code into projects without notice</h2> In all versions of GitLab CE/EE, certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39908</a>. The general attack vector was also assigned CVE-2021-42574</a> by the original researchers and is known as a "Trojan Source Attack".</p> Thanks @nickboucher for reporting this vulnerability through our HackerOne bug bounty program.</p> Pipeline schedules on imported projects can be set to automatically active after import</h2> In all versions of GitLab CE/EE since version 8.0, an attacker can set the pipeline schedules to be active in a project export so when an unsuspecting owner imports that project, pipelines are active by default on that project. Under specialized conditions, this may lead to information disclosure if the project is imported from an untrusted source. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L</code>, 6.0). It is now mitigated in the latest release and is assigned CVE-2021-39895</a>.</p> Thanks @justas_b for reporting this vulnerability through our HackerOne bug bounty program.</p> Potential Denial of service via Workhorse</h2> A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 13.7. The stripping of EXIF data from certain images resulted in high CPU usage. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39907</a>.</p> Thanks @ajxchapman for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper Access Control allows Merge Request creator to bypass locked status</h2> An Improper Access Control vulnerability in the GraphQL API in GitLab CE/EE since version 13.1 allows a Merge Request creator to resolve discussions and apply suggestions after a project owner has locked the Merge Request. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39904</a>.</p> Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p> Projects API discloses ID and name of private groups</h2> An information disclosure vulnerability in the GitLab CE/EE API since version 8.9.6 allows a user to see basic information on private groups that a public project has been shared with. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39905</a>.</p> Thanks @rafiem for reporting this vulnerability through our HackerOne bug bounty program.</p> Severity of an incident can be changed by a guest user</h2> Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39902</a>.</p> Thanks @cradlr for reporting this vulnerability through our HackerOne bug bounty program.</p> System root password accidentally written to log file</h2> Accidental logging of system root password in the migration log in all versions of GitLab CE/EE allows an attacker with local file system access to obtain system root-level privileges. This is a medium severity issue (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2021-39913</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Potential DoS via a malformed TIFF image</h2> A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 13.7. Using a malformed TIFF images was possible to trigger memory exhaustion. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39912</a>.</p> Thanks @haquaman for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypass of CODEOWNERS Merge Request approval requirement</h2> Lack of email address ownership verification in the CODEOWNERS feature in all versions of GitLab EE since version 11.3 allows an attacker to bypass CODEOWNERS Merge Request approval requirement under rare circumstances. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39909</a>.</p> Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p> Change project visibility to a restricted option</h2> In all versions of GitLab CE/EE since version 13.0, a low privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39903</a>.</p> Thanks @s4nderdevelopment for reporting this vulnerability through our HackerOne bug bounty program.</p> Project exports leak external webhook token value</h2> In all versions of GitLab CE/EE since version 10.6, a project export leaks the external webhook token value which may allow access to the project which it was exported from. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2021-39898</a>.</p> Thanks @xanbanx for reporting this vulnerability through our HackerOne bug bounty program.</p> Invited group members, with access inherited from parent group, continue to have project access even after invited subgroup is transfered</h2> Improper access control in GitLab CE/EE version 10.5 and above allowed subgroup members with inherited access to a project from a parent group to still have access even after the subgroup is transferred. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N</code>, 3.7). It is now mitigated in the latest release and is assigned CVE-2021-39897</a>.</p> Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> SCIM token is visible after creation</h2> In all versions of GitLab CE/EE since version 11.10, an admin of a group can see the SCIM token of that group by visiting a specific endpoint. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2021-39901</a>.</p> Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> Regular expression denial of service issue when cleaning namespace path</h2> A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39914</a>.</p> This vulnerability has been discovered internally by the GitLab team</p> Prevent creation of scopeless apps using applications API</h2> The application api in GitLab CE/EE version 10.5 and above allowed creation of scopeless apps. This is a low severity issue and is now mitigated in latest release.</p> This vulnerability has been discovered internally by the GitLab team</p> Webhook data exposes assignee's private email address</h2> An improper access control flaw in GitLab CE/EE since version 13.9 exposes private email address of Issue and Merge Requests assignee to Webhook data consumers. This is a low severity issue (CVSS:3.0/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 1.7). It is now mitigated in the latest release and is assigned CVE-2021-39911</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Update Redis</h2> The version of Redis included in GitLab Omnibus has been updated to 6.0.16 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Update OpenSSL</h2> The version of OpenSSL included in GitLab Omnibus has been updated to 1.1.1l in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Update Curl</h2> The version of Curl included in GitLab Omnibus has been updated to 7.79.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab 14.4 released with Scheduled DAST scans and Integrated error tracking 2021-10-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.4</code> with Scheduled DAST scans</a>, Integrated error tracking inside GitLab without a Sentry instance</a>, Remote Repositories for GitLab in Visual Studio Code</a>, DevOps Adoption trend graph</a>, GA for GitLab Operator</a> and much more!</p> These are just a few highlights from the 30+</code> improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.5 release kickoff video.</p> GitLab Patch Release: 14.3.3 2021-10-12T00:00:00+00:00 Today we are releasing version 14.3.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix dependency proxy image prefix</a></li> Drop taggings index if exists during migration</a></li> Fix 2FA setup for users with no password</a></li> Disable caching of MergeToRefService call in mergeability check</a></li> Delay praefect database_*_no_proxy removals</a></li> Update cacerts to 2021-09-30</a></li> Symlink OpenSSL default cert file to Debian cert path</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.3.2 2021-10-01T00:00:00+00:00 Today we are releasing version 14.3.2 GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 14.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add OR REPLACE when creating function</a></li> Top 7 Highlight items for 14.3</a></li> Update GitLab Shell to v13.21.1</a></li> Remove feature flag check for candece finder</a></li> Remove unexpected FK prior to swapping columns</a></li> Allow ee images to be skipped on CE pipelines</a></li> Bump kas to v14.3.3</a></li> </ul> Important notes on upgrading</h2> These versions do not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.3.1, 14.2.5, and 14.1.7 2021-09-30T00:00:00+00:00 Today we are releasing versions 14.3.1, 14.2.5, and 14.1.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored XSS in merge request creation page</a></td> high</td> </tr> Denial-of-service attack in Markdown parser</a></td> high</td> </tr> Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown</a></td> high</td> </tr> DNS Rebinding vulnerability in Gitea importer</a></td> medium</td> </tr> Exposure of trigger tokens on project exports</a></td> medium</td> </tr> Improper access control for users with expired password</a></td> medium</td> </tr> Access tokens are not cleared after impersonation</a></td> medium</td> </tr> Reflected Cross-Site Scripting in Jira Integration</a></td> medium</td> </tr> DNS Rebinding vulnerability in Fogbugz importer</a></td> medium</td> </tr> Access tokens persist after project deletion</a></td> medium</td> </tr> User enumeration vulnerability</a></td> medium</td> </tr> Potential DOS via API requests</a></td> medium</td> </tr> Pending invitations of public groups and public projects are visible to any user</a></td> medium</td> </tr> Bypass Disabled Repo by URL Project Creation</a></td> medium</td> </tr> Low privileged users can see names of the private groups shared in projects</a></td> medium</td> </tr> API discloses sensitive info to low privileged users</a></td> medium</td> </tr> Epic listing do not honour group memberships</a></td> medium</td> </tr> Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed</a></td> medium</td> </tr> Low privileged users can import users from projects that they they are not a maintainer on</a></td> medium</td> </tr> Potential DOS via dependencies API</a></td> medium</td> </tr> Create a project with unlimited repository size through malicious Project Import</a></td> medium</td> </tr> Bypass disabled Bitbucket Server import source project creation</a></td> medium</td> </tr> Requirement to enforce 2FA is not honored when using git commands</a></td> medium</td> </tr> Content spoofing vulnerability</a></td> medium</td> </tr> Improper session management in impersonation feature</a></td> low</td> </tr> Create OAuth application with arbitrary scopes through content spoofing</a></td> low</td> </tr> LDAP users can bypass 2FA and load certain pages with HTTP Basic Auth</a></td> low</td> </tr> Lack of account lockout on change password functionality</a></td> low</td> </tr> Epic reference was not updated while moved between groups</a></td> low</td> </tr> Missing authentication allows disabling of two-factor authentication</a></td> low</td> </tr> Information disclosure in SendEntry</a></td> low</td> </tr> </tbody> </table> Stored XSS in merge request creation page</h2> A Stored XSS in merge request creation page in Gitlab EE version 13.5 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious approval rule names. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-39885</a>.</p> Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial-of-service attack in Markdown parser</h2> A vulnerability was discovered in GitLab starting with version 12.2 that allows an attacker to cause uncontrolled resource consumption with a specially crafted file. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2021-39877</a>.</p> Thanks phill for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown</h2> A stored Cross-Site Scripting vulnerability in the GitLab Flavored Markdown in GitLab CE/EE version 8.4 and above allowed an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). It is now mitigated in the latest release and is assigned CVE-2021-39887</a>.</p> Thanks saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p> DNS Rebinding vulnerability in Gitea importer</h2> In all versions of GitLab CE/EE since version 8.15, a DNS rebinding vulnerability in Gitea Importer may be exploited by an attacker to trigger Server Side Request Forgery (SSRF) attacks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39867</a>.</p> This issue was found internally by a member of the GitLab team.</p> Exposure of trigger tokens on project exports</h2> In all versions of GitLab CE/EE since version 8.9, project exports may expose trigger tokens configured on that project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39869</a>.</p> Thanks @mishre for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper access control for users with expired password</h2> In all versions of GitLab CE/EE since version 14.1, an improper access control vulnerability allows users with expired password to still access GitLab through git and API through access tokens acquired before password expiration. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-39872</a>.</p> Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> Access tokens are not cleared after impersonation</h2> In all versions of GitLab CE/EE since version 8.0, access tokens created as part of admin's impersonation of a user are not cleared at the end of impersonation which may lead to unnecessary sensitive info disclosure. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 5.9). It is now mitigated in the latest release and is assigned CVE-2021-39891</a>.</p> This vulnerability was found internally by a member of the GitLab team.</p> Reflected Cross-Site Scripting in Jira Integration</h2> A stored Reflected Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.0 up to 14.3.1 allowed an attacker to execute arbitrary javascript code. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N</code>, 5.8). It is now mitigated in the latest release and is assigned CVE-2021-39878</a>.</p> Thanks ooooooo_q for reporting this vulnerability through our HackerOne bug bounty program.</p> DNS Rebinding vulnerability in Fogbugz importer</h2> In all versions of GitLab CE/EE since version 8.0, a DNS rebinding vulnerability exists in Fogbugz importer which may be used by attackers to exploit Server Side Request Forgery attacks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-39894</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Access tokens persist after project deletion</h2> A business logic error in the project deletion process in GitLab 13.6 and later allows persistent access via project access tokens. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-39866</a>.</p> Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> User enumeration vulnerability</h2> In all versions of GitLab CE/EE, provided a user ID, anonymous users can use a few endpoints to retrieve information about any GitLab user. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39882</a>.</p> This issue was found internally by a member of the GitLab team.</p> Potential DOS via API requests</h2> A potential DOS vulnerability was discovered in GitLab starting with version 9.1 that allowed parsing files without authorisation. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39893</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Pending invitations of public groups and public projects are visible to any user</h2> In all versions of GitLab CE/EE since version 13.6, it is possible to see pending invitations of any public group or public project by visiting an API endpoint. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-39875</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypass Disabled Repo by URL Project Creation</h2> In all versions of GitLab CE/EE since version 11.11, an instance that has the setting to disable Repo by URL import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39870</a>.</p> Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> Low privileged users can see names of the private groups shared in projects</h2> In all versions of GitLab EE since version 8.13, an endpoint discloses names of private groups that have access to a project to low privileged users that are part of that project. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39884</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> API discloses sensitive info to low privileged users</h2> In all versions of GitLab EE since version 13.10, a specific API endpoint may reveal details about a private group and other sensitive info inside issue and merge request templates. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39888</a>. Thanks @0xn3va for reporting this vulnerability through our HackerOne bug bounty program.</p> Epic listing do not honour group memberships</h2> Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39883</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Insecure Direct Object Reference vulnerability may lead to protected branch names getting disclosed</h2> In all versions of GitLab EE since version 14.1, due to an insecure direct object reference vulnerability, an endpoint may reveal the protected branch name to a malicious user who makes a crafted API call with the ID of the protected branch. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39889</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> Low privileged users can import users from projects that they they are not a maintainer on</h2> In all versions of GitLab CE/EE since version 12.0, a lower privileged user can import users from projects that they don't have a maintainer role on and disclose email addresses of those users. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39892</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> Potential DOS via dependencies API</h2> A potential DOS vulnerability was discovered in GitLab EE starting with version 12.6 due to lack of pagination in dependencies API. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22259</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Create a project with unlimited repository size through malicious Project Import</h2> In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39868</a>.</p> Thanks @ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> Bypass disabled Bitbucket Server import source project creation</h2> In all versions of GitLab CE/EE since version 13.0, an instance that has the setting to disable Bitbucket Server import enabled is bypassed by an attacker making a crafted API call. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39871</a>.</p> This issue was discovered internally by a member of the GitLab team.</p> Requirement to enforce 2FA is not honored when using git commands</h2> In all versions of GitLab CE/EE since version 11.0, the requirement to enforce 2FA is not honored when using git commands. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39874</a>.</p> Thanks @melar_dev for reporting this vulnerability through our HackerOne bug bounty program.</p> Content spoofing vulnerability</h2> In all versions of GitLab CE/EE, there exists a content spoofing vulnerability which may be leveraged by attackers to trick users into visiting a malicious website by spoofing the content in an error response. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-39873</a>.</p> Thanks @w00t1 for reporting this vulnerability through our HackerOne bug bounty program.</p> Improper session management in impersonation feature</h2> In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N</code>, 3.8). It is now mitigated in the latest release and is assigned CVE-2021-39896</a>.</p> This vulnerability was reported to GitLab by a customer.</p> Create OAuth application with arbitrary scopes through content spoofing</h2> In all versions of GitLab CE/EE since version 7.7, the application may let a malicious user create an OAuth client application with arbitrary scope names which may allow the malicious user to trick unsuspecting users to authorize the malicious client application using the spoofed scope name and description. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). It is now mitigated in the latest release and is assigned CVE-2021-39881</a>.</p> Thanks @executor for reporting this vulnerability through our HackerOne bug bounty program.</p> LDAP users can bypass 2FA and load certain pages with HTTP Basic Auth</h2> It was possible to bypass 2FA for LDAP users and access some specific pages with Basic Authentication in GitLab 14.1.1 and above. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-39890</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Lack of account lockout on change password functionality</h2> In all versions of GitLab CE/EE, an attacker with access to a user’s session may brute force the user’s password via the change password function. There is a rate limit in place, but the attack may still be conducted by splitting the attack over several IP addresses. This is a low severity issue (CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N</code>, 2.9). It is now mitigated in the latest release and is assigned CVE-2021-39899</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Epic reference was not updated while moved between groups</h2> Permissions rules were not applied while issues were moved between projects of the same group in GitLab versions starting with 10.6 and up to 14.1.7 allowing users to read confidential Epic references. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-39886</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Missing authentication allows disabling of two-factor authentication</h2> Missing authentication in all versions of GitLab CE/EE since version 7.11.0 allows an attacker with access to a victim's session to disable two-factor authentication. This is a low severity issue (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.2). It is now mitigated in the latest release and is assigned CVE-2021-39879</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Information disclosure in SendEntry</h2> Information disclosure from SendEntry in GitLab starting with 10.8 allowed exposure of full URL of artifacts stored in object-storage with a temporary availability via Rails logs. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N</code>, 2.0). It is now mitigated in the latest release and is assigned CVE-2021-39900</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.1.6 2021-09-27T00:00:00+00:00 Today we are releasing version 14.1.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Derive virtual storage's filesystem id from its name</a></li> Fix Elastic::MigrationWorker current_migration</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.0.11 2021-09-27T00:00:00+00:00 Today we are releasing version 14.0.11 GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Derive virtual storage's filesystem id from its name</a></li> Fix Elastic::MigrationWorker current_migration</a></li> </ul> Important notes on upgrading</h2> These versions do not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.3 releases Project Security Policies & Next Gen SAST 2021-09-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.3 with project-level security scan execution policies</a>, next generation SAST to reduce Ruby false positives</a>, group-level permissions for protected environments</a>, group access for the GitLab Agent for Kubernetes</a>, and much more!</p> These are just a few highlights from the 40+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.4 release kickoff video.</p> GitLab Patch Release: 13.12.12 2021-09-22T00:00:00+00:00 Today we are releasing version 13.12.12 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Derive virtual storage's filesystem id from its name</a></li> Allow Raspberry Pi builds on Graviton</a></li> Stop pinning versions of perl related packages in UBI images</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.2.4 2021-09-17T00:00:00+00:00 Today we are releasing version 14.2.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Removes cleanup job from Terraform.latest</a></li> Run AWS Release rake task only if on latest stable tag</a></li> Fix Elastic::MigrationWorker current_migration</a></li> Derive virtual storage's filesystem id from its name</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.0.10 and 14.1.5 2021-09-02T00:00:00+00:00 Today we are releasing versions 14.0.10 and 14.1.5 for GitLab Community Edition and Enterprise Edition.</p> These versions resolve a number of regressions and bugs in the 14.0</a> and 14.1</a> releases.</p> GitLab Community Edition and Enterprise Edition</h2> The main purpose of these two releases is to resolve high CPU usage by the Gitaly server</a>:</p> Only activate Git pack-objects hook if cache is enabled</a></li> Backport improved replication logic</a></li> </ul> Additionally, 14.1.5 includes the following fixes:</p> Geo: Replicate multi-arch containers</a></li> Run AWS Release rake task only if on latest stable tag</a></li> </ul> Important notes on upgrading</h2> These versions do not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.11 2021-09-02T00:00:00+00:00 Today we are releasing version 13.12.11 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> The main purpose of this release is to resolve high CPU usage by the Gitaly server</a>:</p> Only activate Git pack-objects hook if cache is enabled</a></li> Backport improved replication logic</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.2.3 2021-09-01T00:00:00+00:00 Today we are releasing version 14.2.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Geo: Replicate multi-arch containers</a></li> Reset severity_levels default</a></li> Create 14.2 In-app top 7 product highlights</a></li> Fix OrphanedInviteTokensCleanup migration</a></li> Fix Live Markdown Preview in personal and subgroup projects</a></li> Downgrade grpc from 1.38.0 to 1.30.2 for compatibility with older CPUs</a></li> Restore proper contents to toolbox ubi8 image</a></li> Only activate Git pack-objects hook if cache is enabled</a></li> </ul> Important notes on upgrading</h2> This version does include post deploy db migrations. For multi-node deployments, it should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.2.2, 14.1.4, and 14.0.9 2021-08-31T00:00:00+00:00 Today we are releasing versions 14.2.2, 14.1.4, and 14.0.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored XSS in DataDog Integration</a></td> high</td> </tr> Invited group members continue to have project access even after invited group is deleted</a></td> medium</td> </tr> Specially crafted requests to apollo_upload_server middleware leads to denial of service</a></td> medium</td> </tr> Privilege escalation of an external user through project token</a></td> medium</td> </tr> Missing access control allows non-admin users to add/remove Jira Connect Namespaces</a></td> medium</td> </tr> User enumeration on private instances</a></td> medium</td> </tr> Member e-mails can be revealed via project import/export feature</a></td> medium</td> </tr> Stored XSS in Jira integration</a></td> medium</td> </tr> Stored XSS in markdown via the Design reference</a></td> medium</td> </tr> </tbody> </table> Stored XSS in DataDog Integration</h2> A stored Cross-Site Scripting vulnerability in the DataDog integration in GitLab CE/EE version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf. This is a high severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 7.7). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program.</p> Invited group members continue to have project access even after invited group is deleted</h2> Under specialized conditions, an invited group member may continue to have access to a project even after the invited group, which the member was part of, is deleted. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 6.8). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability was discovered internally by the member of the GitLab team.</p> Specially crafted requests to apollo_upload_server middleware leads to denial of service</h2> A Denial Of Service vulnerability in the apollo_upload_server Ruby gem in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all users via specially crafted requests to the apollo_upload_server middleware. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks 0xn3va for reporting this vulnerability through our HackerOne bug bounty program.</p> Privilege escalation of an external user through project token</h2> A user account with 'external' status which is granted 'Maintainer' role on any project on the GitLab instance where 'project tokens' are allowed may elevate its privilege to 'Internal' and access Internal projects. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N</code>, 5.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks @joaxcar for reporting this vulnerability through our HackerOne bug bounty program.</p> Missing access control allows non-admin users to add/remove Jira Connect Namespaces</h2> Missing access control in GitLab version 13.10 and above with Jira Cloud integration enabled allows Jira users without administrative privileges to add and remove Jira Connect Namespaces via the GitLab.com for Jira Cloud application configuration page. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L</code>, 5.4). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks updatelap for reporting this vulnerability through our HackerOne bug bounty program.</p> User enumeration on private instances</h2> An issue has been discovered in GitLab affecting all versions starting from 14.0 before 14.0.9, all versions starting from 14.1 before 14.1.4, all versions starting from 14.2 before 14.2.2. The route for /user.keys is not restricted on instances with public visibility disabled. This allows user enumeration on such instances. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22257</a>.</p> GitLab would like to thank a customer who reported this issue.</p> Upgrade note: Please be aware that the fix for this finding makes the /:username.keys</code> and /api/v4/users/:id/keys</code> endpoints behave the same. The result is that these endpoints will not be publicly accessible when the restricted public visibility setting is enabled by the instance admin. This could result in some workflows breaking. In this situation, the solution would be to create a Personal Access Token with the read_user</code> scope.</p> Member e-mails can be revealed via project import/export feature</h2> The project import/export feature in GitLab 8.9 and greater could be used to obtain otherwise private email addresses. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22258</a>.</p> Thanks ngalog for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS in Jira integration</h2> A stored Cross-Site Scripting vulnerability in the Jira integration in GitLab version 13.7 and above allows an attacker to execute arbitrary JavaScript code on the victim's behalf via malicious Jira API responses. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N</code>, 4.0). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks thornguyen for reporting this vulnerability through our HackerOne bug bounty program.</p> Stored XSS in markdown via the Design reference</h2> An issue has been discovered in GitLab affecting all versions starting with 13.3. GitLab was vulnerable to a stored XSS by using the design feature in issues. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2021-22238</a>.</p> Thanks vakzz for reporting this vulnerability through our HackerOne bug bounty program.</p> Update cURL</h2> The version of cURL included in GitLab Omnibus has been updated to 7.77.0 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Update PostgreSQL</h2> The version of PostgreSQL that is bundled with GitLab Omnibus was updated to 12.7 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions of GitLab Omnibus</p> Patch nginx</h2> A patch was applied in GitLab Omnibus version 14.0.9 to mitigate a security concern related to nginx. Versions 14.1 and later already contain fixes for this security concern.</p> Versions affected</h3> Affects GitLab Omnibus 14.0 until 14.0.9</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.0.8 2021-08-26T00:00:00+00:00 Today we are releasing version 14.0.8 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in the 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Revert backfill on ci_build_trace_sections</a></li> Resolve "operator does not exist: integer[] || bigint in app/models/namespace/traversal_hierarchy.rb"</a></li> Fix Sidekiq workers delete each other's metrics</a></li> Geo 2.0 Regression - Add ability to remove primary</a></li> Backport fix for flaky spec to 14.0</a></li> </ul> Important notes on upgrading</h2> This version includes a post deploy migration. For multi-node deployments, it should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.2.1 2021-08-23T00:00:00+00:00 Today we are releasing version 14.2.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Adding upgrade messaging for PK migrations</a></li> Don't override vulnerability feedback UUID anymore</a></li> Reorder vulnerability check criteria</a></li> Fix "getAction is undefined" bug</a></li> Drop un-used db/ci_migrate symlink</a></li> Fix migration NameError in rails env helper</a></li> Bump Container Registry to v3.9.0-gitlab</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.2 released with the Build Cloud for macOS beta and Markdown preview 2021-08-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.2 with introduction of the Build Cloud for macOS beta</a>, Markdown preview</a>, expanded Gitpod integration</a>, new DevOps adoption metrics</a>, and much more!</p> These are just a few highlights of the 50+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.3 release kickoff video.</p> GitLab Patch Release: 14.1.3 2021-08-17T00:00:00+00:00 Today we are releasing version 14.1.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 14.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> AS Fix SAML SSO login redirects not working</a></li> Bump kas to v14.1.1</a></li> Resolve operator does not exist: integer[] || bigint in app/models/namespace/traversal_hierarchy.rb</code></a></li> Geo 2.0 Regression - Add ability to remove primary</a></li> Add AES256-GCM-SHA384 to allowed list of Nginx SSL ciphers</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.10 2021-08-10T00:00:00+00:00 Today we are releasing version 13.12.10 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in May's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Fix: Sidekiq workers delete each other's metrics</a></li> Do not create audit event for failed logins on read-only DB</a></li> Fix validation method regarding MIME type keys</a></li> Resolve "operator does not exist" in app/models/namespace/traversal_hierarchy.rb</a></li> gitlab-rails: checks/postgresql detect silent NoDatabaseError</a></li> Adding -ubi8 to version to find UBI images</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.1.2, 14.0.7, and 13.12.9 2021-08-03T00:00:00+00:00 Today we are releasing versions 14.1.2, 14.0.7, and 13.12.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Recommended Action</h3> We strongly recommend</strong> that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible</strong>.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stored XSS in Mermaid when viewing Markdown files</a></td> high</td> </tr> Stored XSS in default branch name</a></td> high</td> </tr> Perform Git actions with an impersonation token even if impersonation is disabled</a></td> medium</td> </tr> Tag and branch name confusion allows Developer to access protected CI variables</a></td> medium</td> </tr> New subscriptions generate OAuth tokens on an incorrect OAuth client application</a></td> medium</td> </tr> Ability to list and delete impersonation tokens for your own user</a></td> medium</td> </tr> Pipelines page is partially visible for users that have no right to see CI/CD</a></td> medium</td> </tr> Improper email validation on an invite URL</a></td> medium</td> </tr> Unauthorised user was able to add meta data upon issue creation</a></td> medium</td> </tr> Unauthorized user can trigger deployment to a protected environment</a></td> medium</td> </tr> Guest in private project can see CI/CD Analytics</a></td> medium</td> </tr> Guest users can create issues for Sentry errors and track their status</a></td> medium</td> </tr> Private user email disclosure via group invitation</a></td> medium</td> </tr> Projects are allowed to add members with email address domain that should be blocked by group settings</a></td> medium</td> </tr> Misleading username could lead to impersonation in using SSH Certificates</a></td> low</td> </tr> Unauthorized user is able to access and view project vulnerability reports</a></td> low</td> </tr> Denial of service in repository caused by malformed commit author</a></td> low</td> </tr> </tbody> </table> Stored XSS in Mermaid when viewing Markdown files</h2> Insufficient input sanitization in Mermaid markdown in GitLab CE/EE version 11.4 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted markdown. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-22242</a>.</p> Thanks @saleemrashid for reporting this vulnerability through our HackerOne bug bounty program.</p> Note</h3> Users will no longer be able to configure htmlLabels</code> setting in Mermaid charts.</p> Stored XSS in default branch name</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting via a specifically crafted default branch name. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N</code>, 8.7). It is now mitigated in the latest release and is assigned CVE-2021-22241</a>.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Perform Git actions with an impersonation token even if impersonation is disabled</h2> Under specialized conditions, GitLab may allow a user with an impersonation token to perform Git actions even if impersonation is disabled. This vulnerability is present in GitLab CE/EE versions before 13.12.9, 14.0.7, 14.1.2. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H</code>, 6.6). It is now mitigated in the latest release and is assigned CVE-2021-22237</a>.</p> GitLab would like to thank a customer who reported this issue.</p> Tag and branch name confusion allows Developer to access protected CI variables</h2> A confusion between tag and branch names in GitLab CE/EE affecting all versions since 13.7 allowed a Developer to access protected CI variables which should only be accessible to Maintainers. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-22252</a>.</p> Thanks @rodrigopetter for reporting this vulnerability through our HackerOne bug bounty program.</p> New subscriptions generate OAuth tokens on an incorrect OAuth client application</h2> Due to improper handling of OAuth client IDs, new subscriptions generated OAuth tokens on an incorrect OAuth client application. This vulnerability is present in GitLab CE/EE since version 14.1. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2021-22236</a>.</p> This vulnerability was found internally by the GitLab team.</p> Ability to list and delete impersonation tokens for your own user</h2> Improper authorization in GitLab CE/EE affecting all versions since 13.3 allowed users to view and delete impersonation tokens that administrations created for their account. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 5.4). It is now mitigated in the latest release and is assigned CVE-2021-22250</a>.</p> Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p> Pipelines page is partially visible for users that have no right to see CI/CD</h2> Improper authorization on the pipelines page in GitLab CE/EE affecting all versions since 13.12 allowed unauthorized users to view some pipeline information for public projects that have access to pipelines restricted to members only. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22248</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Improper email validation on an invite URL</h2> Under specialized conditions, GitLab CE/EE versions starting 7.10 may allow existing GitLab users to use an invite URL meant for another email address to gain access into a group. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2021-22243</a>.</p> This vulnerability was found internally by the GitLab team.</p> Unauthorised user was able to add meta data upon issue creation</h2> An unauthorized user was able to insert metadata when creating new issue on GitLab CE/EE 14.0 and later. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N</code>, 5.0). It is now mitigated in the latest release and is assigned CVE-2021-22239</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Unauthorized user can trigger deployment to a protected environment</h2> Improper authorization in GitLab EE affecting all versions since 13.4 allowed a user who previously had the necessary access to trigger deployments to protected environments under specific conditions after the access has been removed. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:L</code>, 4.9). It is now mitigated in the latest release and is assigned CVE-2021-22253</a>.</p> Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest in private project can see CI/CD Analytics</h2> Improper authorization in GitLab CE/EE affecting all versions since 13.0 allows guests in private projects to view CI/CD analytics. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22247</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> Guest users can create issues for Sentry errors and track their status</h2> Improper authorization in GitLab CE/EE affecting all versions since 12.6 allowed guest users to create issues for Sentry errors and track their status. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22256</a>.</p> Thanks @maruthi12 for reporting this vulnerability through our HackerOne bug bounty program.</p> Private user email disclosure via group invitation</h2> A verbose error message in GitLab EE affecting all versions since 12.2 could disclose the private email address of a user invited to a group. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22249</a>.</p> Thanks @jimeno for reporting this vulnerability through our HackerOne bug bounty program.</p> Projects are allowed to add members with email address domain that should be blocked by group settings</h2> Improper validation of invited users' email address in GitLab EE affecting all versions since 12.2 allowed projects to add members with email address domain that should be blocked by group settings. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22251</a>.</p> Thanks @ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program.</p> Misleading username could lead to impersonation in using SSH Certificates</h2> Under very specific conditions a user could be impersonated using Gitlab shell. This vulnerability affects GitLab CE/EE 13.1 and later through 14.1.2, 14.0.7 and 13.12.9. This is a low severity issue (CVSS:3.0/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-22254</a>.</p> Thanks ledz1996 for reporting this vulnerability through our HackerOne bug bounty program.</p> Unauthorized user is able to access and view project vulnerability reports</h2> Improper authorization in the vulnerability report feature in GitLab EE affecting all versions since 13.1 allowed a reporter to access vulnerability data. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-22244</a>.</p> Thanks @vaib25vicky for reporting this vulnerability through our HackerOne bug bounty program.</p> Denial of service in repository caused by malformed commit author</h2> Improper validation of commit author in GitLab CE/EE affecting all versions allowed an attacker to make several pages in a project impossible to view. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2021-22245</a>.</p> Thanks @stanlyoncm for reporting this vulnerability through our HackerOne bug bounty program.</p> Update Mattermost</h2> Mattermost has been upgraded to 5.35.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects GitLab Omnibus versions 13.10 and later</p> Update oauth ruby gem</h2> The oauth ruby gem has been upgraded to 0.5.6 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 10.6 and later</p> Update libgcrypt</h2> libgcrypt has been upgraded to 1.9.3 in order to mitigate security concerns.</p> Versions affected</h3> Affects all previous versions of GitLab Omnibus</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.1.1 2021-07-28T00:00:00+00:00 Today we are releasing version 14.1.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Extend RackAttack basic authentication detection for rate limiting</a></li> Enable bulk dismissal checkboxes on group vulnerability report"</a></li> Fix syntax highlighting inline background on darkmode</a></li> Fix: Sidekiq workers delete each other's metrics</a></li> Prevent terms from being created if blank</a></li> Remove backfill migration for ci_build_trace_sections</a></li> Geo: Fix snippet verification by replicating the HEAD ref</a></li> Remove securityScansSucceeded from DevOps adoption</a></li> Fix markdown in development docs</a></li> Fix deployer task</a></li> Don't ask users to upgrade to PG 13 yet</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.1 released with Helm Chart Registry and Escalation Policies 2021-07-22T00:00:00+00:00 Today, we are excited to announce the release of GitLab 14.1 with the ability to build, publish, and share Helm charts</a>, create escalation policies to page responders</a>, connect GitLab Runners to your Kubernetes clusters</a>, enforce code coverage decisions</a>, and much more!</p> These are just a few highlights from the 50+ improvements in this release. Read on to check out all of the great updates below.</p> To preview what's coming in next month’s release, check out our Upcoming Releases page</a>, which includes our 14.2 release kickoff video.</p> GitLab Patch Release: 14.0.6 2021-07-20T00:00:00+00:00 Today we are releasing version 14.0.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Replace Excon with Faraday for requesting object storage</a></li> Fix LFS objects not downloading with Bitbucket</a></li> Resolve "Terraform module usage instructions are incorrect"</a></li> Geo: Fix snippet verification by replicating the HEAD ref</a></li> Fix validation method regarding MIME type keys</a></li> coordinator: Fix repo creation/removal race for up-to-date secondaries for 14-0-stable</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 14.0.5 2021-07-08T00:00:00+00:00 Today we are releasing version 14.0.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Resolve "404 for package details link under Infrastructure Registry for projects nested under 2 group levels"</a></li> Resolve "Terraform module usage instructions are incorrect"</a></li> Add documentation for boards epic create</a></li> Initialize conversion of ci_builds_metadata.id for bigint migration</a></li> Fix git clone for projects with a trailing dot over HTTP</a></li> Do not create audit event for failed logins on read-only DB</a></li> Add prefix to autocomplete path</a></li> Return empty strings for Jira links when URL is not set</a></li> Fix libmagic not being able to find magic files</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 14.0.4, 13.12.8, and 13.11.7 2021-07-07T00:00:00+00:00 Today we are releasing versions 14.0.4, 13.12.8, and 13.11.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary file read via design feature</a></td> critical</td> </tr> </tbody> </table> Arbitrary file read via design feature</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.11, 13.12 and 14.0. A specially crafted design</a> allowed attackers to read arbitrary files on the server. This is a critical severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). It is now mitigated in the latest release and is assigned CVE-2021-22234</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.0.3 2021-07-06T00:00:00+00:00 Today we are releasing version 14.0.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Reintroduce recursive_approach_for_all_projects default-enabled</a></li> Fix pages deployment storage migration</a></li> Fix frequent items timestamps not updated</a></li> Fix bug where Milestone page led to console error</a></li> Fix broken Time Tracking Reports on Issuable sidebar</a></li> Geo - Fix state value in the lfs_object_registry table</a></li> Revert a 14.0 change in the deployments API</a></li> DevOps Adoption - ensure displayNamespaceId is included</a></li> Geo - Move migration to a pre-deployment migration</a></li> Run batched migrations on self-managed instances</a></li> Fix deploy keys not working with LFS auth check</a></li> Repository: Fix repo replication with transactions</a></li> Repository: Fix excessive voting in CreateRepositoryFromBundle</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.7 2021-07-05T00:00:00+00:00 Today we are releasing version 13.12.7 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Fix pages deployment storage migration</a></li> Reintroduce recursive_approach_for_all_projects default-enabled</a></li> Exempt unicorn['svlogd_prefix'] from deprecation check</a></li> Gitaly: fixes to issues with strong consistency/transactional voting</a></li> Geo - Fix state value in the lfs_object_registry table</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 14.0.2, 13.12.6, and 13.11.6 2021-07-01T00:00:00+00:00 Today we are releasing versions 14.0.2, 13.12.6, and 13.11.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> DoS using Webhook connections </a></td> high</td> </tr> CSRF on GraphQL API allows executing mutations through GET requests</a></td> high</td> </tr> Private projects information disclosure</a></td> medium</td> </tr> Single sign-on users not getting blocked</a></td> medium</td> </tr> Some users can push to Protected Branch with Deploy keys</a></td> medium</td> </tr> A deactivated user can access data through GraphQL</a></td> medium</td> </tr> Reflected XSS in release edit page</a></td> medium</td> </tr> Clipboard DOM-based XSS</a></td> medium</td> </tr> Stored XSS on Audit Log</a></td> medium</td> </tr> Forks of public projects by project members could leak codebase</a></td> medium</td> </tr> Improper text rendering</a></td> medium</td> </tr> HTML Injection in full name field</a></td> low</td> </tr> Denial of service of user profile page</a></td> medium</td> </tr> Update Nokogiri</a></td> low</td> </tr> Update Mattermost</a></td> medium</td> </tr> Update Redis</a></td> medium</td> </tr> Update Rdoc</a></td> medium</td> </tr> Update libxml2</a></td> medium</td> </tr> Update Rails gem</a></td> medium</td> </tr> </tbody> </table> DoS using Webhook connections</h2> A vulnerability was discovered in GitLab versions before 14.0.2, 13.12.6, 13.11.6. GitLab Webhook feature could be abused to perform denial of service attacks. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks afewgoats</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> CSRF on GraphQL API allows executing mutations through GET requests</h2> A cross-site request forgery vulnerability in the GraphQL API in GitLab since version 13.12 and before versions 13.12.6 and 14.0.2 allowed an attacker to call mutations as the victim. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N</code>, 7.1). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks az3z3l</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Private projects information disclosure</h2> An information disclosure vulnerability was found in GitLab EE versions 13.10 and later allowed a user to read project details. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks 0xn3va</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Single sign-on users not getting blocked</h2> Improper access control in GitLab EE before versions 13.11.6, 13.12.6, and 14.0.2 allowed users to be created via single sign on despite user cap being enabled. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N</code>, 4.2). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks bingomzan</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Some users can push to Protected Branch with Deploy keys</h2> Under certain conditions, some users were able to push to protected branches that were restricted to deploy keys in GitLab CE/EE since version 13.9. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N</code>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> A deactivated user can access data through GraphQL</h2> An issue has been discovered in GitLab affecting all versions. Improper access control allows unauthorised users to access project details using Graphql. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N</code>, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks joaxcar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Reflected XSS in release edit page</h2> A reflected cross-site scripting vulnerability in GitLab before versions 13.11.6, 13.12.6 and 14.0.2 allowed an attacker to send a malicious link to a victim and trigger actions on their behalf if they clicked it. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Clipboard DOM-based XSS</h2> Improper input sanitization in markdown in GitLab CE/EE version 13.11 and up allowed an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted input. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 4.7). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks vovohelofor</a> reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Stored XSS on Audit Log</h2> Client-Side code injection through Feature Flag name starting with GitLab CE/EE 11.9 allows a specially crafted feature flag name to PUT requests on behalf of other users via clicking on a link. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned CVE-2021-22223</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Forks of public projects by project members could leak codebase</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.8. Under a special condition it was possible to access data of an internal repository through project fork done by a project member. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Improper text rendering</h2> Improper text rendering while rendering merge requests could be exploited to submit malicious code. This vulnerability affects GitLab CE/EE 9.3 and later through 13.11.6, 13.12.6, and 14.0.2. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N</code>, 4.9). We have requested a CVE ID and will update this blog post when it is assigned.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> HTML Injection in full name field</h2> HTML injection was possible via the full name field before versions 13.11.6, 13.12.6, and 14.0.2 in GitLab CE. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 3.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks andor404</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Denial of service of user profile page</h2> A denial of service in user's profile page is found starting with GitLab CE/EE 8.0 that allows attacker to reject access to their profile page via using a specially crafted username. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:L/S:U/C:N/I:N/A:L</code>, 3.5). We have requested a CVE ID and will update this blog post when it is assigned.</p> Thanks maruthi12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Nokogiri</h2> Nokogiri has been upgraded to 1.11.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Mattermost</h2> Mattermost has been upgraded to 5.33.5 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 13.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Redis</h2> Redis has been upgraded to 6.0.14 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 13.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Rdoc</h2> Rdoc has been upgraded to 6.3.1 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update libxml2</h2> libxml2 has been upgraded to 2.9.11 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Rails gem</h2> The Rails gem has been upgraded to 6.0.3.7 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 14.0.1 2021-06-24T00:00:00+00:00 Today we are releasing version 14.0.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 14.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Update Geo UI screenshots in docs page</a></li> Update admin docs with new admin area access info</a></li> Add Helm-2to3.gitlab-ci.yml to Auto DevOps</a></li> Update docs for new Members page location on GitLab navigation</a></li> DevOps Adoption - ensure displayNamespaceId is included</a></li> Remove add button from Devops Adoption</a></li> Geo: Add Terraform Module to datatypes doc</a></li> Create 14.0 What's New entry</a></li> Toggle codequality diff annotations flag</a></li> Bump kas to v14.0.1</a></li> Exempt unicorn 'svlogd_prefix' from deprecation check</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 14.0 released with a celebration of GitLab 14 2021-06-22T00:00:00+00:00 When we think of everything released in the year since GitLab 13.0, we could not be more proud of our community and our team. This month, we celebrate our release of GitLab 14.0 by first taking a step back.</p> Together, we’ve made so much progress over the last year that we want to talk about everything it took to get to GitLab 14</a>.</p> We use semantic versioning so a point release, like 14.0, represents everything new in this month. GitLab 14 is the culmination of the past year. Even more than that, GitLab 14 represents the future of GitLab, and the future of DevOps.</p> With GitLab 14, teams of all sizes are moving from maintaining DIY DevOps toolchains to adopting modern DevOps. GitLab 14 is a complete DevOps platform with security embedded in its DNA, visibility and insights enabled by its single data store, and a seamless experience and extensible system, so end users and enterprises alike reap the benefits of speed and efficiency.</p> We’re so excited that we’ve written a post where you can read more about GitLab 14 and our vision for modern DevOps</a>, and how it enables any team to build and deliver software with velocity, visibility, and trust.</p> As ever, we are also excited about what’s new this month in 14.0. Read on for our regular highlights from dozens of significant new features and improvements. Along with these exciting new features, there are a few breaking changes in 14.0</a>. To preview what's coming in next month’s release, check out our Upcoming Releases</a> page, which includes our 14.1 release kickoff video.</p> GitLab Patch Release: 13.12.5 2021-06-21T00:00:00+00:00 Today we are releasing version 13.12.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Only update required instance ci template when the parameter is present</a></li> Fix Password expired error on git fetch via SSH for LDAP user</a></li> Advanced Search Settings page does not load if the ES url is unreachable</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.4 2021-06-14T00:00:00+00:00 Today we are releasing version 13.12.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Free, Premium, and Ultimate:</p> Fix double render in project's git URL redirect</a></li> Fix MR diff compare with previous version</a></li> Add alias method usage_ping_enabled?</a></li> Do not show Praefect deprecation if Praefect is disabled</a></li> Update Mattermost to 5.34.4</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.12.3 2021-06-07T00:00:00+00:00 Today we are releasing version 13.12.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix maven & gradle examples in the docs, enabling line-by-line display of test coverage in merge requests out-of-the-box (for java & kotlin)</a></li> Fix issue with frames not loading in Safari</a></li> Improve SSH key expiration warning emails</a></li> Add an option to expose description_html</code> in Release API [RUN ALL RSPEC] [RUN AS-IF-FOSS]</a></li> Fix CSP issues related to captchas</a></li> Set CSP back to disabled by default</a></li> Fix referrer option passed to Akismet client</a></li> Fix passing environment variables for migrations</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 2021-06-01T00:00:00+00:00 Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Additional notes</h2> In GitLab 13.10 the CI Lint API started requiring authentication</a> for GitLab instances where registration is disabled. Starting with this release, the CI Lint API endpoint will also require authentication when registration is limited (for example where an email domain allowlist is configured).</p> This version also includes a data migration to fix some records with incorrect data that causes 2FA to not be enforced for some users even if they are members of groups that require it. The root cause for the issue was already fixed but some records created before the fix need to be corrected. The migration is a background migration that will be scheduled in batches of 10,000 users at two minute intervals.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Stealing GitLab OAuth access tokens using XSLeaks in Safari</a></td> high</td> </tr> Denial of service through recursive triggered pipelines</a></td> high</td> </tr> Unauthenticated CI lint API may lead to information disclosure and SSRF</a></td> medium</td> </tr> Server-side DoS through rendering crafted Markdown documents</a></td> medium</td> </tr> Issue and merge request length limit is not being enforced</a></td> medium</td> </tr> Insufficient Expired Password Validation</a></td> medium</td> </tr> XSS in blob viewer of notebooks</a></td> medium</td> </tr> Logging of Sensitive Information</a></td> medium</td> </tr> On-call rotation information exposed when removing a member</a></td> low</td> </tr> Spoofing commit author for signed commits</a></td> low</td> </tr> </tbody> </table> Stealing GitLab OAuth access tokens using XSLeaks in Safari</h2> A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</code>, 8.8). It is now mitigated in the latest release and is assigned CVE-2021-22213</a>.</p> Thanks hubblebubble for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Denial of service through recursive triggered pipelines</h2> A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allows an attacker to create a recursive pipeline relationship and exhaust resources. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H</code>, 7.7). It is now mitigated in the latest release and is assigned CVE-2021-22181</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Unauthenticated CI lint API may lead to information disclosure and SSRF</h2> When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is limited. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2021-22214</a>.</p> Thanks @myster</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Server-side DoS through rendering crafted Markdown documents</h2> A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-22217</a>.</p> Thanks phli for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Issue and merge request length limit is not being enforced</h2> A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allows an attacker to cause uncontrolled resource consumption with a very long issue or merge request description. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-22216</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Insufficient Expired Password Validation</h2> An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, all versions starting from 13.12.0 before 13.12.2. Insufficient expired password validation in various operations allow user to maintain limited access after their password expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</code>, 6.5). It is now mitigated in the latest release and is assigned CVE-2021-22221</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> XSS in blob viewer of notebooks</h2> An issue has been discovered in GitLab affecting all versions starting with 13.10. GitLab was vulnerable to a stored XSS in blob viewer of notebooks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</code>, 6.1). It is now mitigated in the latest release and is assigned CVE-2021-22220</a>.</p> Thanks (@yvvdwf)[https://hackerone.com/yvvdwf] for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Logging of Sensitive Information</h2> GitLab CE/EE since version 9.5 allows a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N</code>, 4.4). It is now mitigated in the latest release and is assigned CVE-2021-22219</a>.</p> This vulnerability has been discovered internally by the GitLab team https://gitlab.com/dcouture.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> On-call rotation information exposed when removing a member</h2> An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about the members' on-call rotations in other projects. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N</code>, 2.7). It is now mitigated in the latest release and is assigned CVE-2021-22215</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Spoofing commit author for signed commits</h2> All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof author of signed commits. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N</code>, 2.6). It is now mitigated in the latest release and is assigned CVE-2021-22218</a>.</p> Thanks subbotin for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Enable qsh verification for Atlassian Connect</h2> qsh verification has been enabled for Atlassian Connect to address a breaking change in the Atlassian Connect API.</p> If you are using Jira Connect with a self-managed instance you need to update to these latest security releases before June 7th. If you are on GitLab.com, you do not need to do anything. For more details see this GitLab issue</a>.</p> Versions affected</h3> Affects all versions of GitLab.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update bindata dependency</h2> The dependency on bindata has been upgraded to 2.4.10 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 12.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update grafana dependency</h2> The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 13.11, 13.10 and 13.9.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive release notifications via RSS, subscribe to our security release RSS feed</a> or our RSS feed for all releases</a>.</p> GitLab Patch Release: 13.12.1 2021-05-25T00:00:00+00:00 Today we are releasing version 13.12.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.12 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add deprecation notice for implicit grant flow</a></li> Fix pipeline security tab scanner filter not working</a></li> Fix the Create new cluster feature</a></li> Handle nil Content-Type in Service Desk emails</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.12 released with On-Demand DAST and Deployment Frequency Chart 2021-05-22T00:00:00+00:00 This month, we are excited to introduce usability and pipeline management improvements that strive to make your teams more productive, updates to make your deployments more secure, and insights to make your DevOps adoption more mature. These are just a few highlights from the 44 improvements</strong> in this release.</p> Helping you manage security before it manages you</h2> To ensure your production environment is always secure, On-demand DAST scanning</a> is now generally available for all GitLab Ultimate customers. These on-demand scans will allow you to scan an already deployed application or API in any of your configured environments outside of a CI/CD pipeline i.e., without requiring any code changes or merge requests to start a scan.</p> The Semgrep SAST analyzer</a> for JavaScript, TypeScript, and Python is also generally available. Semgrep's flexible rule syntax is ideal for streamlining the GitLab Custom Rulesets</a> feature for extending and modifying detection rules, a popular request from GitLab SAST customers. It also allows GitLab customers access to Semgrep's community rules. Thanks to the community contribution from @proletarius101</a>, we are also extending the Mobile Application Security Testing</a> to support .ipa</code> (iOS) and .apk</code> (Android) binary files, in addition to Xcode projects and Android manifest files that are already supported.</p> Many customers integrate their existing scanners into GitLab to benefit from a unified view. The Project Vulnerability Report now gives you the ability to filter by scanner and vendor</a>, allowing you to filter scan results for only third-party scanners or for all scanners including those from GitLab.</p> Application Security is a key focus area for GitLab for this year and your feedback is important to us. As the preference of web application development shifts rapidly towards building JavaScript-heavy and single-page applications, we have identified a need for a purpose built tool that provides more application testing coverage than a traditional proxy based crawler. We are inviting GitLab Ultimate customers to a public beta for a new browser-based crawler for DAST</a> which is expected to provide significantly better security testing coverage for these modern applications compared to our current proxy-based crawler.</p> Easier pipeline management for enhanced usability</h2> Pipelines are at the heart of our customers' CI/CD success, and we want to make it easier to use for new and experienced users of GitLab. The pipeline editor will now come with a collapsible panel of guided instructions</a> that will help new CI/CD users create their first pipeline in a breeze.</p> For experienced CI/CD users that require more flexibility in creating their pipelines, we are now supporting wildcards in the include:</code> keyword</a> that will help you break your .gitlab-ci.yml</code> file into multiple smaller files to improve reusability and readability. We also introduced the ability to define variables within rules</a>, giving you the flexibility to set pipeline variables when certain conditions are met. Defining complex pipelines means there could be dependencies between jobs. The pipeline graph now shows dependencies between jobs</a>, which is helpful to visually track and understand the expected order in which the jobs will be run.</p> Insights to improve your DevOps maturity</h2> You cannot fix what you cannot measure. In that spirit, we are continuing to natively support DORA4 metrics. We are happy to announce the introduction of a group-level deployment frequency chart</a>, which will help you understand the efficiency of your deployments over time, find bottlenecks, and focus on improvement areas that span across your projects and teams.</p> Value stream analytics help you identify inefficiencies and identify the root cause of those inefficiencies in your workflow. In 13.12, we have introduced pagination and sorting of workflow items</a>, which allows you to easily visualize and sort items in a specific stage to pinpoint bottlenecks. The Days to Completion chart</a> has been updated to show the average time to completion</a>, which helps identify meaningful trends over time.</p> In this release, thanks to the community contribution from @leetickett</a>, we introduced the ability to view a time tracking report</a> within an individual issue or merge request to provide visibility into how much time each contributor spent.</p> For many of our customers, merge requests are the central space for collaboration. We have introduced the ability to see code quality violations</a> and screenshots of failed tests</a> within the merge request to give you necessary context as a part of your normal workflow within GitLab.</p> And so much more!</h2> We continue to invest in improving the product usability in every release. Some of our favorite quality of life improvements in 13.12 include:</p> Users' group counts now displayed in Admin Area</a></li> Bring your own Elastic Stack</a></li> Create incidents via API</a></li> Warn administrator when removing an on-call user</a></li> Deleting deploy keys will inform the user if in use</a></li> </ul> Read on for more features, performance enhancements and changes! To preview what's coming in next month’s release, check out our Upcoming Releases</a> page and our 14.0 release kickoff video</a>.</p> GitLab Patch Release: 13.11.4 2021-05-14T00:00:00+00:00 Today we are releasing version 13.11.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.11 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix N+1 SQL queries in PipelinesController#show</a></li> Omit trailing slash when proxying pre-authorized routes with no suffix</a></li> Omit trailing slash when checking allowed requests in the read-only middleware</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.11.3 2021-04-30T00:00:00+00:00 Today we are releasing version 13.11.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.11 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix broken build job for Auto DevOps</a></li> Fix Instance-level Project Integration Management page for GitLab FOSS</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.11.2, 13.10.4, and 13.9.7 2021-04-28T00:00:00+00:00 Today we are releasing versions 13.11.2, 13.10.4, and 13.9.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Read API scoped tokens can execute mutations</a></td> high</td> </tr> Pull mirror credentials are exposed</a></td> medium</td> </tr> Denial of Service when querying repository branches API</a></td> medium</td> </tr> Non-owners can set system_note_timestamp when creating / updating issues</a></td> medium</td> </tr> DeployToken will impersonate a User with the same ID when using Dependency Proxy</a></td> low</td> </tr> Update Python dependency</a></td> Dependency Update - critical</td> </tr> Update Redis dependency</a></td> Dependency Update - high</td> </tr> Update carrierwave gem</a></td> Dependency Update - high</td> </tr> Update Mermaid npm package</a></td> Dependency Update - high</td> </tr> </tbody> </table> Read API scoped tokens can execute mutations</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</code>, 7.5). It is now mitigated in the latest release and is assigned CVE-2021-22209</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Pull mirror credentials were exposed</h2> An issue has been discovered in GitLab affecting all versions starting from 11.6. Pull mirror credentials were exposed and could allow other maintainers to view the credentials in plain-text. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N</code>, 6.8). It is now mitigated in the latest release and is assigned CVE-2021-22206</a>.</p> Thanks jlneel</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Denial of Service when querying repository branches API</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2. When querying the repository branches through API, GitLab was ignoring a query parameter and returning a considerable amount of results. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22210</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Non-owners can set system_note_timestamp when creating / updating issues</h2> An issue has been discovered in GitLab affecting versions prior to 13.5. Improper permission check could allow the change of timestamp for issue creation or update. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22208</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> DeployToken will impersonate a User with the same ID when using Dependency Proxy</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7. GitLab Dependency Proxy, under certain circumstances, can impersonate a user resulting in possibly incorrect access handling. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 3.1). It is now mitigated in the latest release and is assigned CVE-2021-22211</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Python dependency</h2> The dependency on Python has been upgraded to 3.7.10 in order to mitigate security concerns.</p> Versions affected</h3> Affects Omnibus versions 12.0 and later.</p> Update Redis dependency</h2> The dependency on Redis has been upgraded to 6.0.12 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 12.7 and later.</p> Update carrierwave gem</h2> The carrierwave gem has been upgraded to 1.3.2 in order to mitigate security concerns.</p> Versions affected</h3> Affects all versions.</p> Update Mermaid npm package</h2> The Mermaid npm package has been upgraded to 8.9.2 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 13.9 and later.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.11.1 2021-04-23T00:00:00+00:00 Today we are releasing version 13.11.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.11 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Change unsubscribe language for email campaign</a></li> Remove legacy storage key from notification check</a></li> Documentation about Pages Deployment migration</a></li> Fix DAST_AUTH_VERIFICATION_URL docs</a></li> Fix Geo replication for incident metrics uploads</a></li> Fix zero count of vulnerability severity count</a></li> Add docs about project upload API size enforcement</a></li> Fix Rake command for Pages deploys to object storage</a></li> Change search string that does not return results</a></li> Bump gitlab-exporter to 10.2.0 (fixes Puma crash)</a></li> Update git vendor to gitlab</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.11 released with Kubernetes Agent and Pipeline Compliance 2021-04-22T00:00:00+00:00 On this Earth Day we are thinking about growth. Our customers are scaling their DevOps practices and with growth comes the need for even greater efficiencies and automated controls. The GitLab Agent for Kubernetes</a> is now available on GitLab.com to help you benefit from fast, pull-based deployments to your cluster, while GitLab.com manages the necessary server-side components of the Agent. Compliant Pipeline Configurations</a> let you define enforceable pipelines that will run for any project assigned a corresponding compliance framework, even custom ones</a>. We also have a host of features to improve pipeline efficiency and measurement, to provide On-call Scheduling</a>, and even more security enhancements. These are just a few of the 50+ significant new features and improvements in this release.</p> Controls to help you grow safely and efficiently</h2> Controls can keep your automation on track as you grow and scale while simplifying compliance efforts. The GitLab Agent for Kubernetes</a> is core to GitLab's Kubernetes integrations and is now available on GitLab.com</a>. The Agent-based integration supports pull-based deployments which are preferred by security and quickly becoming a popular method for Kubernetes deployment practices. The agent also supports Network Security policy integration and alerts which enables fine-tuned RBAC controls within your clusters. Compliant Pipeline Configurations</a> let you enforce a higher degree of separation of duties and reduce your business risks by defining enforceable pipelines that will run for any project assigned a corresponding compliance framework. At the same time, Custom Compliance Framework Labels</a> allow you to use your own requirements beyond the usual ones like PCI, HIPPA and such. The new Admin Mode</a> increases security and control of your GitLab instance by requiring admin users to reverify their credentials before running administrative commands. Audit reports are easier now too with a new export</a> feature in your self-managed GitLab instance to see, all in one place, what groups, subgroups, and projects users have access to.</p> Speedier pipelines</h2> “Speedy, reliable pipelines” is one of our core product themes</a>, and we’ve delivered on that promise this month with a host of pipeline improvements.</p> The Pipeline Editor</a> helps you get to work even faster and stay more productive once you begin. The new Empty State</a> enhancement will allow new users to begin working with the pipeline editor on a new, blank pipeline file without having to create a config file first. The ability to configure multiple cache keys in a single job</a> will help you increase your pipeline performance and you can measure these improvements from the CI/CD dashboard, where a new DORA 4 graph</a> will show lead time for changes via time for code to be committed and deployed to production. As a related note, metrics on DevOps Adoption</a> are now available at the group level allowing users to understand how GitLab's DevOps capabilities are being adopted.</p> Securing your software supply chain</h2> Security pros will be happy to see the addition of the Semgrep flexible rule syntax</a> to extend and modify custom detection rules, a popular request from GitLab SAST customers. We've also added support for custom certificates</a> and email alerts for key expirations</a>. You can now improve your security posture by enforcing SAML for Git activity</a>. The new On-call Schedule Management</a> routes alerts received in GitLab to the on-call engineer in the schedule for that project. This will be particularly helpful as we mature our security alerts in the future</a>, providing a valuable incident management capability with end-to-end visibility across the entire DevOps process.</p> Read on for more features, performance enhancements and changes! To preview what's coming in next month’s release, check out our Upcoming Releases</a> page and our 13.12 release kickoff</a> video.</p> GitLab Critical Security Release: 13.10.3, 13.9.6, and 13.8.8 2021-04-14T00:00:00+00:00 Today we are releasing versions 13.10.3, 13.9.6, and 13.8.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc secu rity releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, t he issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Remote code execution when uploading specially crafted image files</a></td> critical</td> </tr> Update Rexml</a></td> Dependency update - critical</td> </tr> </tbody> </table> Remote code execution when uploading specially crafted image files</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.9. GitLab was not properly validating image files that is passed to a file parser which resulted in a remote command execution. This is a critical severity issue (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2021-22205</a>.</p> Thanks vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update Rexml</h2> The Rexml ruby gem was upgraded to version 3.2.5 in order to mitigate CVE-2021-28965</a>.</p> Versions affected</h3> Affects versions 7.12 and later.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.10.2 2021-04-01T00:00:00+00:00 Today we are releasing version 13.10.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.10 release</a>.</p> GitLab Community Edition and Enterprise Edition</h2> Fixes the old emoji menu showing a undefined category</a></li> Added frequently used emojis to new picker</a></li> Improve performance for composer v2 clients</a></li> Epic boards documentation</a></li> Remove incorrect and misleading statement in SAST documentation</a></li> Document configuring external KAS with GitLab</a></li> Create 13.10 What's New entry</a></li> Remove admin mode entry from What's New</a></li> Fix Deploy Keys text in What's New</a></li> Fix epic boards tier in docs</a></li> Fixed rendering of the image blobs</a></li> Revert "Fix long polling to default to 50 s instead of 50 ns"</a></li> Update gitlab-org/gitlab-exporter from 10.0.0 to 10.1.0</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.10.1, 13.9.5, and 13.8.7 2021-03-31T00:00:00+00:00 Today we are releasing versions 13.10.1, 13.9.5, and 13.8.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Arbitrary File Read During Project Import</a></td> critical</td> </tr> Kroki Arbitrary File Read/Write</a></td> high</td> </tr> Stored Cross-Site-Scripting in merge requests</a></td> medium</td> </tr> Access data of an internal project through a public project fork as an anonymous user</a></td> medium</td> </tr> Incident metric images can be deleted by any user</a></td> medium</td> </tr> Infinite Loop When a User Access a Merge Request</a></td> low</td> </tr> Stored XSS in scoped labels</a></td> low</td> </tr> Admin CSRF in System Hooks Execution Through API</a></td> low</td> </tr> Update OpenSSL dependency</a></td> Dependency update - high</td> </tr> Update PostgreSQL dependency</a></td> Dependency update - medium</td> </tr> </tbody> </table> Arbitrary File Read During Project Import</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.9. A specially crafted import file could read files on the server. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N</code>, 9.6). This issue is now mitigated in the latest release and is assigned CVE-2021-22201</a>.</p> Thanks saltyyolk</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Kroki Arbitrary File Read/Write</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 13.7.9. A specially crafted Wiki page allowed attackers to read arbitrary files on the server. This is a high severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N</code>, 7.5). This issue is now mitigated in the latest release and is assigned CVE-2021-22203</a>.</p> Thanks @ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Stored Cross-Site-Scripting in merge requests</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4. It was possible to exploit a stored cross-site-scripting in merge request via a specifically crafted branch name. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N</code>, 6.3). This issue is now mitigated in the latest release and is assigned CVE-2021-22196</a>.</p> Thanks @yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Access data of an internal project through a public project fork as an anonymous user</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting with 12.6. Under a special condition it was possible to access data of an internal repository through a public project fork as an anonymous user. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 5.9). This issue is now mitigated in the latest release and is assigned CVE-2021-22200</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Incident metric images can be deleted by any user</h2> An issue has been discovered in GitLab CE/EE affecting all versions from 13.8 and above allowing an authenticated user to delete incident metric images of public projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N</code>, 4.3). This issue is now mitigated in the latest release and is assigned CVE-2021-22198</a>.</p> Thanks @ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Infinite Loop When a User Access a Merge Request</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 10.6 where an infinite loop exist when an authenticated user with specific rights access a MR having source and target branch pointing to each other. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L</code>, 3.5). This issue is now mitigated in the latest release and is assigned CVE-2021-22197</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Stored XSS in scoped labels</h2> An issue has been discovered in GitLab affecting all versions starting with 12.9. GitLab was vulnerable to a stored XSS if scoped labels were used. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N</code>, 3.5). This issue is now mitigated in the latest release and is assigned CVE-2021-22199</a>.</p> Thanks mike12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Admin CSRF in System Hooks Execution Through API</h2> An issue has been discovered in GitLab CE/EE affecting all previous versions. If the victim is an admin, it was possible to issue a CSRF in System hooks through the API. This is a low severity issue (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N</code>, 2.4). This issue is now mitigated in the latest release and is assigned CVE-2021-22202</a>.</p> Thanks @mishre</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update OpenSSL dependency</h2> The dependency on OpenSSL has been upgraded to 1.1.1j in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 13.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update PostgreSQL dependency</h2> The dependency on PostgreSQL 11 and 12 has been upgraded to 11.11 and 12.6 in order to mitigate security concerns.</p> Versions affected</h3> Affects versions 9.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab 13.10 released with Admin Enhancements and Vulnerability Management 2021-03-22T00:00:00+00:00 GitLab 13.10 is now available! This month, we’ve focused on scalability and manageability across the product so you can iterate and innovate faster, with greater security and fewer headaches. 13.10 offers administrative enhancements to help scale DevOps in your org, Geo package integrity verification to improve Disaster Recovery, vulnerability management automation to apply efficiency and consistency to security processes, and—as always—a ton of fantastic contributions from the wider community. These are just a few of the 40+ new features and improvements</strong> in this release.</p> Scaling DevOps</h2> Managing a growing DevOps org is challenging. GitLab 13.10 introduces several new features to automate routine tasks, boost your efficiency, and grow DevOps within the organization without losing control. We’ve leveled up support for DORA metrics with a new API to track lead time for changes (via merge requests)</a> on the project level, as well as Deployment Frequency metrics via API at the group level</a>, so you can track and identify blockers across a portfolio of projects.</p> When issues do</em> arise, we've added tools to help you integrate and manage alerts from multiple monitoring solutions</a>. 13.10 also enhances disaster recovery (DR) for customers using GitLab Geo by automatically verifying the data integrity of replicated Package Registries</a> and replicating group wikis</a>. And finally, we're extremely excited to announce General Availability of GitLab Runner Operator on Red Hat OpenShift</a>, bringing GitLab to even more platforms!</p> Scaling Vulnerability Management</h2> In 13.10, our security team has focused on reducing the overhead of managing and sharing vulnerabilities. Bulk Status Updates</a> allow security teams to modify the status of multiple vulnerabilities simultaneously. To help you identify and triage relevant information quickly, we've introduced clickable file and line number links</a> in vulnerability reports that will deep-link you directly to relevant vulnerability details. We've also enhanced the interactivity of the vulnerability trends chart to make it easier to find and share information.</a></p> Wider community contribution highlights</h2> Every month we receive hundreds of contributions from the wider community, and in addition to this month's MVP</a>, we'd like to show our appreciation to a few of our many outstanding contributors.</p> Ongoing thanks to Yogi</a> for dozens of contributions to 13.10, as well as months of amazingly consistent contributions and throughput. You are an example of iteration</a> in action, and you continue to tackle challenges with boring solutions</a> that deliver amazing results!</p> Thank you, Daniel Schömer</a> for your iterations toward a more consistent UX in project settings</a>!</p> Thanks to Felix Haase</a> for his work on cloning projects from within Visual Studio Code</a>!</p> Thank you to @KevSlashNull</a> for his work enabling one-click opening of projects in VS Code</a>!</p> GitLab is a DevOps platform, and a huge reason for that is you. We're a community, and in 13.10 alone we enjoyed over 250 merged wider community contributions</a>. Selecting one MVP wasn't easy; thank you all for your professionalism and hard work.</p> And so much more!</h2> Some of our favorite quality of life improvements in 13.10 include:</p> Dozens of quality of life usability improvements</a></li> Search for and autocomplete by full name in mentions in comments</a></li> Automatically retarget merge requests</a></li> Horizontal navigation for Value Stream Analytics</a></li> </ul> Read on for more features, performance enhancements and changes! To preview what's coming in next month’s release, check out our Upcoming Releases</a> page and our 13.11 release kickoff video</a>.</p> GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9 2021-03-17T00:00:00+00:00 Today we are releasing versions 13.9.4, 13.8.6, and 13.7.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Table of Fixes</h2> Title</th> Severity</th> </tr> </thead> Remote code execution via unsafe user-controlled markdown rendering options</a></td> critical</td> </tr> </tbody> </table> Remote code execution via unsafe user-controlled markdown rendering options</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorised authenticated users to execute arbitrary code on the server. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H</code>, 9.9). It is now mitigated in the latest release and is assigned CVE-2021-22192</a>.</p> Thanks @vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.9.3 2021-03-08T00:00:00+00:00 Today we are releasing version 13.9.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Upgrade gitlab-shell to v13.17.0</a></li> Use new temp index for backfilling artifact expiry</a></li> Fix disabling of Kroki optional formats</a></li> Rename asset_proxy_allowlist column</a></li> Document how to disable S3 multi-threaded copying</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.9.2, 13.8.5 and 13.7.8 2021-03-04T00:00:00+00:00 Today we are releasing versions 13.9.2, 13.8.5 and 13.7.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> JWT token leak via Workhorse</h2> A path traversal vulnerability via the GitLab Workhorse in all versions of GitLab could result in the leakage of a JWT token. This issue is now mitigated in the latest release and is assigned CVE-2021-22190</a>.</p> Thanks @ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Stored XSS in wiki pages</h2> Insufficient input sanitization in wikis in GitLab version 13.8 and up allows an attacker to exploit a stored cross-site scripting vulnerability via a specially-crafted commit to a wiki. It is now mitigated in the latest release and is assigned CVE-2021-22185</a>.</p> Thanks @yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Group Maintainers are able to use the Group CI/CD Variables API</h2> An authorization issue in GitLab CE/EE version 9.4 and up allowed a group maintainer to modify group CI/CD variables which should be restricted to group owners. It is now mitigated in the latest release and is assigned CVE-2021-22186</a>.</p> Thanks to a customer for reporting this vulnerability to the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Insecure storage of GitLab session keys</h2> In all versions of GitLab, marshalled session keys were being stored in Redis. This issue is now mitigated in the latest release and is assigned CVE-2021-22194</a>.</p> Thanks to a customer for reporting this vulnerability to the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update thrift gem</h2> The thrift gem has been upgraded to 0.14.0 in order to mitigate security concerns.</p> Versions Affected</h3> Affects versions 11.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update swagger-ui-dist dependency</h2> The dependency on swagger-ui-dist has been upgraded to 3.43.0 in order to mitigate security concerns.</p> Thanks @kannthu</a> for reporting this through our HackerOne bug bounty program.</p> Versions Affected</h3> Affects versions 13.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.9.1 2021-02-23T00:00:00+00:00 Today we are releasing version 13.9.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix N+1 SQL regression in exporting issues to CSV</a></li> Fix issue email participants migration version</a></li> Send SIGINT instead of SIGQUIT to puma</a></li> Updates authorization for lint</a></li> Log disk_path instead of path for importer</a></li> Reset templates cache key</a></li> Restore missing scrollbar on boards</a></li> Fix: keep latest artifacts checkbox shows always disabled</a></li> Fix 'Open in your IDE' buttons don’t open the IDE</a></li> Fix Metric tab not showing up on operations page</a></li> Fix S3 object storage failing when endpoint is not specified</a></li> Fix broken What's New image</a></li> Fix duplicate text in What's New</a></li> Ensure Marketplace AMIs have licenses embedded</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Premium</a> and Ultimate</a> features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.9 released with a Security Alert Dashboard and Maintenance Mode 2021-02-22T00:00:00+00:00 GitLab 13.9 is now available to strengthen DevSecOps at scale, with a Security Alert Dashboard to triage high priority alerts, Maintenance Mode for unfailing support of distributed teams, better visibility including additional support for DORA metrics, and advanced automation capabilities that will help you deliver “better products, faster.” These are just a few of the 60+ significant new features and improvements</strong> in this release.</p> DevSecOps at scale</h2> Keeping a production environment both secure and available are top priorities, but they can be difficult to balance. Our new Security Alert Dashboard</a> will help you balance security and reliability, by discerning between suspicious network activity that needs to be blocked immediately or that only needs further attention, minimizing disruption to users. We're also excited to add JavaScript and Python support for coverage-guided fuzz testing</a>, making it easier to build secure and reliable software, with results piped into your Security Dashboard.</p> GitLab is built for distributed teams. Our new Maintenance Mode</a> enables read-only availability of your instance during more admin tasks, further reducing downtime. Scale and redundancy in data storage are improved with variable Gitaly replication factors</a>, so you can tune your cluster to your own storage and budget constraints, while also enabling horizontal scaling.</p> Visibility is another core requirement in scaling DevOps, and Release Analytics at the group level</a> continues to grow our support of DORA metrics, now aggregated for projects in a group. The new failed-test counter in Unit Test Reports</a> and a new merge request metric, mean time to merge</a> help you achieve and understand underlying efficiencies.</p> Automate your way to better products, faster</h2> If you’re new to DevOps or renewing stalled efforts, an edict to deliver “better products, faster” can sound a little like “doing more, with less;” it may feel counterintuitive. But DevOps is the answer and automation is the key to doing both well.</p> One sure way to build and test faster is to look for redundancies in configuration. A new function in 13.9 saves you time by enabling reuse in your pipeline of a CI/CD configuration from any job</a>, even if it's in another file.</p> Automating at scale often requires mitigating complexity. When you’ve broken down your pipeline configuration into many files, you’ll like that you can now view an expanded version of the configuration</a>. Deployment processes using parent-child or multi-project pipelines can also now use resource groups to manage concurrency across stages, jobs, and even projects</a>.</p> Wider community contribution highlights</h2> We’re thrilled to introduce GPU and smart scheduling support for GitLab Runner</a>, supporting specialized compute workloads like those in machine learning, and contributed by this month's MVP, Andreas Gravgaard Andersen</a>! Andreas showed awesome perseverance through reviews that spanned 10 months.</p> Thanks to another brilliant contribution, you can now follow other GitLab users’ activity</a>! You might start by following its contributor, Roger Meier @bufferoverflow</a> from Siemens</a>, himself a GitLab Hall of Famer</a> and sage of Open Source and InnerSource.</p> Thank you to Marshall Cottrell @marshall007 from NASA</a> for creating a 1-liner installer for the GitLab Agent for Kubernetes</a> and simplifying its configuration</a>, enabling users to get started with the Agent much more easily. Marshall's feedback, ideas, and collaboration beyond merged contributions were also called "invaluable."</p> Thank you to Kev @KevSlashNull</a> of SiegeGG, who added an Activity filter to Vulnerability Reports</a>, helping you drill into precisely the vulnerability list view you need. GitLab's own AppSec team are grateful as are many others, for this and Kev's many contributions.</p> GitLab isn't only a DevOps platform</a>, or a company, we're also a community, and in 13.9 alone we enjoyed an incredible 299 merged wider community contributions</a>. Selecting one MVP wasn't easy; thank you all for your professionalism and hard work.</p> And so much more!</h2> Some of our favorite quality of life improvements in 13.9 include:</p> Create changelogs using the GitLab API</a></li> Mark changes as viewed in merge requests</a></li> Request a follow-up review from a Reviewer</a></li> Create Jira issues from Vulnerabilities</a></li> Assign incidents to milestones</a></li> Markdown links for Feature Flags</a></li> Allow Deploy Keys to push to protected branches</a></li> </ul> Read on for more, and to preview what's coming in next month’s release, check out our Upcoming Releases</a> page and our 13.10 release kickoff video</a>.</p> GitLab Security Release: 13.8.4, 13.7.7 and 13.6.7 2021-02-11T00:00:00+00:00 Today we are releasing versions 13.8.4, 13.7.7 and 13.6.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Improper Certificate Validation for Fortinet OTP</h2> Starting with version 13.7 the Gitlab CE/EE editions were affected by a security issue related to the validation of the certificates for the Fortinet OTP that could result in authentication issues. This issue is now mitigated in the latest release and is assigned CVE-2021-22189</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Denial of Service Attack on gitlab-shell</h2> Potential DoS was identified in gitlab-shell in GitLab CE/EE version 12.6.0 or above, which allows an attacker to spike the server resource utilization via gitlab-shell command. This issue is now mitigated in the latest release and is assigned CVE-2021-22177</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Resource exhaustion due to pending jobs</h2> An issue has been discovered in GitLab affecting all versions of Gitlab EE/CE before 12.6.7. A potential resource exhaustion issue that allowed running or pending jobs to continue even after project was deleted. This issue is now mitigated in the latest release and is assigned CVE-2021-22187</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Confidential issue titles were exposed</h2> An issue has been discovered in GitLab affecting all versions starting with 13.0. Confidential issue titles in Gitlab were readable by an unauthorised user via branch logs. This issue is now mitigated in the latest release and is assigned CVE-2021-22188</a>.</p> Thanks @aemirercin</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Improper access control allowed demoted project members to access authored merge requests</h2> An issue has been discovered in GitLab affecting all versions starting with 3.0.1. Improper access control allows demoted project members to access details on authored merge requests. This issue is now mitigated in the latest release and is assigned CVE-2021-22176</a>.</p> Thanks @muthu_prakash</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Improper access control allowed unauthorized users to access analytic pages</h2> An issue has been discovered in GitLab affecting all versions starting with 13.4. Improper access control allows unauthorized users to access details on analytic pages. This issue is now mitigated in the latest release and is assigned CVE-2021-22180</a>.</p> Thanks @ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Unauthenticated CI lint API may lead to information disclosure and SSRF</h2> When requests to the internal network for webhooks are enabled, a server-side request forgery vulnerability in GitLab affecting all versions starting from 10.5 was possible to exploit for an unauthenticated attacker even on a GitLab instance where registration is disabled. This issue is now mitigated in the latest release and is assigned CVE-2021-22175</a>.</p> Thanks @myster</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Prometheus integration in Gitlab may lead to SSRF</h2> An issue has been discovered in GitLab affecting all versions starting from 13.2. Gitlab was vulnerable to server-side request forgery vulnerability attack due when Prometheus was used. This issue is now mitigated in the latest release and is assigned CVE-2021-22178</a>.</p> Thanks @yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.8.3 2021-02-05T00:00:00+00:00 Today we are releasing version 13.8.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix Geo replication status for replicables with no data to sync</a></li> Use the shells background feature to put it into background</a></li> Revert multipart URL optimization for AWS S3</a></li> Fix regression with old wiki image uploads</a></li> Wait up to 60 seconds instead of 30 seconds till PIDs should exist</a></li> Handle unreachable ES host in settings check</a></li> Ensure the packagecloud binary is available for the raspberry pi release</a></li> Fix a nil error when workhorse is set to use tcp</a></li> </ul> Important notes on upgrading</h2> For multi-node deployments, this version should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab Security Release: 13.8.2, 13.7.6 and 13.6.6 2021-02-01T00:00:00+00:00 Today we are releasing versions 13.8.2, 13.7.6 and 13.6.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Stored XSS in merge request</h2> An issue has been discovered in GitLab affecting all versions starting with 13.7. GitLab was vulnerable to a stored XSS in merge requests. This issue is now mitigated in the latest release and is assigned CVE-2021-22182</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Stored XSS in epic's pages</h2> An issue has been discovered in GitLab affecting all versions starting with 11.8. GitLab was vulnerable to a stored XSS in the epics page, which could be exploited with user interactions. This issue is now mitigated in the latest release and is assigned CVE-2021-22183</a>.</p> Thanks mike12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Sensitive GraphQL variables exposed in structured log</h2> An information disclosure issue in GitLab 12.0+ allowed a user with access to the server logs to see sensitive information that wasn't properly redacted. This is a medium severity issue (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</code>, 6.2). This issue is now mitigated in the latest release and is assigned CVE-2021-22184</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Guest user can see tag names in private projects</h2> Improper authorization in GitLab 12.8+ allows a guest user in a private project to view tag data that should be inaccessible on the releases page. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22172</a>.</p> Thanks @izzsec</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Information disclosure via error message</h2> An issue was identified in GitLab EE 13.4 or later which could disclose internal IP address via error messages. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22169</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> DNS rebinding protection bypass</h2> An issue has been discovered in GitLab affecting all versions starting with 12.2. GitLab was vulnerable to a DNS rebinding protection bypass. This issue is now mitigated in the latest release and is assigned CVE-2021-22179</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Validate existence of private project</h2> An issue has been discovered in GitLab affecting all versions. Validate the use of a specific name for private project in a group was posible. This issue is now mitigated in the latest release and is assigned CVE-2021-22193</a>.</p> Thanks milindpurswani</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.8.1 2021-01-26T00:00:00+00:00 Today we are releasing version 13.8.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.8 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Core, Starter, Premium, and Ultimate:</p> Fix LFS not working with S3 specific-storage settings</a></li> Skip the auth settings for pages when access control is not enabled</a></li> Fix missing setting LDAP servers</a></li> Add notification email event for SAML/SCIM</a></li> Create What's New for 13.8</a></li> Clean up artifact expiry migration problem</a></li> Resolve "Update Approval Rule documentation"</a></li> Docs: Reviewer approval rules</a></li> </ul> Available in GitLab Premium</a> and Ultimate</a>:</p> Fix browser performance widget issue body import</a></li> Geo: clarify how to migrate single PostgreSQL to Patroni on secondary node</a></li> </ul> Available in GitLab Ultimate:</p> Failsafe access to current user's email</a></li> </ul> Important notes on upgrading</h2> This version does include new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.7.5 2021-01-25T00:00:00+00:00 Today we are releasing version 13.7.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Core, Starter, Premium, and Ultimate:</p> Disable ref tx hooks for FetchRemote calls</a></li> Fix brand_new_project_guidelines not being displayed</a></li> Resolve "The gitlab-ctl patroni failover</code> command does not work"</a></li> Fix https pages settings</a></li> Convert external_http pages setting to bool for rails</a></li> Fix LFS not working with S3 specific-storage settings</a></li> Only use top level groups in devops adoption</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.8 released with a Pipeline Editor and DORA metrics 2021-01-22T00:00:00+00:00 Today, we are excited to introduce a dedicated Pipeline Editor, a deployment frequency dashboard, and several quality of life improvements that will make using GitLab every day even more enjoyable. These are just a few highlights from the 50+ improvements in this release.</p> The new Pipeline Editor makes CI/CD easy to use</h2> Since its inception, the defining feature of GitLab CI/CD has been the .gitlab-ci.yml</code> configuration file. Configuring pipelines as code means you can version control and collaborate on pipelines using the same interfaces you use for your application code. Additionally, GitLab's advanced syntax provides a high degree of customization for sophisticated and demanding CI/CD use cases. However, all of this power and flexibility comes with a fair bit of complexity. This is why our vision for CI/CD</a> is to create a visual pipeline authoring experience, built-in to GitLab, that simplifies the complexity letting you quickly create and edit pipelines while still exposing advanced options when you need them.</p> Today, we’re pleased to introduce the first iteration of the Pipeline Editor</a>. Starting in 13.8, you'll have a dedicated editor designed for CI/CD with some enhanced functionality such as built-in linting</a> and configuration validation</a>. A pipeline visualizer</a> in the editor will show you what your pipelines will look like before you commit your changes. These capabilities allow new users to get started with GitLab CI/CD quickly and make experienced power users more efficient. This is just the beginning of what's in store for the Pipeline Editor. We can't wait for you to try it out so you can share your feedback, suggestions, and code contributions.</p> Improve your DevOps maturity with deployment frequency metrics</h2> IT leaders and practitioners alike love DevOps. Developers and software engineers love that DevOps makes their job easier while IT leaders love that DevOps makes the business perform better. For several years, DORA, the DevOps Research and Assessment firm</a>, has conducted primary research on the impact of DevOps in the enterprise. Their published results</a> have shown that DevOps maturity leads to positive business outcomes like happier customers, greater market share, and increased revenue. Four metrics in particular, commonly known as the “DORA 4”, are highly correlated with business performance. These are deployment frequency, lead time for changes, time to restore service, and change failure rate.</p> We’ve heard from many of you that you want to measure these metrics so that you can improve them. However, instrumenting your systems to capture and report on these metrics can be difficult and time-consuming. We decided to build them into GitLab for you so you can focus on improving your DevOps maturity instead of instrumentation. Starting with GitLab 13.8 you can find deployment frequency charts</a> in your CI/CD analytics. This is just the first of the DORA 4 metrics to come to GitLab. Our vision for the coming year</a> will be to add the additional three metrics so you’ll be able to measure and optimize your DevOps practices.</p> A few small features to improve your quality of life</h2> As GitLab gets better with every iteration sometimes the most exciting improvements aren’t the big new features, but the small UX improvements that take a tedious task and make it simple and easy. In this release, we’ve shipped several long-asked-for enhancements that we think you’ll enjoy such as the ability to:</p> Send an email to an issue</a>.</li> Click and drag to make multi-line comments</a>.</li> Download artifacts from an MR widget</a>.</li> Identify flaky tests with a repeat failed test counter</a>.</li> Rebase an MR branch with a quick action</a>.</li> </ul> And much more!</h2> These are just a few of many ways GitLab has been made better in this release. Read on to see more. And, if you'd like to preview what's coming in next month’s release, check out our Upcoming Releases</a> page as well as our 13.9 release kick-off video</a>.</p> GitLab Critical Security Release: 13.7.4, 13.6.5 and 13.5.7 2021-01-14T00:00:00+00:00 Today we are releasing versions 13.7.4, 13.6.5 and 13.5.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ</a>. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Ability to steal a user's API access token through GitLab Pages</h2> A way to bypass the fix released in the previous security release</a> was discovered internally by the GitLab team. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N</code>, 7.3). We have requested a CVE ID and will update this blog post when it is assigned.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the Update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.7.3 2021-01-08T00:00:00+00:00 Today we are releasing version 13.7.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Core, Starter, Premium, and Ultimate:</p> Fix Canary Ingress weight is not reflected on UI immediately</a></li> Change pages deployments size column to bigint</a></li> Set registry fields to nullable</a></li> Update Helm 2 version to 2.17.0</a></li> Follow-up from "Fix project access token regression"</a></li> Note feature flag for user cap</a></li> Job Trace polling solution</a></li> </ul> Important notes on upgrading</h2> This version does include new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.7.2, 13.6.4, and 13.5.6 2021-01-07T00:00:00+00:00 Today we are releasing versions 13.7.2, 13.6.4, and 13.5.6 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Upgrade Note</h2> This release applies a database migration to configure as Confidential</code> all instance-wide OAuth applications that are configured as Trusted</code>. This will require the applications to send the client_secret</code> as part of the OAuth flow, which is a best practice. The change is required to correct one of the issues in this security release. If you have any custom instance-wide applications that are having issues following this migration, it means that you have clients that aren't sending the client_secret</code> or are using the implicit flow during the OAuth authentication process. Here is how to solve the problem:</p> The preferred way is to make the client send the client_secret</code> using the Authorization Code flow.</li> If impossible, or if there's no way to keep the client_secret</code> secret, then you can switch the application back to non-confidential. However, we suggest making the application non-trusted as well so that users are required to explicitly authorize the application when it requests access tokens on their behalf without the client_secret</code>.</li> </ul> Ability to steal a user's API access token through GitLab Pages</h2> Insufficient validation of authentication parameters in GitLab Page for GitLab 11.5+. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N</code>, 8.1). It is now mitigated in the latest release and is assigned CVE-2021-22171</a>.</p> Thanks @ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Prometheus denial of service via HTTP request with custom method</h2> An attacker could cause a Prometheus denial of service in GitLab 13.7+ by sending an HTTP request with a malformed method. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22166</a>. .</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Unauthorized user is able to access private repository information under specific conditions</h2> An issue has been discovered in GitLab affecting all versions starting from 12.1. Incorrect headers within a specific project page allows attacker to have temporary read access to a public repository with project features restricted to only members. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2021-22167</a>.</p> Thanks @anshraj_srivastava for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Regular expression denial of service in NuGet API</h2> A regular expression denial of service issue has been discovered in NuGet API affecting all versions of GitLab starting from version 12.8. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2021-22168</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Regular expression denial of service in package uploads</h2> An issue has been discovered in GitLab affecting all versions starting from 12.4. The regex used for package names is written in a way that makes execution time have quadratic growth based on the length of the malicious input string. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2020-26414</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Update curl dependency</h2> The curl dependency has been upgraded to 7.74.0 in order to mitigate security concerns.</p> Versions Affected</h3> Affects all GitLab Omnibus versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> CVE-2019-3881 mitigation</h2> A patch has been applied to mitigate CVE-2019-3881 in the bundler dependency.</p> Versions Affected</h3> Affects all GitLab Omnibus versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible</strong>.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.7.1 2020-12-23T00:00:00+00:00 Today we are releasing version 13.7.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.7 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix project transfer corrupting shared runners state</a></li> Add roadmap filters to docs</a></li> Fix DAST profiles deletion</a></li> Update automation instructions for DB setup</a></li> Improve AWS EKS troubleshooting documentation</a></li> Fix Redis HLL weekly keys</a></li> Geo: Fix LFS for location-aware Git URL</a></li> Fix error for projects without security setting</a></li> Ensure patroni and consul remain up during upgrade migrations</a></li> </ul> Important notes on upgrading</h2> For multi-node deployments, this version should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.7 released with merge request reviewers and automatic rollback upon failure 2020-12-22T00:00:00+00:00 What a year 2020 has been! We're excited to share what's new in 13.7 with over 45</strong> features and improvements shipping just in time for the holidays!</p> On behalf of everyone at GitLab, I want to take a second to thank everyone in our community for your contributions and the positive impact you've made. Without you, GitLab would not be what it is today.</p> Here's to you and all of our team members that helped make 2020 an incredible year despite the adversity and unprecedented times. Please continue staying safe, happy, and healthy this holiday season.</p> Here's what you can look forward to in 13.7:</p> Enhanced project management for cross-collaboration</h2> Merge Requests (MRs) are crucial to foster cross-collaboration and can be directly linked to relevant issues, providing a central location to communicate via comments, suggest code changes, perform code reviews, and much more. In this release, we've added merge request reviewers</a>, a capability to improve the code review process by making reviews easier and more organized. Now you'll be able to quickly find out who's involved in the merge request or request a formal review that will send them a notification.</p> Context switching and manual tasks in your workflow hinder your ability to efficiently collaborate across groups and projects. It means you spend less time developing valuable features and more time managing your projects, which is why the ability to clone issues with quick actions</a> is so valuable for you to streamline agile planning and project management.</p> Collaborating</a> on projects and iterating</a> rapidly to develop your applications means you need to be able to quickly determine the order of importance of your issues, identify any blockers, and use that information to prioritize what you'll work on next. Now, you can sort issues by blockers</a> to quickly find out which of your issues are blocking progress for other issues, as well as easily sort by the number of blockers in your issue list.</p> Improved release automation and deployment flexibility</h2> You need flexibility to control how you orchestrate, automate, and deploy your applications on a regular basis. Deploying your applications reliably and frequently gets value into the hands of your customers sooner.</p> To improve how GitLab automates releases, we've added automatic rollback in case of failure</a>. This feature automatically reverts an unsuccessful deployment back to the last successful deployment and sends an automatic notification to alert you of the status. You won't have to manually make any changes and can be confident that potential problems won't cause downtime or intensify while you work towards a fix.</p> An improvement that goes well with automatic rollback in the event of a failure is the ability to see the deployment status in the Environment page</a>. Now you can easily find deployment statuses and identify what actions you need to take, such as stopping or rolling back a deployment.</p> We've also shipped the first officially supported beta of GitLab Runner container on Red Hat OpenShift and our Certified Runner Operator</a> to give you more flexibility over how you release with GitLab. We're working to make this generally available soon, so stay tuned for more information in future releases.</p> More reliable and efficient package and dependency management</h2> Your workflow depends on a wide variety of programming languages, binaries, integrations, and artifacts that are all important inputs or outputs as a result of your development process. The more efficiently you can manage your packages and dependencies, the less development time goes to waste, and with efficiency in mind, we've added the option to quickly find and view generic packages</a>.</p> We've also made improvements to GitLab's Dependency Proxy, which, by the way, was made available in Core</a> in GitLab 13.6.</p> You can now avoid Docker rate-limits and speed up your pipelines with the Dependency Proxy</a> to assure confidence in reliability and improve efficiency when caching your container images hosted on DockerHub.</p> Another improvement that many of you in the community were anticipating, the Dependency Proxy now works with private projects</a> and addresses the limitations that prevented those of you with private projects from taking advantage of this feature.</p> Last but not least, you'll be able to use pre-defined variables with the Dependency Proxy</a> instead of relying on your own defined variables or hard-coding values in your gitlab.ci-yml</code> file. This provides a more scalable and efficient way to get started proxying and caching images.</p> And more</h2> Check out a few other awesome features shipping in 13.7 below:</p> Import requirements from a CSV file</a></li> SAML user provisioning</a></li> Set deployment traffic weight via UI</a></li> API support for Deployment Frequency</a></li> </ul> These are just a few highlights out of many new features and performance improvements. If you'd like to preview what's coming in next month’s release, check out our Upcoming Releases</a> page as well as our 13.8 release kick off video</a>.</p> GitLab Patch Release: 13.6.3 2020-12-10T00:00:00+00:00 Today we are releasing version 13.6.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix error 500s creating projects concurrently</a></li> Fix container_registry url for relative urls</a></li> Resolve Members page 500 error after Invitation sent via API</a></li> Resolve ""400 Bad Request" during authentication due to password format (length or special chars)"</a></li> Fix pages object storage bucket</a></li> Fix MR rendering issue when user is tool admin</a></li> Fix Unicorn custom socket not being used by Workhorse</a></li> Fix image used for SLES 12.5 tag builds</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.6.2, 13.5.5, and 13.4.7 2020-12-07T00:00:00+00:00 Today we are releasing versions 13.6.2, 13.5.5, and 13.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> XSS in Zoom Meeting URL</h2> A XSS vulnerability exists in Gitlab CE/EE starting with 12.4 that allows an attacker to perform cross-site scripting to other users via importing a malicious project. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L</code>, 5.5). It is now mitigated in the latest release and is assigned CVE-2020-26407</a>.</p> Thanks @vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Limited Information Disclosure in Private Profile</h2> A limited information disclosure vulnerability exists in Gitlab CE/EE starting with 12.2 that allows an attacker to view limited information in user's private profile. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). It is now mitigated in the latest release and is assigned CVE-2020-26408</a>.</p> Thanks @maruthi12</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> User email exposed via GraphQL endpoint</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.4 before 13.6.2. Information disclosure via GraphQL starting in GitLab 13.4 results in user email being unexpectedly visible. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). This issue is now mitigated in the latest release and is assigned CVE-2021-22413</a>.</p> Thanks vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Group and project membership potentially exposed via GraphQL</h2> Information disclosure via GraphQL in GitLab CE/EE 13.1 and later exposes private group and project membership. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</code>, 5.3). This issue is now mitigated in the latest release and is assigned CVE-2021-22417</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Search terms logged in search</code> parameter in rails logs</h2> Information disclosure in Advanced Search component of GitLab EE starting in 8.4 results in exposure of search terms via Rails logs. This is a medium severity issue (CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N</code>, 5.0). This issue is now mitigated in the latest release and is assigned CVE-2021-22416</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Un-authorised access to feature flag user list</h2> An issue was discovered in Gitlab CE/EE versions starting from 13.1 to 13.5 which allowed an un-authorised user to access the user list corresponding to a feature flag in a project. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2020-13357</a>.</p> Thanks @ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> A specific query on the explore page causes statement timeouts</h2> A potential DOS vulnerability was discovered in all versions of GitLab. Using a specific query name for a project search can cause statement timeouts that can lead to a potential DOS if abused. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2020-26411</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Exposure of starred projects on private user profiles</h2> An issue has been discovered in GitLab affecting all versions starting from 12.2 before 13.6.2, all versions starting from 12.2 before 13.5.5, all versions starting from 12.2 before 13.4.7. Information about the starred projects for private user profiles was exposed via the GraphQL API starting in 13.4 and via the REST API starting in 12.2. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 4.3). This issue is now mitigated in the latest release and is assigned CVE-2021-22415</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Uncontrolled Resource Consumption in any Markdown field using Mermaid</h2> A DOS vulnerability exists in Gitlab CE/EE starting with 10.3 that allows an attacker to trigger uncontrolled resource by bypassing input validation in markdown fields. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</code>, 4.3). It is now mitigated in the latest release and is assigned CVE-2020-26409</a>.</p> Thanks misha98857</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Former group members able to view updates to confidential epics</h2> Removed group members were able to use the To-Do functionality to retrieve updated information on confidential epics starting in GitLab EE 13.2. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N</code>, 3.1). This issue is now mitigated in the latest release and is assigned CVE-2021-22412</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update GraphicsMagick dependency</h2> The GraphicsMagick dependency has been upgraded to 1.3.35 in order to mitigate security concerns.</p> Versions Affected</h3> Affects GitLab Omnibus 11.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update GnuPG dependency</h2> The GnuPG dependency has been upgraded to 2.2.23 in order to mitigate security concerns.</p> Versions Affected</h3> Affects GitLab Omnibus 13.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update libxml dependency</h2> The libxml dependency has been upgraded to 2.9.10 in order to mitigate security concerns.</p> Versions Affected</h3> Affects GitLab Omnibus 10.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.6.1 2020-11-23T00:00:00+00:00 Today we are releasing version 13.6.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.6 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Add documentation for SSE image upload config</a></li> Fixes this bug on the group cluster page</a></li> Fix project</code> attribute of StoreScanService</code> class</a></li> Fixes issue with broken runner installation instructions</a></li> Fix project transfer corrupting shared runners state</a></li> Fix gap on project select dropdown</a></li> Resolve "Mentioning users is now very slow"</a></li> Enable alert management for configured http integrations</a></li> Update docs to remove an issue board list and filter issues</a></li> Does not track package events on a read-only instance</a></li> Fix link to correct epic</a></li> Re-name Instance Statistics as Usage Trends</a></li> Fix tags pages erroring for projects with private pipelines</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.6 released with Auto Deploy to EC2 and Usage Trends Dashboard 2020-11-22T00:00:00+00:00 At GitLab, we are focused on improving developer productivity and satisfaction. And GitLab 13.6 has all the right ingredients to help you achieve all that and more! We hope that you find these top features, and the 60+ new features and improvements</strong> packed in this release, useful.</p> Improved ease of use and automation for efficiency</h2> To make it easy for you to get started with GitLab CI/CD with Amazon Web Services (AWS), Auto DevOps has now been extended to support AWS, so you can now Auto-Deploy to Amazon EC2</a> using Auto DevOps without using Kubernetes (as previously required by Auto DevOps).</p> Docker Hub has enforced rate limits on docker pull</code> requests. We have mitigated the impact</a> for our SaaS and self-managed users and have shared ways to monitor the limits with Prometheus</a> in your environments. We want all our users to stay safe with their CI/CD pipelines and Kubernetes clusters. We are moving the Dependency Proxy</a> to Core available for everyone.</p> Listening to the community’s feedback to have a more descriptive default branch, Group owners now have more flexibility in configuring a custom default initial branch name for new repositories</a> as opposed to the master</code> branch. Speaking of defaults, the Static Site Editor can use a default merge request template</a> across a project, reducing the need to navigate to the merge request after submission to update the description.</p> Improved visibility for faster decision making</h2> You cannot fix what you cannot find. With 13.6, we’ve made improvements to several dashboards and reports to aid you with faster decision making.</p> With the code quality severity</a> included within the merge request and the Full Code Quality Report</a>, you can now quickly determine which code quality violations are critical to resolve before merging. Thanks for the community contribution with Code Quality Report, Vicken Simonian</a>!</p> We’ve made updates to the Project Security Dashboard</a> to include the results of the latest run pipeline security scan</a> and also a dynamic vulnerability trend chart</a> to help you stay on top of the real time and historical vulnerability trends. We've also added the fuzz testing results in the merge request</a> along with the other security results and improved the readability of this report by adding the source file name and line number to help you quickly find the exact crash location and fix it.</p> GitLab Self Managed Administrators can now see their organization's usage trends</a> for popular features such as users, projects, groups, issues, and pipelines over the last 12 months.</p> Improved extensibility for a seamless workflow</h2> We aim to play well with other popular tools</a> you may be using in your environment so that you have a seamless experience, even when you use only a few parts of GitLab. With 13.6, to enable easy access and collaboration from within VS Code, we’ve improved our extension with VS Code</a> to insert Snippets</a>, view and comment on merge requests and issues directly from VS Code rather than switching to the GitLab interface.</p> GitLab integrations</a> can now be configured at a group level in addition to instance and project level - helping group owners manage integrations with ease.</p> And more</h2> To enable you to grow beyond the 10GB per project storage limit</a>, we recently introduced an add-on to purchase additional storage</a> for your group or personal name space. In addition to Dependency Proxy</a>, we've also moved Tracing</a> to Core as part of this release.</p> These are just a few highlights from the many new features and performance improvements described below. If you'd like to preview what's coming in next month’s release, check out our Upcoming Releases</a> page as well as our 13.7 release kick off</a> video series where the Product Managers highlight key features coming in the next release.</p> GitLab Patch Release: 13.5.4 2020-11-13T00:00:00+00:00 Today we are releasing version 13.5.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.5 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fixes keyboard navigation of labels list</a></li> Hashed Storage: make migration and rollback resilient to exceptions</a></li> Fix compliance framework migration on CE</a></li> Resolve "undefined method error after upgrading to 13.5.1"</a></li> Enforce instance-level MR approval settings</a></li> </ul> Important notes on upgrading</h2> This version upgrade does not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.5.3 and 13.4.6 2020-11-03T00:00:00+00:00 Today we are releasing version 13.5.3 and 13.4.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 13.5 release</a> and the previous month's 13.4 release</a>.</p> GitLab Community Edition and Enterprise Edition</h2> 13.4.6</h3> Use our mirror of Helm stable repo</a></li> Implementation of PITR recovery before promotion</a></li> Fix PG password error when enabling extensions during DB init</a></li> </ul> 13.5.3</h3> Add environment variables to override backup/restore DB settings</a></li> Fix incorrect S3 KMS key id ARN in object storage</a></li> Fix cloud native job logs not finalizing with Azure</a></li> Downgrade vue-router to fix IDE issue with special characters</a></li> Ensure that copy to clipboard button is visible</a></li> Add ci_new_artifact_file_reader FF again</a></li> Enable ci_trace_new_fog_store feature flag by default</a></li> Implementation of PITR recovery before promotion</a></li> Set net.core.somaxconn kernel parameter for Puma</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.5.2, 13.4.5, and 13.3.9 2020-11-02T00:00:00+00:00 Today we are releasing versions 13.5.2, 13.4.5, and 13.3.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Path Traversal in LFS Upload</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. This issue is now mitigated in the latest release and is assigned CVE-2020-13355</a>.</p> Thanks saltyyolk</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Path traversal allows saving packages in arbitrary location</h2> Path traversal vulnerability in package upload functionality in GitLab CE/EE starting from 12.8 allows an attacker to save packages in arbitrary locations. This issue is now mitigated in the latest release and is assigned CVE-2020-26405</a>.</p> Thanks @vakzz</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Kubernetes agent API leaks private repos</h2> A vulnerability in the internal Kubernetes agent api in GitLab CE/EE version 13.3 and above allows unauthorised access to private projects. This issue is now mitigated in the latest release and is assigned CVE-2020-13358</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Terraform state deletion API exposes object storage URL</h2> The Terraform API in GitLab CE/EE 12.10 and above exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. This issue is now mitigated in the latest release and is assigned CVE-2020-13359</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Stored-XSS in error message of build-dependencies</h2> A stored XSS in CI Job Log has been discovered in GitLab CE/EE 12.4 and above. This issue is now mitigated in the latest release and is assigned CVE-2020-13340</a>.</p> Thanks yvvdwf</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Git credentials persisted on disk</h2> When importing repos via URL, one time use git credentials were persisted beyond the expected time windows in Gitaly 1.79.0 or above. This issue is now mitigated in the latest release and is assigned CVE-2020-13353</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Potential Denial of service via container registry</h2> A potential DOS vulnerability was discovered in GitLab CE/EE starting with version 12.6 and above. The container registry name check could cause exponential number of backtracks for certain user supplied values resulting in high CPU usage. This issue is now mitigated in the latest release and is assigned CVE-2020-13354</a>.</p> Thanks @anyday</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Info leak when group is transferred from private to public group.</h2> Private group info is leaked leaked in GitLab CE/EE version 10.2 and above, when the project is moved from private to public group. This issue is now mitigated in the latest release and is assigned CVE-2020-13352</a>.</p> Thanks @ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Limited File Disclosure Via Multipart Bypass</h2> An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. This issue is now mitigated in the latest release and is assigned CVE-2020-13356</a>.</p> Thanks ledz1996</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Unauthorized user is able to access scheduled pipeline variables and values</h2> Insufficient permission checks in scheduled pipeline API in GitLab CE/EE 13.0+ allows an attacker to read variable names and values for scheduled pipelines on projects visible to the attacker. This issue is now mitigated in the latest release and is assigned CVE-2020-13351</a>.</p> Thanks @vaib25vicky</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> CSRF in runner administration page allows an attacker to pause/resume runners</h2> CSRF in runner administration page in all versions of GitLab CE/EE allows an attacker who's able to target GitLab instance administrators to pause/resume runners. This issue is now mitigated in the latest release and is assigned CVE-2020-13350</a>.</p> Thanks @ngalog</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Regex backtracking attack in path parsing of Advanced Search result</h2> An issue has been discovered in GitLab EE affecting all versions starting from 9.2. A regular expression related to a file path resulted in the Advanced Search feature susceptible to catastrophic backtracking. This issue is now mitigated in the latest release and is assigned CVE-2020-13349</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Bypass of required CODEOWNERS approval</h2> An issue has been discovered in GitLab EE affecting all versions starting from 11.9. Required CODEOWNERS approval could be bypassed by targeting a branch without the CODEOWNERS file. This issue is now mitigated in the latest release and is assigned CVE-2020-13348</a>.</p> This vulnerability has been discovered internally by the GitLab team.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> SAST CiConfiguration information visible without permissions</h2> Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted as well as guest members on private projects. This issue is now mitigated in the latest release and is assigned CVE-2020-26406</a>.</p> Thanks ashish_r_padelkar</a> for reporting this vulnerability through our HackerOne bug bounty program.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.3.8 2020-10-23T00:00:00+00:00 Today we are releasing version 13.3.8 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in August's 13.3 release</a>.</p> GitLab Community Edition and Enterprise Edition</h2> Update object_storage.md to fix the object store connection using iam</a></li> Make SSH keys publicly accessible</a></li> Add missing fa- icons for file_type_icon_class</a></li> Handle 500 error for GraphQL "configureSast" mutation</a></li> Use our mirror of Helm stable repo</a></li> Geo: Fix documentation typo</a></li> Geo: Fix "Project/wiki/design repo not able to resync after storage move"</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.5.1 2020-10-22T00:00:00+00:00 Today we are releasing version 13.5.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.5 release</a>.</p> GitLab Community Edition and Enterprise Edition</h2> Add docs on the inclusion of LFS files in archives</a></li> Update GitLab Shell to v13.11.0</a></li> Revert clickable links on logs</a></li> Resolve "QA tests failing after group was explicitly set for repositories_storages"</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.5 released with Mobile App Sec, Group Wikis, and more! 2020-10-22T00:00:00+00:00 One of GitLab’s core values is collaboration</a> and it's a key part of DevOps. This month we have several features aimed at collaboration among your team, across your tools, and with your peers as part of the 60 improvements</strong> packed into this release.</p> Mobile application security scanning</h2> Community contributions are one of the best kinds of collaboration! One of our customers embraced our security scanning capabilities to shift left</a> and empower developers to find and fix security flaws, yet they also wanted the same abilities for iOS and Android mobile applications. Using our integration guidance</a>, they brought MobSF into the merge request pipeline and the security dashboards</a> alongside SAST and all the other GitLab security scan</a> results.</p> For their contribution, Brian Williams and the H-E-B Digital team are this month’s MVP</a>. This new Mobile SAST language coverage, combined with our existing fuzz testing</a> for Swift and Java projects, now offers a valuable security testing solution for mobile apps.</p> Giving works both ways. Therefore, we have officially finished moving Feature flags to core</a>, open-sourcing it for greater community engagement. This completes one more step of our plan to move 18 features to Core</a>.</p> Group wikis and more!</h2> Groups collaborate in many ways and we now offer a few more ways to do so. A feature long sought after is Group Wikis</a>, with the most upvotes ever! Now you can have a central point of collaboration for your team at the group level. Accompanying this, you’ll find deep-level wiki navigation</a> in the side bar for easier navigation.</p> Thanks to another community contribution, you can now easily launch your Gitpod Workspace</a> directly from the GitLab interface.</p> A picture is worth a thousand words! During an incident, it can be hard to understand the sequence of events from threaded discussions. With the new Timeline view for discussions in incidents</a>, you can toggle a timeline view of the discussion.</p> Snippets and templates aid sharing</h2> Snippets facilitate code sharing among group members. Snippets with multiple files</a> is now supported inside a single Snippet, so you can create and share complex Snippets composed of multiple parts. The sky’s the limit!</p> Templates promote best practices and consistency across teams. This month you'll find more templates such as a template for deploying to AWS EC2</a>, a new GitLab CI/CD template for Terraform</a>, and the new SAST configuration UI</a> that enables the GitLab CI/CD SAST template for users without CI/CD experience.</p> Collaborating across tools</h2> At GitLab, we want to play well with others</a>. Whether it’s pulling in third-party security scanner results</a>, or integrating with other DevOps tools, we want to meet you where you need us. Now with Generic Package Registry</a>, you can store other binary types in GitLab that are not yet supported via raw package feeds and attach binary assets to releases</a>, enabling release and build teams to effectively work in GitLab no matter what type of binary they are building in CI/CD.</p> Of course there's more!</h3> These are just a few highlights from the many new features and performance improvements described below.</p> If you'd like to preview what's coming in next month’s release, be sure to check out the 13.6 release kick off video series</a> where the Product Managers highlight key features coming soon. Our Upcoming Releases</a> page is where you can find all of the juicy details of our roadmap. Here, you can comment and upvote existing issues and contribute new ideas!</p> GitLab Patch Release: 13.4.4 2020-10-15T00:00:00+00:00 Today we are releasing version 13.4.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Geo: Fix "Project/wiki/design repo not able to resync after storage move"</a></li> Fix rollback of migration that adds temporary index for container scanning findings</a></li> Improve merge error when pre-receive hooks fail in fast-forward merge</a></li> Resolve "gitlab-ctl patroni members results in error with prettytable"</a></li> Fix resolution of Gitlab::AppLogger in EE kerberos_spnego_helper</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.4.3 2020-10-05T00:00:00+00:00 Today we are releasing version 13.4.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Ensure nonexistent routes do not redirect to the 2FA page</a></li> Ensure wikis can be re-enabled after disabling them without an error</a></li> Limit spam checks to title, description, or confidentiality changes on bot-created issues</a></li> Use the correct chart for helm command</a></li> Docs: Fix example manifest.yaml for Kubernetes Agent</a></li> Fixes store initialization for Productivity Analytics</a></li> Do not try to copy weight events when promoting an issue</a></li> Fix large backups not working with Azure Blob storage</a></li> Geo: Fix scenario where there is a wikis/designs with no repository on the primary</a></li> Geo: Permanently enable package_file_registries field</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and for multi-node deployments, should not require any downtime</a>.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.4.2, 13.3.7 and 13.2.10 2020-10-01T00:00:00+00:00 Today we are releasing versions 13.4.2, 13.3.7 and 13.2.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Potential Denial Of Service Via Update Release Links API</h2> A potential DoS vulnerability was discovered in release api, certain user supplied values could rise the CPU usage. This issue is now mitigated in the latest release and is assigned CVE-2020-13333</a>.</p> Thanks @anyday</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.1 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insecure Storage of Session Key In Redis</h2> Under certain condition an unauthorised user could read the Redis keys and use to obtain a valid session. This issue is now mitigated in the latest release and is assigned CVE-2020-13344</a>.</p> Thanks @rabbitfang</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 10.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Access Expiration Date Validation</h2> It was possible for users to access projects with an expired access date. This issue is now mitigated in the latest release and is assigned CVE-2020-13332</a>.</p> Thanks @henonoah</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 8.11.0-rc6+ and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Multiple Pages</h2> A reflected cross-site scripting was discovred in different pages. This issue is now mitigated in the latest release and is assigned CVE-2020-13345</a>.</p> Thanks @vakzz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 10.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Unauthorized Users Can View Custom Project Template</h2> An unauthorised user was able to view private custom project template. This issue is now mitigated in the latest release and is assigned CVE-2020-13343</a>.</p> Thanks @jobert</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 11.2 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in SVG Image Preview</h2> A stored cross-site scripting was found in SVG image preview. This issue is now mitigated in the latest release and is assigned CVE-2020-13339</a>.</p> Thanks @aryan2808</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 12.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Incomplete Handling in Account Deletion</h2> It was discovered that there was insufficient check before account deletion which allowed an account to be deleted while being the owner of a group. This issue is now mitigated in the latest release and is assigned CVE-2020-13335</a>.</p> Thanks @brdoors3</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 7.12 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insufficient Rate Limiting at Re-Sending Confirmation Email</h2> It was discovered that there was insufficient rate-limiting at re-sending confirmatil email. This issue is now mitigated in the latest release and is assigned CVE-2020-13341</a>.</p> Thanks @yuanchenlu</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 10.1.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Type Check in GraphQL</h2> It was discovered that due to an improper type check in GraphQL users with developer role were able to perform unauthorised actions. This issue is now mitigated in the latest release and is assigned CVE-2020-13341</a>.</p> Thanks @ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.1 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> To-dos Are Not Redacted When Membership Changes</h2> It was discovered that after membership changes were applied, the to-do list was not redacted properly. This issue is now mitigated in the latest release and is assigned CVE-2020-13346</a>.</p> Thanks @vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 11.2 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Guest users can modify confidentiality attribute</h2> It was discovered that improper authorization checks allows a non-member of a project/group to change the confidentiality attribute of issue via mutation GraphQL query. This issue is now mitigated in the latest release and is assigned CVE-2020-13334</a>.</p> Thanks @0xwintermute</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 8.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Command injection on runner host</h2> It was discovered that improper validation of authorization configuration allowed arbitary command execution on windows runner host. This issue is now mitigated in the latest release and is assigned CVE-2020-13347</a>.</p> Thanks @ajxchapman</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab Runner 12.0.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insecure Runner Configuration in Kubernetes Environments</h2> An internal investigation revealed a security issue in GitLab Runner configuration used with Kubernetes environments that could be used to perform a MitM(Man in the Middle) attack. This issue is now mitigated in the latest release and is assigned CVE-2020-13327</a>.</p> Versions Affected</h3> Affects GitLab Runner 13.2, 13.3, 13.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.4.1 2020-09-24T00:00:00+00:00 Today we are releasing version 13.4.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.4 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Revert required encryption on CI runner tokens</a></li> Fix missing VSA request parameters</a></li> Notification icons: Render empty string for "custom" setting</a></li> Add missing fa- icons for file_type_icon_class</a></li> Allow Unleash Clients to Request Feature Flags for Private Repositories</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.4 released with Vault for CI variables and Kubernetes Agent 2020-09-22T00:00:00+00:00 GitLab 13.4 released with Vault for CI variables, Kubernetes Agent, and Security Center… and we’re bringing feature flags to Starter!</h2> At GitLab, we are always focusing on how to help your team reduce risk, increase their efficiency, and accelerate their delivery speed with a platform you love. This month, we’re bringing all sorts of goodness that expands visibility into security, lowers vulnerabilities, improves efficiency, makes the user experience better, and helps your team deploy even faster. We hope that you find these top features, and the 53 other new features</strong> packed in this release, useful.</p> Expanded security capabilities</h2> True to form, this month’s release adds several capabilities to your GitLab DevSecOps kit. First, secrets stored in HashiCorp Vault can now be injected into CI/CD jobs</a> as part of the build and deploy process. Next, organizations who want to maintain a separation of code deployment duties can promote specific users with Reporter access to the role of Deployer</a>. The Deployer role follows the principle of least privilege access, allowing them to approve merge requests and deploy code to protected environments without requiring access to modify the code itself. Another way you can reduce risk is by using the new GitLab Agent for Kubernetes</a>. Operators can deploy to their Kubernetes clusters from GitLab without the need to open their cluster to the entire Internet. We are also introducing automatic versioning support for new Terraform state files with GitLab Managed Terraform state</a> to support compliance and debugging needs. Last but not least, the Instance Security Dashboard has evolved into the GitLab Security Center</a> featuring Vulnerability Reporting and Settings.</p> Better UX & efficiency</h2> We’ve improved our global search capabilities with quick navigation from the search bar</a> to quickly jump to recent issues, groups, projects, settings, and Help topics. We're excited about GitLab Pages Redirects</a> for redirecting individual pages and directories within a site, which makes users more efficient at deploying pages sites. And for those who have been wishing for enhanced deployment information, this release enables you to manage hundreds of supported project deployments from the Environments dashboard</a>. Tada! 🎉</p> Open source contribution highlights</h2> We’re introducing inline code coverage remarks inside MR diffs</a>, (contributed by this month's MVP, Fabio Huser</a>!), providing developers a visual representation of code coverage in the Merge Request diff when doing a review. Knowing whether modified code is covered by a unit test helps speed up code reviews and time to merge and deploy a feature. We have moved feature flags to Starter</a> and plan to move feature flags to Core in 13.5</a>.</p> But wait, wait… there’s more!</h3> As usual, we have way too little space, but still lots and lots of new things we packed into 13.4 to tell you about. Here are a few more of them:</p> List and revoke Personal Access Tokens via API</a></li> Revoke PATs for self-managed credential inventory</a></li> Child pipelines can now trigger their own child pipelines</a></li> Mark a to-do as Done in the Design View</a></li> GitLab Runner 13.4 released</a></li> GitLab chart improvements</a></li> Smartcard authentication support for GitLab Helm chart</a></li> </ul> If you'd like to preview what's coming in next month’s release, be sure to check out our 13.5 kickoff video</a>!</p> GitLab Patch Release: 13.3.6 2020-09-14T00:00:00+00:00 Today we are releasing version 13.3.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> More verbose error message when creating extension</a></li> Fixes Auto DevOps multiple hosts with comma and space split</a></li> Enable secret detection in MR Widget</a></li> Atomically create table and its partitions</a></li> Use 'read' method to get request body in Conan</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.3.5, 13.2.9 and 13.1.11 2020-09-04T00:00:00+00:00 Today we are releasing versions 13.3.5, 13.2.9 and 13.1.11 for GitLab Community Edition and Enterprise Edition.</p> These versions are resolving a high severity functionality bug from earlier security release</a>, as well as a number of other earlier regressions.</p> GitLab Community Edition and Enterprise Edition</h2> GitLab 13.3.5</h3> Update the 2FA user check to use timestamps</a></li> Coerce string object storage options to booleans</a></li> Fix Jira importer user mapping limit</a></li> Fix auto-deploy-image external chart dependencies</a></li> Fix ActiveRecord::IrreversibleOrderError during restore from backup</a></li> Fix wrong caching logic in ProcessRefChangesService</a></li> Do not set default values for deprecated fdw settings</a></li> Add path helper method for vulnerability todo</a></li> </ul> GitLab 13.2.9</h3> Update the 2FA user check to use timestamps</a></li> Fix ActiveRecord::IrreversibleOrderError during restore from backup</a></li> Update deprecated os messages</a></li> Add rhel 8 to helper and selinux files</a></li> Geo - Create repository updated events when mirrors are updated</a></li> Fix hanging info/refs cache when error occurs</a></li> </ul> GitLab 13.1.11</h3> Update the 2FA user check to use timestamps</a></li> Fix ActiveRecord::IrreversibleOrderError during restore from backup</a></li> Geo - Create repository updated events when mirrors are updated</a></li> Fix hanging info/refs cache when error occurs</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.3.4, 13.2.8, and 13.1.10 2020-09-02T00:00:00+00:00 Attention</h2> Versions 13.3.3, 13.2.7, and 13.1.9 were improperly packaged and did not contain the security fixes outlined below. We've released 13.3.4, 13.2.8, and 13.1.10 to correct the packaging error. See #1176</a> for details and corrective actions on the packaging error.</p> Today we are releasing versions 13.3.4, 13.2.8 and 13.1.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Vendor Cross-Account Assume-Role Attack</h2> GitLab EKS integration was vulnerable to a cross-account assume role attack which could allow privileged access and possibly AWS account takeover. This issue is now mitigated in the latest release and is assigned CVE-2020-13318</a>.</p> Versions Affected</h3> Affects GitLab 8.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Stored XSS on the Vulnerability Page</h2> GitLab was vulnerable to a stored XSS on the standalone vulnerability page. This issue is now mitigated in the latest release and is assigned CVE-2020-13301</a>.</p> Thanks xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Outdated Job Token Can Be Reused to Access Unauthorized Resources</h2> GitLab was not validating that job tokens were associated with running jobs. This issue is now mitigated in the latest release and is assigned CVE-2020-13284</a>.</p> Versions Affected</h3> Affects GitLab 11.3 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> File Disclosure Via Workhorse File Upload Bypass</h2> Conan package upload functionality was not properly validating the supplied parameters, which resulted the limited files disclosure. This issue is now mitigated in the latest release and is assigned CVE-2020-13298</a>.</p> Thanks ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Unauthorized Maintainer Can Edit Group Badge</h2> An unauthorized project maintainer could edit the subgroup badges due to the lack of authorization control. This issue is now mitigated in the latest release and is assigned CVE-2020-13313</a>.</p> Thanks ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Denial of Service Within Wiki Functionality</h2> An internal investigation revealed that GitLab's Wiki was vulnerable to a parser attack that prohibits anyone from accessing the Wiki functionality through the user interface. This issue is now mitigated in the latest release and is assigned CVE-2020-13311</a>.</p> Versions Affected</h3> Affects all GitLab versions prior 13.0.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Sign-in Vulnerable to Brute-force Attacks</h2> GitLab was vulnerable to brute-force attacks due to an improper handling of sign-in parameters. This issue is now mitigated in the latest release and is assigned CVE-2020-13289</a>.</p> Versions Affected</h3> Affects GitLab 8.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Invalidated Session Allows Account Access With an Old Password</h2> Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password. This issue is now mitigated in the latest release and is assigned CVE-2020-13302</a>.</p> Thanks rogov</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 7.11 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> GitLab Omniauth Endpoint Renders User Controlled Messages</h2> GitLab Omniauth endpoint allowed a malicious user to submit content to be displayed back to the user within error messages. This issue is now mitigated in the latest release and is assigned CVE-2020-13314</a>.</p> Thanks h33t</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 7.1 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Blind SSRF Through Repository Mirroring</h2> GitLab was vulnerable to a blind SSRF attack through the repository mirroring feature. This issue is now mitigated in the latest release and is assigned CVE-2020-13309</a>.</p> Thanks sky003</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Information Disclosure Through Incorrect Group Permission Verifications</h2> GitLab was vulnerable to information disclosure by not performing proper verification on permissions for confidential epics. This issue is now mitigated in the latest release and is assigned CVE-2020-13287</a>.</p> Thanks ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> No Rate Limit on GitLab Webhook Feature</h2> GitLab Webhook feature could be abused to perform denial of service attacks due to the lack of rate limitation. This issue is now mitigated in the latest release and is assigned CVE-2020-13306</a>.</p> Thanks noddyn12</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> GitLab Session Revocation Feature Does Not Invalidate All Sessions</h2> The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session. This issue is now mitigated in the latest release and is assigned CVE-2020-13299</a>.</p> Thanks vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> OAuth Authorization Scope for an External Application Can Be Changed Without User Consent</h2> GitLab was vulnerable to an OAuth authorization scope change without user consent in the middle of the authorization flow. This issue is now mitigated in the latest release and is assigned CVE-2020-13300</a>.</p> Thanks fushbey for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.3 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Unauthorized Maintainer Can Delete Repository</h2> A project Maintainer was able to delete a repository through GraphQL due to insufficient verification of permissions. This issue is now mitigated in the latest release and is assigned CVE-2020-13317</a>.</p> Thanks ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 12.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Verification of Deploy-Key Leads to Access Restricted Repository</h2> Due to improper verification of permissions, an unauthorized user can access a private repository within a public project. This issue is now mitigated in the latest release and is assigned CVE-2020-13303</a>.</p> Thanks ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Disabled Repository Still Accessible With a Deploy-Token</h2> GitLab was not validating a Deploy-Token and allowed a disabled repository be accessible via a git command line. This issue is now mitigated in the latest release and is assigned CVE-2020-13316</a>.</p> Thanks vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Duplicated Secret Code Generated by 2 Factor Authentication Mechanism</h2> Same 2 factor Authentication secret code was generated which resulted an attacker to maintain access under certain conditions. This issue is now mitigated in the latest release and is assigned CVE-2020-13304</a>.</p> Thanks rgupt</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Lack of Validation Within Project Invitation Flow</h2> GitLab was not invalidating project invitation link upon removing a user from a project. This issue is now mitigated in the latest release and is assigned CVE-2020-13305</a>.</p> Thanks rgupt</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Current Sessions Not Invalidated Upon Enabling 2 Factor Authentication</h2> GitLab was not revoking current user sessions when 2 factor authentication was activated allowing a malicious user to maintain their access. This issue is now mitigated in the latest release and is assigned CVE-2020-13307</a>.</p> Thanks xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Users Without 2 Factor Authentication Can Be Blocked Accessing GitLab</h2> A user without 2 factor authentication enabled could be prohibited from accessing GitLab by being invited into a project that had 2 factor authentication inheritance. This issue is now mitigated in the latest release and is assigned CVE-2020-13308</a>.</p> Thanks marshall0705 for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Lack of Upper Bound Check Leading to Possible Denial of Service</h2> The profile activity page was not restricting the amount of results one could request, potentially resulting in a denial of service. This issue is now mitigated in the latest release and is assigned CVE-2020-13315</a>.</p> Thanks brandonnnn</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 11.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> 2 Factor Authentication for Groups Was Not Enforced Within API Endpoint</h2> When 2 factor authentication was enabled for groups, a malicious user could bypass that restriction by sending a specific query to the API endpoint. This issue is now mitigated in the latest release and is assigned CVE-2020-13297</a>.</p> Thanks xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> GitLab Runner Denial of Service via CI Jobs</h2> It was possible to make the gitlab-runner process crash by sending malformed queries, resulting in a denial of service. This issue is now mitigated in the latest release and is assigned CVE-2020-13310</a>.</p> Versions Affected</h3> Affects all previous versions of GitLab Runner.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update websocket-extensions Gem</h2> The websocket-extensions gem has been upgraded to 0.1.5. This upgrade includes a security fix for CVE-2020-7663</a>.</p> Update jQuery Dependency</h2> The jQuery dependency has been upgraded to 3.5 . This upgrade includes a security fix for CVE-2020-11022</a></p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.3.2 2020-08-28T00:00:00+00:00 Today we are releasing version 13.3.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Prevent accidental group deletion if path rename fails</a></li> Fix create snippet disabled on empty file path</a></li> Fix race condition in concurrent backups</a></li> Fix exception handling when a concurrent backup fails</a></li> Fix hanging info refs cache when error occurs</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.3.1 2020-08-25T00:00:00+00:00 Today we are releasing version 13.3.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.3 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix a bug with promoting Issues with attachments to Epics</a></li> Geo: Apply selective sync to container repo updates</a></li> Geo: Apply selective sync to design repo updates</a></li> Avoid creating diff position when line-code is nil</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.3 released with coverage-guided fuzz testing and a build matrix for CI/CD 2020-08-22T00:00:00+00:00 DevSecOps helps teams detect and resolve faults and vulnerabilities early in the software development process. In GitLab 13.3, building secure software is easier with fuzz testing in your development workflow. With coverage-guided fuzz testing</strong> and on-demand DAST (Dynamic Application Security Testing)</strong>, discovering real-world software vulnerabilities is faster and more efficient. At the same time, releasing code more frequently is made simpler with the new build matrix for CI/CD</strong>. Finally, the Pod health dashboard</strong> increases Ops' efficiency by reducing their context switching: all Kubernetes pods health primitives are in the dashboard. We hope that you find these top features, and the 69 new features</strong> packed in this release, useful.</p> Faster remediation: Find and prevent defects and vulnerabilities earlier</h2> With coverage-guided fuzz testing</a>, it's now easier to efficiently surface and solve vulnerabilities in C, C++, and Go. In GitLab 13.3 all our SAST (Static Application Security Testing) analyzers are available to everyone</a> and it has never been easier to set them up</a>. Finally, running DAST from the GUI</a> is now more convenient. More importantly, security staff can tackle vulnerabilities faster by leveraging the new vulnerability evidence</a> included in the DAST output.</p> Reduce cycle time, release more frequently</h2> Building powerful workflows is now easy with the new build matrix</a>: define keys and values once, release and deploy multiple times. Teams can increase velocity by measuring Merge Request throughput now available in the MR Analytics Dashboard</a>. Also, MR authors can now integrate code faster by acknowledging their code review requests have been answered at a glance</a>. This acknowledgment of fulfilled duties by different roles in MRs are now traceable in the Compliance Dashboard</a>. Maintainers can also suggest to their contributors a Squash Commit policy</a>. Lastly, rollouts can be more targeted and controlled using the newly named feature flags strategy called Percentage of Users</a>.</p> Enable your delivery teams to be more productive and efficient</h2> Software development is mostly about building and distributing packages. To make that easier and with usability in mind, we overhauled the whole Package registry</a> GUI and made it available for everyone in Core</a>. Plus, it has never been easier to publish NuGet packages</a> in an automated way. Once deployed, your teams won't need to worry about the health of their systems. All relevant action can be now taken based on information from the Pod health dashboard</a>.</p> It doesn’t stop here: there is more!</h3> GitLab is used by companies with thousands of users in teams working synchronously and asynchronously across continents. To do so, we are focused on improving its fault tolerance</a> and read/write operation synchronicity</a> on every release. Overall, we are making GitLab lightning fast</a> across the globe.</p> Here are several other cool features that you should check out:</p> Change the sort order of designs</strong></a></li> JUnit reports are now much easier to read and understand</strong></a></li> Feature flag strategy will now show in your feature flag view</strong></a></li> Manage IT Incidents</strong></a></li> </ul> If you'd like to preview what's coming in the next</em> release, be sure to check out our 13.4 kickoff video</a>!</p> GitLab Critical Security Release: 13.2.6, 13.1.8, 13.0.14 2020-08-18T00:00:00+00:00 Note: due to a packaging problem, our previous release (published and communicated earlier today/Aug 18</a>) did not include the security fixes mentioned in the accompanying blog post for the GitLab Community Edition package. The new, just released versions of GitLab Enterprise Edition and GitLab Community Edition now contain all the necessary fixes for all versions. Please update all packages immediately. ***</p> Today we are releasing versions 13.2.6, 13.1.8, 13.0.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Deploy Token Access Control</h3> An authorization issue discovered in the deploy token handling allowed read access to public projects with restricted repositories. This issue is now mitigated in the latest release and is assigned CVE-2020-13296</a>.</p> Thanks @ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 10.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Critical Security Release: 13.2.5, 13.1.7, 13.0.13 2020-08-18T00:00:00+00:00 Update: As of 17:00 UTC, August 18, 2020 both our GitLab Enterprise Edition and GitLab Community Edition versions contain all of the fixes listed below. The related blog post with new version numbers is here</a>.</h3> Due to a packaging problem, the GitLab Community Edition packages do not include the security fixes mentioned in this blog post. We are currently working on releasing new versions of both our GitLab Enterprise Edition and GitLab Community Edition, to ensure both contain all the necessary fixes. We will publish a separate blog post when these packages have been published.</strong></del></p> Today we are releasing versions 13.2.5, 13.1.7, 13.0.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Deploy Token Access Control</h3> An authorization issue discovered in the deploy token handling allowed read access to public projects with restricted repositories. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.</p> Thanks @ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 10.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.2.4 2020-08-11T00:00:00+00:00 Today we are releasing version 13.2.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Create issue automatically from Prometheus alert</a></li> docs: Fix a typo in realtime feedback CI YAML</a></li> Preload all associations in Vulnerability GraphQL API</a></li> Add decompressed archive size validation</a></li> </ul> Omnibus GitLab</h2> Fix Geo replication resuming PG query</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.2.3, 13.1.6 and 13.0.12 2020-08-05T00:00:00+00:00 Today we are releasing versions 13.2.3, 13.1.6 and 13.0.12 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Previously fixed (in 12.9.1): Arbitrary File Read when Moving an Issue</h2> Recently, a GitLab user posted a blog about the exploitation of a known vulnerability which has been previously disclosed and assigned CVE-2020-10977</a>. GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects.</p> This issue was remediated and patched in the 12.9.1 release</a> in March 2020.</p> We strongly recommend that all users confirm they are running the latest version of GitLab to ensure they are up-to-date with current security releases. Users should update immediately if possible. If upgrading immediately is not possible for some reason, public registration should be disabled.</p> Memory Exhaustion via Excessive Logging of Invite Email Error</h2> Excessive error logging related to an invitation email being sent to members of a deleted group could potentially cause memory exhaustion on lower resource machines. This issue is now mitigated in the latest release and is assigned CVE-2020-13280</a>.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Denial of Service Through Project Import Feature</h2> The project import feature did not perform size checks before decompressing data, potentially resulting in a denial of service. This issue is now mitigated in the latest release and is assigned CVE-2020-13281</a>.</p> Thanks @u3mur4</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 8.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> User Controlled Git Configuration Settings Resulting in SSRF</h2> When importing a repository via URL, the git http.<url>.proxy</code> setting could be changed and lead to server-side request forgery. This issue is now mitigated in the latest release and is assigned CVE-2020-13286</a>.</p> Thanks @vakzz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 12.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Stored XSS in Issue Reference Number Tooltip</h2> For some browsers, the tooltip for issue reference numbers could result in stored XSS on mouseover. This issue is now mitigated in the latest release and is assigned CVE-2020-13285</a>.</p> Thanks @yvvdwf</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Stored XSS in Issues List via Milestone Title</h2> The milestone title field can lead to stored XSS when viewed under certain conditions on the issue list. This issue is now mitigated in the latest release and is assigned CVE-2020-13283</a>.</p> Thanks @mike12</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 10.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Access Control After Group Transfer</h2> Members of a parent group silently and unexpectedly maintained their access levels when a subgroup is transferred. This issue is now mitigated in the latest release and is assigned CVE-2020-13282</a>.</p> Thanks @kryword</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Bypass Email Verification Required for OAuth Flow</h2> The required email verification for the OAuth authorization code flow could be bypassed, which potentially could affect third party applications that use GitLab as an identity provider. This issue is now mitigated in the latest release and is assigned CVE-2020-13292</a>.</p> Thanks @cache-money</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Confusion When Using Hexadecimal Branch Names</h2> Using a branch with a hexadecimal name could override an existing hash. This issue is now mitigated in the latest release and is assigned CVE-2020-13293</a>.</p> Thanks @retroplasma</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insufficient OAuth Revocation</h2> Access grants were not revoked when a user revoked access to an application. This issue is now mitigated in the latest release and is assigned CVE-2020-13294</a>.</p> Thanks @benaubin</a>, @whitehattushu</a>, and @lauritz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 7.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Access Control for Project Sharing</h2> Project sharing could temporarily allow too permissive access. This issue is now mitigated in the latest release and is assigned CVE-2020-13291</a>.</p> Versions Affected</h3> Affects GitLab 13.2 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Stored XSS in Jobs Page</h2> A stored XSS was identified in the CI/CD Jobs page. This issue is now mitigated in the latest release and is assigned CVE-2020-13288</a>.</p> Thanks @mike12</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 13.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Improper Access Control of Applications Page</h2> Users without two-factor authentication set up can still access the /profile/applications</code> page even when two-factor authentication is required. This issue is now mitigated in the latest release and is assigned CVE-2020-13290</a>.</p> Thanks @brdoors3</a> for responsibly reporting this vulnerability to us and @melar_dev</a> for providing additional important details.</p> Versions Affected</h3> Affects GitLab 8.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> SSRF into Shared Runner</h2> By replacing dockerd with a malicious server, a SSRF was possible into the Shared Runner. This issue is now mitigated in the latest release and is assigned CVE-2020-13295</a>.</p> Thanks @lucash-dev</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all versions of GitLab Runner.</p> Remediation</h3> We strongly recommend</strong> that all installations of GitLab Runner</strong> are upgraded</a> to the latest version as soon as possible.</p> Update Kramdown Gem</h2> The kramdown gem has been upgraded to 2.3.0. This upgrade include a security fix for CVE-2020-14001</a>.</p> Versions Affected</h3> Affects GitLab 13.2 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>. To update Gitlab Runner, see the Updating the Runner page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.2.2 2020-07-30T00:00:00+00:00 Today we are releasing version 13.2.2 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Coerce repository_storages_weighted, removes repository_storages</a></li> Add issue to iteration docs</a></li> Fix jira import users startAt parameter</a></li> Better error message for unconfirmed users when using git</a></li> Handle special cases when mass unconfirming users</a></li> </ul> Omnibus GitLab</h2> Disable crond if LetsEncrypt disabled</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.2.1 2020-07-24T00:00:00+00:00 Today we are releasing version 13.2.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.2 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Geo: Fix package file backfill with sync object storage disabled</a></li> Limit database deprecation notice window</a></li> Enables diff file-by-file navigation by default</a></li> Fix merge request approvals for EE without license</a></li> Disable security scanner alerts</a></li> DAG visualization FF: Update default to true in HAML</a></li> Fix local tiller default enabled inconsistency</a></li> Fix JS error when discussion has no diff_file</a></li> Resolve "Fix missing path for avatars of bots"</a></li> Resolve "Pasting an image into a comment also uploads design"</a></li> Shorten "enable LFS" message for design management</a></li> Add "more information" to Design Management LFS message</a></li> </ul> Omnibus GitLab</h2> Make actioncable recipe and control files match new runit requirement</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.1.5 2020-07-24T00:00:00+00:00 Today we are releasing version 13.1.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 13.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix: Geo file downloads can block Sidekiq threads</a></li> Geo: Fix inaccurate "Synchronization disabled" progress bars</a></li> Fix location of k3d install script in QA dockerfile</a></li> </ul> Omnibus GitLab</h2> Fix: Sidekiq will now fail to configure if sidekiq_cluster config is used</a></li> Fix: Implement a version check for docker</a></li> Use gitlab-depscan script from specific commit</a></li> Make actioncable recipe and control files match new runit requirement</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.2 released with Planning Iterations and Load Performance Testing 2020-07-22T00:00:00+00:00 GitLab 13.2 now helps teams streamline project planning</strong> with milestone iterations, collaborate better for faster feedback</strong> with diff changes for wiki pages, and improve overall performance/efficiency</strong> with load performance testing.</p> Streamline agile project planning and management</h2> Managing workflows and planning tasks for different teams can add a significant amount of development disruption to your day. In releasing our Minimal Viable Change (MVC)</a> of iterations</strong></a> to break down work into smaller, more manageable, chunks, we're lessening this disruption and making project planning easier – with many enhancements to come. If your team leverages Jira for project management, it's now easier for you to view Jira issues in GitLab</strong></a> because we believe that GitLab should play well with others</a> and balance integrations with native capabilities. If you're using epics to plan and manage large projects, then you can now protect sensitive content with confidential epics</strong></a>. When you need to update several related epics, you can now bulk edit epics</strong></a> to reduce your "tab overload" and the number of clicks it takes to update.</p> Better collaboration for faster feedback</h2> Clear communication is key to effective collaboration because it enables development teams to get faster feedback on changes before pushing them to production. The ability to diff changes for wiki pages</strong></a> now makes edit history comparisons between page versions quicker and simpler, similar to viewing files in a repository. Realtime feedback for</strong> .gitlab-ci.yml</code> in the Web IDE</strong></a> makes updating your CI pipeline more efficient by enabling realtime linting and autocompletion. Now you don't have to remember all of the parameters when configuring your CI pipeline or switch contexts to get the information you need.</p> Designers are incredibly important members of the team and 13.2 includes great improvements to design management. It's now easier to find designs in an issue</strong></a> so it takes less time, and the official GitLab Figma plugin</strong></a> simplifies the process of uploading from Figma to issues on GitLab.com.</p> Improved performance and efficiency</h2> 13.2 delivers new updates to improve your team's efficiency and performance. You can now take advantage of advanced global search on GitLab.com</strong></a>, a capability that improves search relevancy, performance, and allows for group-wide searches across all projects directly in the UI. Application performance is a challenge every development team faces and now load performance testing</strong></a> in GitLab makes it easy to run custom load tests as part of your CI/CD pipelines to better understand how your application will perform under stress.</p> Nowadays, it seems like everyone is working from home and are "distributed" more than ever. GitLab Geo helps remote teams work more efficiently by using a local GitLab node, and now offers improved replication performance for projects</strong></a> to ensure local content is fresh. Last but not least, GitLab includes CI test results within Release Evidence</strong></a> for easy access in the event you need to provide compliance data or a more efficient way to show relevant changes to production during audit.</p> And much much more!</h3> There’s never enough space to highlight all the great features in our releases. An important development for package management that's worth noting: GitLab now supports the PHP dependency manager, Composer, so you can discover, share, and install PHP dependencies using GitLab's Composer Repository with ease</strong></a>.</p> Here are several other cool features that you should check out:</p> Associate Feature Flags with related issues</strong></a></li> Container Host Monitoring and Blocking</strong></a></li> IBM z/OS Mainframe support for GitLab Runner</strong></a>.</li> Code Quality Merge Request widget moved to Core</strong></a></li> </ul> If you'd like to preview what's coming in the next</em> release, be sure to check out our 13.3 kickoff video</a>!</p> GitLab Patch Release: 13.0.10 2020-07-09T00:00:00+00:00 Today we are releasing version 13.0.10 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in May's 13.0 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix gitlab::check Rake tasks</a></li> Run vacuumdb with 2 commands simultaneously</a></li> Geo - Does not sync LFS objects from fork networks</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.1.4 2020-07-09T00:00:00+00:00 Today we are releasing version 13.1.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 13.1 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Resolve "Merge request approval button style inadvertently changed"</a></li> Enable code_navigation for feature specs</a></li> Document the doctor:secrets rake task</a></li> Fix conflict on the migration that adds routes for orphaned projects</a></li> Fix existing repository_storages_weighted migrations</a></li> Fix error 500s creating new projects due to empty weights</a></li> Fix gitlab::check Rake tasks</a></li> Geo - Does not sync LFS objects from fork networks</a></li> </ul> Omnibus GitLab</h2> Ensure we are properly restarting the unicorn service</a></li> Absolute SSL path should work for postgres recipe</a></li> Run vacuumdb with 2 commands simultaneously</a></li> </ul> Gitaly</h2> Add GL_PROJECT_PATH for custom hooks </a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 13.1.3, 13.0.9 and 12.10.14 2020-07-06T00:00:00+00:00 Today we are releasing versions 13.1.3, 13.0.9 and 12.10.14 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Workhorse bypass allows files in /tmp to be read via Maven Repository APIs</h2> The Maven package upload endpoint could be used to override restrictions and result in the GitLab Workhorse disclosing the existence and contents of files in the /tmp</code> directory. This issue is now mitigated in the latest release and is assigned CVE-2020-15525</a>.</p> Thanks @ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 11.3 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Maven package upload broken in 12.10.14</h3> The fix for this security issue caused a regression in the 12.10 code base. Uploading Maven packages no longer works, generating the error 400 Bad Request</code>.</p> For more information, see the issue</a>.</p> The GitLab Maven Repository is a Premium feature in GitLab 12.10. Premium and Ultimate customers running GitLab 12.10 who use the Maven Repository feature should upgrade to 13.0.9 or higher.</p> Our documented upgrade path from 12.10 to 13.x specifies that the last 12.10 patch release should be one of the steps. This is to ensure that any code updates required for upgrading are installed. Customers using the Maven Repository would be advised to use 12.10.13 as the last 12.10 patch release, and upgrade to a 13.0.9 or higher as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Security Release: 13.1.2, 13.0.8 and 12.10.13 2020-07-01T00:00:00+00:00 Today we are releasing versions 13.1.2, 13.0.8 and 12.10.13 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> Missing Permission Check on Time Tracking</h2> It was possible to add time spent on a issue without being a project member. This issue is now mitigated in the latest release and is assigned CVE-2020-13319</a>.</p> Thanks @ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in PyPi Files API</h2> Under certain conditions, requests involving the PyPi files API could result in an XSS vulnerability. This issue is now mitigated in the latest release and is assigned CVE-2020-13328</a>.</p> Thanks @vakzz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 13.1 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insecure Authorization Check on Private Project Security Dashboard</h2> Under certain conditions, a project member with Guest permissions was allowed to view the project security dashboard.This issue is now mitigated in the latest release and is assigned CVE-2020-13320</a>.</p> Thanks @vaib25vicky</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.8 to 13.1.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in References</h2> A stored cross-site scripting vulnerability was discovered when editing references. This issue is now mitigated in the latest release and is assigned CVE-2020-13338</a>.</p> Thanks @vakzz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 8.10.0 to 13.1.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Group Names</h2> An internal investigation revealed that Group Names could be used to store XSS payloads. TThis issue is now mitigated in the latest release and is assigned CVE-2020-13327</a>.</p> Versions Affected</h3> Affects GitLab EE 12.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Blob Viewer</h2> A stored XSS vulnerability was discovered in the blob viewer feature. This issue is now mitigated in the latest release and is assigned CVE-2020-13329</a>.</p> Thanks @yvvdwf</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Error Tracking</h2> A stored cross-site scripting payload could be injected in the Error Tracking page. This issue is now mitigated in the latest release and is assigned CVE-2020-13336</a>.</p> Thanks @mike12</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insecure Authorisation Check on Creation and Deletion of Deploy Tokens</h2> An insecure authorization check allowed project members with Maintainer role to create and delete deploy tokens. This issue is now mitigated in the latest release and is assigned CVE-2020-13322</a>.</p> Thanks @ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> User Name Format Restiction Bypass</h2> Username format restrictions could be bypassed allowing for html tags to be added. TThis issue is now mitigated in the latest release and is assigned CVE-2020-13321</a>.</p> Thanks @zseano</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all versions of GitLab.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Denial of Service in Issue Comments</h2> A denial of service vulnerability involving the comments on an issue was discovered. This issue is now mitigated in the latest release and is assigned CVE-2020-13325</a>.</p> Thanks @tiradorngpilipinas for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Wiki Pages</h2> A stored cross-site scripting vulnerability was discovered in the Wiki upload feature. This issue is now mitigated in the latest release and is assigned CVE-2020-13331</a>.</p> Thanks @semsem123</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.10 and older.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Private Merge Request Updates Leaked via Todos</h2> An internal investigation revealed that updates to private merge requests could be disclosed to removed project members. This issue is now mitigated in the latest release and is assigned CVE-2020-13323</a>.</p> Versions Affected</h3> Affects all versions of GitLab.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Private User Activity Leaked via API</h2> Under certain conditions the private activty of an user could be exposed via the API. TThis issue is now mitigated in the latest release and is assigned CVE-2020-13324</a>.</p> Thanks @ngalog</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 9.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Bitbucket Import Feature</h2> A stored XSS vulnerability could be exploited using the Bitbucket project import feature. This issue is now mitigated in the latest release and is assigned CVE-2020-13330</a>.</p> Thanks @saltyyolk of Chaitin Tech</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 11.2 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Github Project Restriction Bypass</h2> It was possible to bypass the restriction of importing projects from Github via the API. This issue is now mitigated in the latest release and is assigned CVE-2020-13326</a>.</p> Thanks @xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab 11.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update PCRE Dependency</h2> The lippcre in PCRE has been upgraded from 8.42 to 8.44. This upgrade includes a security fix for CVE-2020-14155.</p> Versions Affected</h3> Affects all previous versions of GitLab Omnibus.</p> Update Kaminari Gem</h2> Using Kaminari before 1.2.1, an attacker could inject arbitrary code into pages with pagination links. This upgrade includes a security fix for CVE-2020-11082.</p> Versions Affected</h3> Affects all previous versions of GitLab Omnibus.</p> Update Xterm.js</h2> A remote code execution exists in xterm.js before 3.9.2. This upgrade includes a security fix for CVE-2019-0542.</p> Versions Affected</h3> Affects all previous versions of GitLab Omnibus.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 13.0.7 2020-06-25T00:00:00+00:00 Today we are releasing version 13.0.7 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 13.0 release</a> and prior versions.</p> Group authorization refresh to consider shared groups</a></li> Pass int when getting I18n VSA stage summary title</a></li> Use ProxyVariableSubstitutionService for variable substitution in alerts</a></li> Fix relative URL root in wiki_base_path</a></li> Adjust wrong column reference for ResetMergeStatus (background job)</a></li> Fix geo timeout issue with pg-upgrade</a></li> Manually disable copy_file_range() on RedHat kernels</a></li> Fix Auto DevOps Postgresql PVC deletion</a></li> Periodically recompute project authorizations</a></li> Load user before logging git http-requests</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 12.10.12 2020-06-25T00:00:00+00:00 Today we are releasing version 12.10.12 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 12.10 release</a> and prior versions.</p> Manually disable copy_file_range() on RedHat kernels</a></li> Fix geo timeout issue with pg-upgrade</a></li> Correctly count wiki pages in sidebar</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.1.1 2020-06-24T00:00:00+00:00 Today we are releasing version 13.1.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.1 release</a> and prior versions.</p> Bump gitlab-mail_room to 0.0.6</a></li> Load user before logging git http-requests</a></li> Do not mask key comments for DeployKeys</a></li> Fix templating vars set from URL in Metrics Dashboards</a></li> Periodically recompute project authorizations</a></li> Fixes status dropdown</a></li> Update to Grafana 7</a></li> Manually disable copy_file_range() on RedHat kernels</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 13.1 released with Alert Management and Code Quality Enhancements 2020-06-22T00:00:00+00:00 GitLab 13.1 is now available, bringing you expanded alert management</strong>, new tools to help you track and improve code quality</strong>, and more ways to keep your code secure and compliant</strong>.</p> Automate and expand Alert Management</h2> Alerts are essential to application maintenance, but understanding and triaging the range of alerts thrown can dramatically reduce productivity and response time. GitLab’s Alert Management</a> aggregates and ranks IT alerts from all of your services to simplify assessment and remediation, increasing productivity and helping you research and address critical issues right away. Key features in 13.1 include alert assignments</a>, Slack integration</a>, and creating GitLab To-Dos when assigning alerts</a>.</p> Improve code quality</h2> Deployment velocity only matters if you’re deploying high quality code. By prioritizing tests on recently modified code</a>, developers can address errors immediately, without running an entire test suite. Code coverage tracking over time</a> surfaces quality trends to developers and managers alike, and native code intelligence</a> boosts the speed and accuracy of code reviews by integrating reference material directly into GitLab.</p> Enhance and extend security and compliance</h2> Security matters to everyone, and we're committed to lowering the barriers to a fully secure, compliant SDLC. That's why we're happy to announce that we've migrated Brakeman SAST scanning to Core</a>, allowing every Rails developer—at every product tier—to scan their source code for known vulnerabilities. For compliance-focused organizations, we've released a policy management UI</a> for network container policies, and we've enabled group-level vulnerability exports</a> to a CSV file for audits or further internal review. In addition, we've made helpful UX improvements to the Security Dashboard, adding persistent filters</a> and issue status icons</a> to help maintain context as you work within the tool.</p> And much more!</h2> These are just a few of the highlights in 13.1. For this release, we also achieved a new milestone in terms of community contribution. For the first time, more than 300 MRs from the wider community</a> were merged during the release period, and we appreciate everyone's contributions! Read on to learn more about other fantastic productivity improvements, such as Accessibility Testing MR Widgets</a>, Design Thread Resolutions</a>, Pipeline Success Notifications</a>, and more!</p> If you'd like to preview what's coming in the next</em> release, be sure to check out our 13.2 kickoff video</a>!</p> GitLab Critical Security Release: 13.0.6, 12.10.11, 12.9.10 2020-06-10T00:00:00+00:00 Today we are releasing versions 13.0.6, 12.10.11, 12.9.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> CI Token Access Control</h2> An authorization issue discovered in the mirroring logic allowed read access to private repositories. This issue is now mitigated in the latest release and is assigned CVE-2020-13277</a>.</p> Thanks to @u3mur4</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 10.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 12.10.10 2020-06-04T00:00:00+00:00 Today we are releasing version 12.10.10 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 12.10 release</a> and prior versions.</p> Fix close issue when user created the issue</a></li> Disable compression for open archive</a></li> Fix Content-Length set prior to SendUrl injection</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.0.5 2020-06-04T00:00:00+00:00 Today we are releasing version 13.0.5 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.0 release</a> and prior versions.</p> Fix NoMethodError when reporting exceptions to Sentry</a></li> Fix ambiguous string concatenation on CleanupProjectsWithMissingNamespace</a></li> Fix multiple issue creation for Generic Alerts</a></li> Fix bug in snippets updating only file_name or content</a></li> Disable compression for open archive</a></li> Fix Content-Length set prior to SendUrl injection</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Critical Security Release: 13.0.4, 12.10.9, 12.9.9 2020-06-03T00:00:00+00:00 Today we are releasing versions 13.0.4, 12.10.9, 12.9.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> CI Token Access Control</h2> An authorization issue discovered in the CI jobs token handling allowed read access to public projects with restricted repositories. This issue is now mitigated in the latest release and is waiting for a CVE ID to be assigned.</p> Thanks to @u3mur4</a> and @enumzero for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 10.6+ and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 12.10.8 2020-05-29T00:00:00+00:00 Today we are releasing version 12.10.8 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in last month's 12.10 release</a> and prior versions.</p> Resolve "Geo: Design thumbnails are not replicated"</a></li> Fix 404s downloading latest build artifacts</a></li> Fix dbvacuum on pgupgrade</a></li> Geo: Fix empty synchronisation status when nothing is synchronised</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 13.0.3 2020-05-29T00:00:00+00:00 Today we are releasing version 13.0.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 13.0 release</a> and prior versions.</p> Suggestion to add more details to DAST_EXCLUDE_RULES variable.</a></li> Add support for including user/groups from parent/ancestors</a></li> Fixed redirection to project snippets</a></li> Resolve "Geo: Design thumbnails are not replicated"</a></li> Fix 404s downloading latest build artifacts</a></li> Update deprecated routes in irker integration</a></li> Fix Auto DevOps manual rollout jobs not being allowed to fail</a></li> Change format of variables parameter in Prometheus proxy API for metrics dashboard</a></li> Update Ruby to 2.6.6</a></li> Update Praefect Grafana dashboards</a></li> Fix warning message in nginx</a></li> Do not run Grafana reset during docker startup</a></li> Fix API performance regression in issues API</a></li> Fix "Close Issue" button by changing target selector</a></li> Confirm protected branch before running checks</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 13.0.1, 12.10.7, 12.9.8 2020-05-27T00:00:00+00:00 Today we are releasing versions 13.0.1, 12.10.7, 12.9.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases</a>: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. You can see all of our regular and security release blog posts here</a>. In addition, the issues detailing each vulnerability are made public on our issue tracker</a> 30 days after the release in which they were patched.</p> We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to at least the latest security release for their supported version. You can read more best practices in securing your GitLab instance</a> in our blog post.</p> User Email Verification Bypass</h2> A security issue allowed users to bypass the email verification process. This issue is now mitigated in the latest release and is assigned CVE-2020-13265</a>.</p> Thanks to @zapprising</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.5 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> OAuth Flow Missing Email Verification Checks</h2> A vulnerability allowed unverified users to use OAuth authorization code flow, which could potentially affect third party applications that use GitLab as an identity provider. This issue is now mitigated in the latest release and is assigned CVE-2020-13272</a>.</p> Thanks to @peet86</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.3+ and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Notification Email Verification Bypass</h2> A vulnerability was identified that allowed users to set an unverified email address as notification email. This issue is now mitigated in the latest release and is assigned CVE-2020-13276</a>.</p> Thanks to @rgupt</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab CE/EE versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Server-Side Request Forgery in Grafana</h2> A vulnerability in Grafana allowed unauthenticated users to send HTTP requests to internal network resources and read their responses. Further details are available on the Grafana blog</a>. This issue is now mitigated in the latest release and is assigned CVE-2020-13379</a>.</p> Thanks to @rhynorater</a> and @nnwakelam</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE/CE 11.9 and later</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Group Sign-Up Restriction Bypass</h2> A user with an unverified address within the restricted domain could request access to domain restricted groups. This issue is now mitigated in the latest release and is assigned CVE-2020-13275</a>.</p> Thanks to @izzsec</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE/CE 12.2 and later</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Mirror Project Owner Impersonation</h2> A security issue related to mirror project deletions could lead to the impersonation of its owner. This issue is now mitigated in the latest release and is assigned CVE-2020-13263</a>.</p> Please note that the edit project API endpoint has been restricted and only admin users have the ability to set the mirror_user_id</code></p> Thanks to @sky003</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 9.5 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Missing Permission Check on Fork Relation Creation</h2> A missing security check allowed guest users to create a fork relation on restricted public projects. This issue is now mitigated in the latest release and is assigned CVE-2020-13270</a>.</p> Thanks @ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 11.3 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting in Repository Files API</h2> Under certain conditions, requests involving the repository files API could result in an XSS vulnerability. This issue is now mitigated in the latest release and is assigned CVE-2020-13271</a>.</p> Thanks @rpadovani</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects all previous GitLab EE versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Kubernetes Cluster Token Disclosure</h2> A security issue made the Kubernetes cluster token visible to other group maintainers. This issue is now mitigated in the latest release and is assigned CVE-2020-13264</a>.</p> Thanks @xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE between 10.3 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Object Storage File Enumeration</h2> A specially crafted request could be used to confirm the existence of files hosted on object storage services, without disclosing their contents. This issue is now mitigated in the latest release and is assigned CVE-2020-13268</a>.</p> Thanks @ledz1996</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Insecure Authorization Check on Project Deploy Keys</h2> An insecure authorization check allowed updating permissions of other users' deploy keys under certain conditions. This issue is now mitigated in the latest release and is assigned CVE-2020-13266</a>.</p> This vulnerability has been discovered internally by the GitLab Security Team.</p> Versions Affected</h3> Affects GitLab CE/EE 12.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting on Metrics Dashboard</h2> A Stored Cross-Site Scripting vulnerability allowed the execution on Javascript payloads on the Metrics Dashboard. This issue is now mitigated in the latest release and is assigned CVE-2020-13267</a>.</p> Thanks @xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Denial of Service on Custom Dashboards</h2> A security issue enabled denial of service attacks via memory exhaustion. This issue is now mitigated in the latest release and is assigned CVE-2020-13273</a>.</p> This vulnerability was discovered internally by the GitLab team.</p> Versions Affected</h3> Affects GitLab CE/EE 12.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Client-Side Code Injection through Mermaid Markup</h2> A specially crafted Mermaid payload allowed performing PUT requests on behalf of other users when clicking on a link. This issue is now mitigated in the latest release and is assigned CVE-2020-13262</a>.</p> Thanks @yvvdwf</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Cross-Site Scripting on Static Site Editor</h2> A Reflected Cross-Site Scripting has been discovered on the Static Site Editor. This issue is now mitigated in the latest release and is assigned CVE-2020-13269</a>.</p> Thanks @bull</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.10 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Disclosure of Amazon EKS Credentials</h2> Amazon EKS Credentials were disclosed to other administrators of an instance through HTML source code. This issue is now mitigated in the latest release and is assigned CVE-2020-13261</a>.</p> Thanks @xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab CE/EE 12.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Denial of Service on Workhorse</h2> A security issue allowed achieving Denial of Service attacks through memory exhaustion by uploading malicious artifacts. This issue is now mitigated in the latest release and is assigned CVE-2020-13274</a>.</p> This vulnerability has been discovered internally by the GitLab Team.</p> Versions Affected</h3> Affects all previous GitLab CE/EE versions.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update Ruby</h2> Ruby upgrades to version 2.6.6 have been backported to previous versions of GitLab. This upgrade includes security fixes for CVE-2020-8130</a>.</p> Versions Affected</h3> Affects GitLab CE/EE 12.0 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab 13.0 released with Gitaly Clusters, Epic Hierarchy on Roadmaps, and Auto Deploy to ECS 2020-05-22T00:00:00+00:00 Progress since GitLab 12.0</h2> At this milestone release of 13.0, we’d like to take a moment to reflect. We’ve accomplished so much since our 12.0 release! We've put together a blog to recap GitLab 12.0 to 12.10</a>. Three favorites from version 12 releases include: Requirements Management</a>, Container Network Security</a>, and Parent-child pipelines</a>. In addition to product enhancements, we've embraced partnerships/integrations</a>, adding integration guidelines</a> for third-party security scanners, and have grown our professional services</a> to help you with things like Jira and Jenkins migrations. Our new channel, Learn@GitLab</a> makes it easy to find many new how-to videos such as Getting started with CI</a>.</p> Iteration is the key to resilience</h2> GitLab is enabling IT and business teams to adapt, respond, and thrive. Iteration</a> is the key. To do so you must collaborate rapidly, optimize for efficiency, and automate processes to handle security and compliance while you focus on delivering business value. GitLab 13.0 can help you iterate quickly and with greater insight. At the same time, access to Git repositories is critical, and we have enhanced our Gitaly cluster for high availability Git storage</a> to ensure there are always multiple warm replicas ready to take over if an outage occurs.</p> Rapidly collaborate and respond across the entire team</h3> GitLab builds upon capabilities that help with collaborative development</a>, reporting, organizing, and managing work. Version control is foundational to collaboration and, with 13.0, we have added version control for snippets</a>. To manage more complex projects, 13.0 allows you to view the epic hierarchy on your roadmap</a>, view how your epics line up with your various milestones</a>, and add a single or multiple milestones to your releases</a> while alerts upon closing an issue with open blockers</a> help you focus on critical path items.</p> Designers are an important part of the development team. While working on one of the most popular new features, the dark themed web IDE</a>, we learned how</a> to pull designers in to collaborate more closely. At the same time, we moved Design Management to core</a> recognizing users who are designing products as individual contributors.</p> Optimize for efficiency</h3> As many businesses strive to be more responsive and efficient, GitLab helps streamline existing software development processes. New features aimed at efficiency include things like simplified deployment to Amazon ECS</a> and a new consolidated list of alerts</a> that provides a single interface aggregating IT alerts originating from multiple sources. In addition, Terraform users will rejoice. GitLab 13.0 lets you review the summary of terraform plan</code> in Merge Requests</a> and use GitLab as an HTTP Terraform state backend</a>.</p> Trust your processes and don’t sacrifice security or compliance</h3> GitLab helps businesses embrace security and compliance controls end-to-end in the software development lifecycle, reducing risk and freeing up resources to focus on business critical needs. Our Application Security Testing capabilities help you find and fix security vulnerabilities earlier</a> and for these, GitLab was just named as a Niche Player</a> in the 2020 Gartner Magic Quadrant for Application Security Testing. Since Gartner's evaluation of 12.4, we have added many new features. In 13.0 alone we've added the ability to scan REST APIs via DAST</a> and a full commit history scan for secrets</a> for even greater detection. More importantly, we have rearchitected the way we handle vulnerability objects</a>. This enabled the ability to export vulnerabilities from the security dashboard</a> and will unlock many more robust Vulnerability Management</a> capabilities in the future.</p> In addition to security scanning, GitLab automates policies and, with 13.0, provides more granular control with new features such as setting a deployment freeze with the Freeze Period API</a> to easily prevent an unintended production release during a specified period of time. To simplify audits, you can now filter search for instance-level audit events</a> as part of a the larger epic</a>.</p> Looking ahead</h2> We are excited about our upcoming releases</a>, particularly features that will help you:</p> Establish a compliance framework</a> and automatically adopt associated controls and reporting</li> Iterate with better insight with A/B testing</a> and control via several Feature Flag enhancements (filter feature flags by status</a>, A/B testing based on feature flags</a>, and the ability to create feature flag from merge request</a>)</li> Identify bottlenecks and waste by visually depicting Value Stream Analytics stages as a flow</a></li> Manage policies</a> and let GitLab automate their use, including things like an out-of-the-box Container Network Policy set</a></li> Work within an ecosystem to fuzz test</a> application APIs, and read Vault CI variables</a></li> </ul> Want to see the complete list of what’s coming out NEXT month? Our roadmap</a> is transparent and always available for you to contribute!</p> Now, without further ado, check out more fabulous updates in 13.0 below!</p> GitLab Patch Release: 12.10.6 2020-05-15T00:00:00+00:00 Today we are releasing version 12.10.6 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 12.10 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Remove index by name on ci_pipelines</a></li> Extract pages_domain_presenter into a helper fixing related bugs</a></li> GraphQL: ExternallyPaginatedArrayConnection can return incorrect number of items</a></li> Update Epics badge in Issues doc</a></li> Fix incorrect regex used in FileUploader#extract_dynamic_path</a></li> Fix tracking db revert from pg-upgrade</a></li> Ignore the PG_VERSION value if database is not enabled</a></li> Do not set a default value for client side database statement timeout</a></li> Raise using the proper error format</a></li> Ensure we only print the postgres upgrade message when pg is enabled</a></li> Add instance column to services table if it's missing</a></li> </ul> Important notes on upgrading</h2> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 12.10.5 and 12.9.7 2020-05-13T00:00:00+00:00 Today we are releasing version 12.10.5 and 12.9.7 for GitLab Community Edition and Enterprise Edition.</p> With the release of GitLab 12.10.2 and 12.9.5</a> we fixed a security issue that allowed code owner validations to be bypassed if a change was pushed through the Web IDE</a> and File Editor</a> web interfaces. However, we were notified by customers that fixing that bug broke a legitimate workflow that was unintentionally made possible by the bug.</p> To accommodate customers that depended on code owners not explicitly being a member of the project, such as being in the project's parent group or added as a shared group to the project (see this issue</a> for the ongoing development), we are adding the skip_web_ui_code_owner_validations</code> feature flag:</p> Disable the flag</em> to fix the security issue and apply code owner validations for changes done through the web interface. This is the default behavior.</p> Note:</strong> this could break your approval workflow if it relies on code owners being in the parent group of a project without being in the project itself, even for changes that are pushed through the git</code> command-line interface.</p> </li> Enable the flag</em> to allow code owners to be in a parent group without being in the project explicitly. In this state however, changes pushed through the Web IDE or File Editor web interfaces will not require code owner validation.</p> Note:</strong> while the code owner approval requirements can be bypassed, the author of the merge request does not gain the ability to merge the request if they weren’t already a maintainer. This does not also grant the ability for the author of code changes to push their changes using the Web IDE or File Editor if they did not already have permissions to do so. You may want to review your project member permissions and protected branch settings to mitigate any security or compliance issues that may result from enabling this feature flag.</p> </li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Patch Release: 12.10.3 2020-05-04T00:00:00+00:00 Today we are releasing version 12.10.3 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 12.10 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Available in GitLab Core, Starter, Premium, and Ultimate:</p> Disable schema dumping after migrations in production</a></li> Fix a CI failure where no jobs can be requested by and assigned to runners based on certain instance settings</a></li> Escape branch name on backend</a></li> Add LFS badge feature flag to RefsController#logs_tree</a></li> Fix second 500 error with NULL restricted visibility levels</a></li> Fix incorrect commits number in commits list</a></li> Fix errors creating project with active Prometheus service template</a></li> Enable expiring license banner</a></li> Fix CaptureDiffNotePositionService when position is nil</a></li> Fix terraform state init failure</a></li> Move deploy keys section back to repository settings</a></li> Update pagination and limits documentation for projects API</a></li> </ul> Available in GitLab Premium</a> and Ultimate</a>:</p> Fixes the file row not showing commits for certain projects</a></li> </ul> Important notes on upgrading</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab Security Release: 12.10.2, 12.9.5, 12.8.10 2020-04-30T00:00:00+00:00 Today we are releasing versions 12.10.2, 12.9.5, 12.8.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).</p> These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.</p> The vulnerability details will be made public on our issue tracker</a> in approximately 30 days.</p> Please read on for more information regarding this release.</p> Path Traversal in NuGet Package Registry</h2> It was possible to use a malicious NuGet package to read any *.nupkg</code> file on the system. This issue is now mitigated in the latest release and is assigned CVE-2020-12448</a>.</p> Thanks @saltyyolk of Chaitin Tech</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Workhorse Bypass Leads to File Disclosure</h2> A specially crafted request could bypass the GitLab Workhorse and read files in certain specific paths on the server. This issue is now mitigated in the latest release and is assigned CVE-2020-12448</a>.</p> Thanks @vakzz</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE/CE 11.5 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> OAuth Application Client Secrets Revealed</h2> A vulnerability allowed any user to retrieve OAuth application client secrets after authorizing. This issue is now mitigated in the latest release and is assigned CVE-2020-10187</a>.</p> Thanks @stefansundin</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE/CE 12.8 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible. Additionally, the OAuth client secrets should be rotated if your HTTP logs show that the /oauth/authorized_applications.json</code> path has been accessed.</p> Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes</h2> It was possible to bypass code owners approval by committing changes in a specific order. This issue is now mitigated in the latest release and is assigned CVE-2020-12449</a>.</p> Thanks @nathanielwyliet</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Code Owners Protection Not Enforced from Web UI</h2> It was possible to bypass code owners approval by committing changes through the web interface. This issue is now mitigated in the latest release and is assigned CVE-2020-12451</a>.</p> Thanks @zane.wright</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.9 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Repository Mirror Passwords Exposed To Maintainers</h2> When a maintainer deleted a repository mirror, the HTTP response contained the passwords set for the other mirrors on the same repository. This issue is now mitigated in the latest release and is assigned CVE-2020-12450</a>.</p> Versions Affected</h3> Affects GitLab EE/CE 11.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Admin Audit Log Page Denial of Service</h2> A specific API call could make the admin audit log page inaccessible. This issue is now mitigated in the latest release and is assigned CVE-2020-12452</a>.</p> Thanks @xanbanx</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 12.7 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Private Project ID Revealed Through Group API</h2> If a public group contained a private project that was used as a template, its ID was revealed in the group API. This issue is now mitigated in the latest release and is assigned CVE-2020-12453</a>.</p> Thanks @ashish_r_padelkar</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 11.5 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Elasticsearch Credentials Logged to ELK</h2> The data logged in ELK after modifying the Elasticsearch integration through the admin setting page contained credentials. This issue is now mitigated in the latest release and is assigned CVE-2020-12454</a>.</p> Versions Affected</h3> Affects GitLab EE 8.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> GitHub Personal Access Token Exposed on Integrations Page</h2> The GitHub Personal Access Token field was not masked on the integration settings page. This issue is now mitigated in the latest release and is assigned CVE-2020-12455</a>.</p> Thanks @kylifornication</a> for responsibly reporting this vulnerability to us.</p> Versions Affected</h3> Affects GitLab EE 10.6 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update Nokogiri dependency in Gitaly</h2> The Nokogiri dependency has been upgraded to 1.10.9 in Gitaly. This upgrade includes a security fix for CVE-2020-7595</a>.</p> Versions Affected</h3> Affects all previous versions of GitLab CE/EE.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update OpenSSL Dependency</h2> The OpenSSL dependency has been upgraded from 1.1.1f to 1.1.1g. This upgrade includes a security fix for CVE-2020-1967</a>.</p> Versions Affected</h3> Affects GitLab Omnibus 12.4 and later.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Update git</h2> git has been updated to version 2.24.3. This upgrade includes a security fix for CVE-2020-11008</a>.</p> Versions Affected</h3> Affects all previous versions of GitLab Omnibus.</p> Remediation</h3> We strongly recommend</strong> that all installations running an affected version above are upgraded to the latest version as soon as possible.</p> Updating</h2> To update GitLab, see the update page</a>.</p> Receive Security Release Notifications</h2> To receive security release blog notifications delivered to your inbox, visit our contact us</a> page. To receive security release blog notifications via RSS, subscribe to our RSS feed</a>.</p> GitLab Patch Release: 12.10.1 2020-04-24T00:00:00+00:00 Today we are releasing version 12.10.1 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 12.10 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Move Group Deploy Tokens to new Group-scoped Repository settings</a></li> Move project deploy tokens section back to repository settings</a></li> Migrate dismissals to vulnerabilities</a></li> Fix requirements permission documentation</a></li> Add feature flag for merge_ref_head</a></li> Fix bug creating project from git push through ssh</a></li> Fix Web IDE deleting newly added files</a></li> Fix Service Templates missing Active toggle</a></li> Fix merge requests stuck in checking state</a></li> Fix null dereference in project_import_status</a></li> Fix 500 error accessing restricted visibility levels</a></li> Ensure the pg bin files fallback for geo-postgresql</a></li> Prevent gitlab upgrades from GitLab 11.x</a></li> Fixes Omnibus package HA pg-upgrade scenario</a></li> Print a deprecation notice for postgres upgrades if <11</a></li> </ul> Upgrade barometer</h2> This version includes one post-deploy migration, but should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p> GitLab 12.10 released with Requirements Management and Autoscaling CI on AWS Fargate 2020-04-22T00:00:00+00:00 GitLab 12.10 now helps teams streamline and improve compliance</strong> with requirements management, reduce cycle time and accelerate software delivery</strong> with CI with auto-scaling on AWS Fargate, and more efficiently manage a portfolio</strong> of projects with issue and epic health status.</p> Compliance is easier</h2> Compliance is a common challenge in most large organizations, where teams and projects need to demonstrate they followed the organization’s processes and procedures, and delivered what was actually "required". Did the project actually address the business requirements</em> is a common question, and with 12.10, we’re starting to deliver requirements management</strong></a> as a distinct category in GitLab to help teams define, track, and manage business requirements. Also, demonstrating project and release compliance just got a little easier in GitLab 12.10, as there's no longer a need to use scripts to compare release evidence over time</strong></a>, helping teams document and prove that the project is in "compliance". The new project compliance framework label</strong></a> makes it easy for organizations to indicate that a specific project is required to comply with specific compliance frameworks. Speaking of compliance frameworks, to help projects that are subject to HIPAA audits and compliance, the new HIPAA audit protocol project template</strong></a> gives them a head start. It's also easier to protect your secrets with improved HashiCorp Vault Integration</strong></a>, which helps keep your projects compliant with your security policies.</p> Reduce Cycle Time and Accelerate Delivery on AWS</h2> The last thing you need is another bottleneck that potentially slows down delivery and that’s why we’ve supported autoscaling GitLab CI runners for a very, very long time. In GitLab 12.10, we’re extending our autoscaling ability on AWS Fargate to auto-scale runners</strong></a> so pipelines can efficiently scale to meet demand. Speaking of AWS, it's now faster and easier to configure your application to deploy to AWS with predefined AWS deployment variables</strong></a>, where GitLab has added AWS deployment variables and also helps with format validation.</p> Efficiently manage projects</h2> Managing multiple projects and associated issues can be hard to juggle. With all the information there is to track, it's hard to know where there might be problems. Now in GitLab 12.10, it’s easy for teams to track and share the health status</strong></a> of issues so that it’s simple to visualize the overall health of the epic. Additionally, we’re making it easier to import issues from Jira</strong></a> into GitLab so that teams can spend less time switching between tools and more time focused on building great software.</p> And much much more!</h3> There’s never enough space to highlight all the great features in our releases. Here’s a few other cool features that you should check out: Python PyPI repository</a> and View Issue and MR activity- newest first</a>.</p> GitLab Patch Release: 12.9.4 2020-04-20T00:00:00+00:00 Today we are releasing version 12.9.4 for GitLab Community Edition and Enterprise Edition.</p> This version resolves a number of regressions and bugs in this month's 12.9 release</a> and prior versions.</p> GitLab Community Edition and Enterprise Edition</h2> Fix project show file upload not working</a></li> Fix regression on storage rollback causing repositories to report as 404</a></li> Fix incorrect regex used in FileUploader#extract_dynamic_path</a></li> Fix Slack notifications when upgrading from old GitLab versions</a></li> Update index_options to fix advanced search queries</a></li> Fully qualify id columns for keyset pagination</a></li> Geo: Fix repository verification on the primary</a></li> Upgrade to Git 2.24.2</a></li> </ul> Upgrade barometer</h2> This version does not include any new migrations, and should not require any downtime.</p> Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-reconfigure</code></a> file, which is only used for updates</a>.</p> Updating</h2> To update, check out our update page</a>.</p> GitLab subscriptions</h2> Access to GitLab Starter, Premium, and Ultimate features is granted by a paid subscription</a>.</p> Alternatively, sign up for GitLab.com</a> to use GitLab's own infrastructure.</p>

GitLab All Releases

GitLab Patch Release: 17.6.2, 17.5.4, 17.4.6

GitLab Patch Release: 17.6.1, 17.5.3, 17.4.5

GitLab 17.6 released with self-hosted Duo Chat in beta

GitLab Patch Release: 17.5.2, 17.4.4, 17.3.7

Bug fixes</h2>

GitLab Patch Release: 17.5.1, 17.4.3, 17.3.6

Bug fixes</h2>

GitLab 17.5 released with Duo Quick Chat AI code assistance.

GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9

GitLab Patch Release: 17.4.1, 17.3.4, 17.2.8

Bug fixes</h2>

GitLab Critical Patch Release: 16.10.10, 16.9.11, 16.8.10, 16.7.10, 16.6.10, 16.5.10, 16.4.7, 16.3.9, 16.2.11, 16.1.8, 16.0.10

SAML authentication bypass</h3> Updates dependencies omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p>

GitLab 17.4 released with improved context in GitLab Duo

GitLab Critical Patch Release: 17.3.3, 17.2.7, 17.1.8, 17.0.8, 16.11.10

SAML authentication bypass</h3> Updates dependencies omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p>

Bug fixes</h2>

GitLab Critical Patch Release: 17.3.2, 17.2.5, 17.1.7

SAML authentication bypass</h3>
Updates dependencies `omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p>`

SAML authentication bypass</h3>
Updates dependencies `omniauth-saml</code> to version 2.2.1 and ruby-saml</code> to 1.17.0 to mitigate CVE-2024-45409</a>. This security vulnerability applies only to instances which have configured SAML based authentication.</p>`