2016-12-05-cve-2016-9469.html.md 6.76 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80
---
layout: post
title: "GitLab 8.14.3, 8.13.8, and 8.12.11 Released"
date: 2016-12-05 23:59
author: GitLab
author_twitter: gitlab
categories: security
---

Today we are releasing versions 8.14.3, 8.13.8, and 8.12.11 for GitLab Community 
Edition (CE) and Enterprise Edition (EE).

These versions contain an important security fix for a critical 
denial-of-service and data corruption vulnerability, and we **strongly 
recommend** that all affected GitLab installations be upgraded to one of these 
versions **immediately**.

Please read on for more details.

<!-- more -->

## Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

[Jobert Abma][jobert-twitter] of [HackerOne] reported a critical vulnerability 
in the GitLab Issue and Merge Request trackers that could allow a user with
access to any project to delete all issues and merge requests from all GitLab 
projects. For GitLab instances with publicly available projects this vulnerability
could be exploited by an unauthenticated user.

This issue is the result of un-sanitized user input being passed to an internal
function that expects only trusted data. This code was introduced in GitLab 
8.13.0. Please see [the issue][25064] for more details.

This issue has been assigned [CVE-2016-9469][CVE].

[25064]: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
[CVE]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9469

### Versions affected

- 8.14.0 through 8.14.2
- 8.13.0 through 8.13.7

We **strongly recommend** that all installations running a version mentioned
above be upgraded as soon as possible.

### Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation
against this vulnerability using one of the workarounds outlined below until you
have time to upgrade.

You only need to apply _one_ of these workarounds. 

### Securing via Omnibus configuration

For Omnibus installations using the bundled Nginx web server, edit
`/etc/gitlab/gitlab.rb` and add the following line:

```ruby
nginx['custom_gitlab_server_config'] = "if ($args ~* 'state=delete|state=destroy') { return 404; }\n"
```

Then run `sudo gitlab-ctl reconfigure` for the changes to take effect.

### Securing via web server configuration

If you are using an external web server with Omnibus or have installed GitLab
from source, add the following lines to your web server's configuration file.

For Nginx:

```nginx
if ($args ~* 'state=delete|state=destroy') { return 403; }
```

For Apache with mod_rewrite:

```apache
 RewriteEngine On
Chris's avatar
Chris committed
81 82
 RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
 RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200
 RewriteRule ^(.*)$ - [F,L]
```

Then reload the server for changes to take effect.

### Securing via HAProxy configuration

Add the following lines to your configuration and restart the service:

```
acl bad_filter_uri path_sub,url_dec -i state=destroy state=delete
http-request deny if bad_filter_uri
```

### Securing via patch

To temporarily patch just the critical vulnerability, apply the following diff:

```diff
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index e42d5af..2c9412b 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -7,7 +7,7 @@
 #   current_user - which user use
 #   params:
 #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
-#     state: 'open' or 'closed' or 'all'
+#     state: 'opened' or 'closed' or 'all'
 #     group_id: integer
 #     project_id: integer
 #     milestone_title: string
@@ -183,10 +183,13 @@ class IssuableFinder
   end
 
   def by_state(items)
-    params[:state] ||= 'all'
-
-    if items.respond_to?(params[:state])
-      items.public_send(params[:state])
+    case params[:state].to_s
+    when 'closed'
+      items.closed
+    when 'merged'
+      items.respond_to?(:merged) ? items.merged : items.closed
+    when 'opened'
+      items.opened
     else
       items
     end

```

### Verifying the workaround

1. Browse to a project
1. Open the project's issue tracker
1. Choose the "closed" tab
1. Adjust the "state" field in your browser's address bar to "deleteme"
1. Verify you receive a `403 Forbidden` error

Note: If you only applied the patch you will receive no errors here.

## Git Security Patch

Omnibus packages for these versions contain a security patch for git 2.7.4 that
prevents malicious repositories from using HTTP redirects to steal or corrupt 
data. More information on this patch can be found [here](http://public-inbox.org/git/20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net/).

## Other fixes in 8.14.3

- **CE/EE:** Revert signin tab order fix. ([!7538])
- **CE/EE:** Allow dots in group names to pass validation for Create Group and Edit Group forms ([!7723])
- **CE/EE:** Pass commit data to ProcessCommitWorker ([!7744])
- **CE/EE:** Resolve "Merge request dashboard page takes over a minute to load" ([!7760])
- **CE/EE:** Fix GitHub importer to import PR where source repo/fork was renamed/deleted ([!7865])
- **CE/EE:** Fix URL rewritting in the Help section ([!7875])
- **CE/EE:** Fixes ActionView::Template::Error: undefined method `text?` for nil:NilClass ([!7893])


- **EE:** Save some queries on issuable dashboard. ([!935])
- **EE:** Expose add-ons associated to the license in /license endpoint. ([!907])

[!7538]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7538
[!7723]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7723
[!7744]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7744
[!7760]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7760
[!7865]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7865
[!7875]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7875
[!7893]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7893
[!935]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/935
[!907]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/907

## Upgrade barometer

These versions do include a single migration, and will require brief
downtime of typically less than one minute.

Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [`/etc/gitlab/skip-auto-migrations`
file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](https://about.gitlab.com/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](https://about.gitlab.com/features/#enterprise).

Access to GitLab Enterprise Edition is included with a
[subscription](https://about.gitlab.com/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.

[jobert-twitter]: https://twitter.com/jobertabma
[HackerOne]: https://hackerone.com/