2016-12-05-cve-2016-9469.html.md 6.68 KB
---
layout: post
title: "GitLab 8.14.3, 8.13.8, and 8.12.11 Released"
date: 2016-12-05 23:59
author: GitLab
author_twitter: gitlab
categories: releases
---

Today we are releasing versions 8.14.3, 8.13.8, and 8.12.11 for GitLab Community
Edition (CE) and Enterprise Edition (EE).

These versions contain an important security fix for a critical
denial-of-service and data corruption vulnerability, and we **strongly
recommend** that all affected GitLab installations be upgraded to one of these
versions **immediately**.

Please read on for more details.

<!-- more -->

## Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

[Jobert Abma][jobert-twitter] of [HackerOne] reported a critical vulnerability
in the GitLab Issue and Merge Request trackers that could allow a user with
access to any project to delete all issues and merge requests from all GitLab
projects. For GitLab instances with publicly available projects this vulnerability
could be exploited by an unauthenticated user.

This issue is the result of un-sanitized user input being passed to an internal
function that expects only trusted data. This code was introduced in GitLab
8.13.0. Please see [the issue][25064] for more details.

This issue has been assigned [CVE-2016-9469][CVE].

[25064]: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
[CVE]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9469

### Versions affected

- 8.14.0 through 8.14.2
- 8.13.0 through 8.13.7

We **strongly recommend** that all installations running a version mentioned
above be upgraded as soon as possible.

### Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation
against this vulnerability using one of the workarounds outlined below until you
have time to upgrade.

You only need to apply _one_ of these workarounds.

### Securing via Omnibus configuration

For Omnibus installations using the bundled Nginx web server, edit
`/etc/gitlab/gitlab.rb` and add the following line:

```ruby
nginx['custom_gitlab_server_config'] = "if ($args ~* 'state=delete|state=destroy') { return 404; }\n"
```

Then run `sudo gitlab-ctl reconfigure` for the changes to take effect.

### Securing via web server configuration

If you are using an external web server with Omnibus or have installed GitLab
from source, add the following lines to your web server's configuration file.

For Nginx:

```nginx
if ($args ~* 'state=delete|state=destroy') { return 403; }
```

For Apache with mod_rewrite:

```apache
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
RewriteRule ^(.*)$ - [F,L]
```

Then reload the server for changes to take effect.

### Securing via HAProxy configuration

Add the following lines to your configuration and restart the service:

```
acl bad_filter_uri path_sub,url_dec -i state=destroy state=delete
http-request deny if bad_filter_uri
```

### Securing via patch

To temporarily patch just the critical vulnerability, apply the following diff:

```diff
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index e42d5af..2c9412b 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -7,7 +7,7 @@
 #   current_user - which user use
 #   params:
 #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
-#     state: 'open' or 'closed' or 'all'
+#     state: 'opened' or 'closed' or 'all'
 #     group_id: integer
 #     project_id: integer
 #     milestone_title: string
@@ -183,10 +183,13 @@ class IssuableFinder
   end

   def by_state(items)
-    params[:state] ||= 'all'
-
-    if items.respond_to?(params[:state])
-      items.public_send(params[:state])
+    case params[:state].to_s
+    when 'closed'
+      items.closed
+    when 'merged'
+      items.respond_to?(:merged) ? items.merged : items.closed
+    when 'opened'
+      items.opened
     else
       items
     end

```
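Review bot: the doc comment in the first hunk now reads `state: 'opened' or 'closed' or 'all'`, but the rewritten `by_state` in the second hunk also accepts `'merged'` (falling back to `closed` for relations without a `merged` scope); add `'merged'` to that comment so the documented values match the allowlist exactly.

Review bot: in the second hunk the dropped `params[:state] ||= 'all'` default is now handled implicitly by `case params[:state].to_s`, where a missing state becomes `''` and falls through to `else`, returning all items; a one-line comment on the `else` branch saying that missing and unrecognised states mean "all" would keep a later change from reintroducing a default or a `public_send` on the parameter. The allowlist itself is the right shape: user input is only ever compared against literal strings and never used as a method name.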

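As an added example that is not GitLab's code: a stand-alone Ruby model of the patched `by_state`, using a hypothetical stub relation (standing in for the ActiveRecord relation) that also carries a destructive `delete_all` method, to show that the allowlisted dispatch only ever reaches the three named scopes and that a missing state still yields all items.

```ruby
# Stand-in for an ActiveRecord relation of issues (hypothetical stub);
# merge requests add a merged scope below.
class IssueRelation
  attr_reader :scope, :deleted

  def initialize(scope = :all, deleted = false)
    @scope = scope
    @deleted = deleted
  end

  def opened; self.class.new(:opened); end
  def closed; self.class.new(:closed); end
  # A destructive relation method: the kind of name a raw public_send on
  # ?state= could have reached. The allowlist below never calls it.
  def delete_all; self.class.new(@scope, true); end
end

class MergeRequestRelation < IssueRelation
  def merged; self.class.new(:merged); end
end

# Mirrors the patched IssuableFinder#by_state: the user-supplied state is
# compared only against literal strings; nil, '', 'all' and anything
# unrecognised fall through to the unfiltered relation. Nothing is
# dispatched by method name, so arbitrary input cannot select a method.
def by_state(items, state)
  case state.to_s
  when 'closed' then items.closed
  when 'merged' then items.respond_to?(:merged) ? items.merged : items.closed
  when 'opened' then items.opened
  else items
  end
end

# Smoke run over the cases a reviewer would check, including the
# method-name-shaped input that must not reach delete_all.
if __FILE__ == $PROGRAM_NAME
  %w[opened closed merged delete_all].each do |s|
    r = by_state(IssueRelation.new, s)
    puts "issues state=#{s.inspect} -> scope=#{r.scope} deleted=#{r.deleted}"
  end
end
```
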
### Verifying the workaround

1. Browse to a project
1. Open the project's issue tracker
1. Choose the "closed" tab
1. Adjust the "state" field in your browser's address bar to "deleteme"
1. Verify you receive a `403 Forbidden` error (or a `404 Not Found` error if you used the Omnibus configuration workaround, which returns 404)

Note: If you only applied the patch, you will receive no errors here, because the patch corrects the state handling rather than blocking the request.

## Git Security Patch

Omnibus packages for these versions contain a security patch for git 2.7.4 that
prevents malicious repositories from using HTTP redirects to steal or corrupt
data. More information on this patch can be found [here](http://public-inbox.org/git/20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net/).

## Other fixes in 8.14.3

- **CE/EE:** Revert signin tab order fix. ([!7538])
- **CE/EE:** Allow dots in group names to pass validation for Create Group and Edit Group forms ([!7723])
- **CE/EE:** Pass commit data to ProcessCommitWorker ([!7744])
- **CE/EE:** Resolve "Merge request dashboard page takes over a minute to load" ([!7760])
- **CE/EE:** Fix GitHub importer to import PR where source repo/fork was renamed/deleted ([!7865])
- **CE/EE:** Fix URL rewriting in the Help section ([!7875])
- **CE/EE:** Fixes ActionView::Template::Error: undefined method `text?` for nil:NilClass ([!7893])


- **EE:** Save some queries on issuable dashboard. ([!935])
- **EE:** Expose add-ons associated to the license in /license endpoint. ([!907])

[!7538]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7538
[!7723]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7723
[!7744]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7744
[!7760]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7760
[!7865]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7865
[!7875]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7875
[!7893]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7893
[!935]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/935
[!907]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/907

## Upgrade barometer

These versions do include a single migration, and will require brief
downtime of typically less than one minute.

Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [`/etc/gitlab/skip-auto-migrations`
file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](/features/#enterprise).

Access to GitLab Enterprise Edition is included with a
[subscription](/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.

[jobert-twitter]: https://twitter.com/jobertabma
[HackerOne]: https://hackerone.com/