2017-06-07-gitlab-9-dot-2-dot-5-security-release.html.md
---
layout: post
title: "GitLab 9.2.5, 9.1.7, and 9.0.10 released"
date: 2017-06-07
author: Brian Neel
author_twitter: b0bby_tables
author_gitlab: briann
categories: releases
tags: patch releases, releases
---

Today we are releasing versions 9.2.5, 9.1.7, and 9.0.10 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

**Note: Please see the warnings in the Upgrade barometer section before upgrading.**

**Note: Versions 9.2.3-9.2.4, 9.1.5-9.1.6, and 9.0.8-9.0.9 contain incomplete fixes for the reserved namespaces / group renaming issue.**

These versions contain several security fixes, including a fix for a
difficult-to-exploit persistent Cross-Site Scripting (XSS) vulnerability,
improvements to API protections when using session authentication, fixes for
several information disclosure vulnerabilities, and a fix for a flaw that could
allow the deletion of project avatars. We recommend that all GitLab
installations be upgraded to one of these versions.

Please read on for more details.

<!-- more -->

## Cross-Site Scripting (XSS) vulnerability when editing comments

A GitLab.com user reported that recent changes to Markdown rendering designed to
improve performance by allowing comments to be rendered client-side opened a
persistent Cross-Site Scripting (XSS) vulnerability when comments are edited
and then re-saved. This vulnerability is difficult to exploit because a victim
must be tricked into editing and then saving another user's comment. [#32908]

[#32908]: https://gitlab.com/gitlab-org/gitlab-ce/issues/32908

## API vulnerable to embedding in iFrames using Session Auth

A tip from a Twitter user led to an internal code audit that discovered a malicious
website could embed a GitLab API URL inside an iframe, possibly tricking a user
into thinking that the website had access to the user's GitLab account information.
Because the browser attaches the user's GitLab session cookie to the framed request,
the API response renders inside the attacker's page; the same-origin policy stops
the attacker's page from reading that content, so no data is disclosed to the
malicious website, but it could cause confusion. The API now sends an
`X-Frame-Options` header so that browsers refuse to display API content inside an
iframe. [#32557]

[#32557]: https://gitlab.com/gitlab-org/gitlab-ce/issues/32557
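As an added illustration (this is not GitLab's own code), the following Rack-style middleware applies the same protection to a Rails-like application: any response under an assumed `/api/` prefix gets `X-Frame-Options: DENY`, plus the modern `Content-Security-Policy: frame-ancestors 'none'` equivalent. The upstream app, the path prefix and the header values are assumptions chosen for the demo; the post does not state which value GitLab sends.

```ruby
# Added example, not GitLab's code.  A Rack app is any object whose #call
# takes an env Hash and returns [status, headers, body], so this runs without
# the rack gem.  The "/api/" prefix and header values are assumptions.
class ApiFrameProtection
  API_PREFIX = '/api/'.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env['PATH_INFO'].to_s.start_with?(API_PREFIX)
      headers = headers.dup
      # Legacy header honoured by every browser that supports framing control.
      headers['X-Frame-Options'] = 'DENY'
      # Modern equivalent; where both are present, CSP frame-ancestors wins.
      headers['Content-Security-Policy'] = "frame-ancestors 'none'"
    end
    # Non-API paths are left alone here: the web UI is assumed to already
    # carry its own framing policy (Rails ships SAMEORIGIN by default).
    [status, headers, body]
  end
end

# Stand-in for the upstream application: returns a JSON body for any path.
FAKE_APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/json' }, ['{"username":"alice"}']]
end

# Drive the middleware with a constructed request and hand back the headers.
def response_headers_for(path)
  app = ApiFrameProtection.new(FAKE_APP)
  _status, headers, _body = app.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts response_headers_for('/api/v4/user').inspect
  puts response_headers_for('/dashboard').inspect
end
```

To verify a live instance after upgrading, request any API endpoint with `curl -sI` and confirm an `X-Frame-Options` header is present in the response; the check needs no authentication since the header is sent regardless of whether the request succeeds.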

## Accidental or malicious use of reserved names in group names could cause deletion of all project avatars

A GitLab.com user reported that creating a group named `project` and then renaming
the group would cause all project avatars to be deleted. This was due to an improperly
constructed path variable when renaming files: the group's upload path collided with
the `/public/uploads/project` directory that held project avatars. To help prevent
this from happening again, all avatar uploads have been moved from
`/public/uploads/(user|group|project)` to `/public/uploads/system/(user|group|project)`,
and `system` has been made a reserved namespace. A migration included with this
release will rename any existing top-level `system` namespace to `system0` (or
`system1`, `system2`, etc.). [#28917]

[#28917]: https://gitlab.com/gitlab-org/gitlab-ce/issues/28917
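The following added example (not GitLab's actual code) reproduces the symptom in a throwaway directory tree: in the vulnerable layout a group literally named `project` owns `uploads/project`, which is also where every project avatar lives, so renaming the group moves them all away; in the fixed layout application-managed files live under `uploads/system/` and `system` is refused as a namespace name. It also shows the suffixing rule (`system` to `system0`, `system1`, ...) used by the migration described here and in the Upgrade barometer section. The directory layout and rename logic are simplified assumptions.

```ruby
require 'tmpdir'
require 'fileutils'

# Added illustration, not GitLab's code.  The layout and the rename logic are
# simplified assumptions chosen to reproduce the symptom described in the post.

# Names a user- or group-chosen namespace may never claim, because the
# application itself writes under public/uploads/<name>.
RESERVED_NAMES = %w[system].freeze

# Vulnerable shape: namespace uploads and application-managed uploads share one
# parent, so uploads/project is both "the group called project" and "all
# project avatars", and the rename moves the whole directory.
def move_namespace_dir_vulnerable(uploads_root, old_path, new_path)
  FileUtils.mv(File.join(uploads_root, old_path), File.join(uploads_root, new_path))
end

# Fixed shape: application-managed uploads live under uploads/system/, and a
# namespace is refused any reserved name, so the two trees cannot collide.
def move_namespace_dir_fixed(uploads_root, old_path, new_path)
  raise ArgumentError, "#{new_path} is a reserved name" if RESERVED_NAMES.include?(new_path)
  src = File.join(uploads_root, old_path)
  FileUtils.mv(src, File.join(uploads_root, new_path)) if File.directory?(src)
end

# Mirrors the migration's renaming rule: an existing top-level "system"
# namespace becomes system0, or system1, system2, ... if those are taken.
def free_reserved_name(name, taken)
  return name unless RESERVED_NAMES.include?(name)
  i = 0
  i += 1 while taken.include?("#{name}#{i}")
  "#{name}#{i}"
end

# Build a temporary uploads tree in the given layout, create a group named
# "project", rename it to "acme", and report whether the project avatar is
# still where the application expects it.
def avatar_survives_rename?(layout)
  Dir.mktmpdir do |root|
    avatar_dir = layout == :vulnerable ? %w[project avatar 1] : %w[system project avatar 1]
    avatar = File.join(root, *avatar_dir, 'logo.png')
    FileUtils.mkdir_p(File.dirname(avatar))
    File.write(avatar, 'constructed sample bytes')   # stands in for a PNG
    FileUtils.mkdir_p(File.join(root, 'project'))    # the group's own upload dir
    if layout == :vulnerable
      move_namespace_dir_vulnerable(root, 'project', 'acme')
    else
      move_namespace_dir_fixed(root, 'project', 'acme')
    end
    File.exist?(avatar)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable layout keeps avatar: #{avatar_survives_rename?(:vulnerable)}"
  puts "fixed layout keeps avatar:      #{avatar_survives_rename?(:fixed)}"
  puts "system -> #{free_reserved_name('system', %w[system system0])}"
end
```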

## Unauthenticated disclosure of usernames in autocomplete controller

[HackerOne] reporter [Evelyn Lee] reported that usernames could be enumerated
using the `autocomplete/users.json` endpoint without authenticating. This
could allow an unauthenticated attacker to gather a list of all valid usernames from a GitLab
instance. [#31842]

[#31842]: https://gitlab.com/gitlab-org/gitlab-ce/issues/31842
[HackerOne]: https://hackerone.com
[Evelyn Lee]: https://hackerone.com/evelynleems
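Since the post offers no workaround, the practical question for operators of an unpatched instance is whether anyone has already enumerated it. The added example below (not GitLab's code) scans nginx access log lines in the combined format and flags clients that issued many `/autocomplete/users.json` requests with many distinct `search` terms inside a short window, which is how a scripted enumeration looks next to a real user typing a name into the autocomplete box. The thresholds, addresses and log lines are constructed for the demo; the combined format cannot tell you whether a request carried a session, so this keys on volume and diversity only.

```ruby
require 'time'
require 'uri'

# Added example, not part of the original post.  Parses nginx combined-format
# access log lines (the Omnibus package writes these under
# /var/log/gitlab/nginx/) and flags likely username enumeration against
# /autocomplete/users.json.  Thresholds, IPs and sample lines are constructed.

LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3})/

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [07/Jun/2017:10:00:01 +0000] "GET /autocomplete/users.json?search=a HTTP/1.1" 200 812 "-" "python-requests/2.13.0"
  203.0.113.7 - - [07/Jun/2017:10:00:02 +0000] "GET /autocomplete/users.json?search=b HTTP/1.1" 200 790 "-" "python-requests/2.13.0"
  203.0.113.7 - - [07/Jun/2017:10:00:03 +0000] "GET /autocomplete/users.json?search=c HTTP/1.1" 200 640 "-" "python-requests/2.13.0"
  203.0.113.7 - - [07/Jun/2017:10:00:04 +0000] "GET /autocomplete/users.json?search=d HTTP/1.1" 200 455 "-" "python-requests/2.13.0"
  203.0.113.7 - - [07/Jun/2017:10:00:05 +0000] "GET /autocomplete/users.json?search=e HTTP/1.1" 200 902 "-" "python-requests/2.13.0"
  203.0.113.7 - - [07/Jun/2017:10:00:06 +0000] "GET /autocomplete/users.json?search=f HTTP/1.1" 200 377 "-" "python-requests/2.13.0"
  198.51.100.4 - - [07/Jun/2017:10:00:03 +0000] "GET /autocomplete/users.json?search=bo HTTP/1.1" 200 120 "https://gitlab.example.com/acme/site/issues/1" "Mozilla/5.0"
  198.51.100.4 - - [07/Jun/2017:10:00:04 +0000] "GET /autocomplete/users.json?search=bob HTTP/1.1" 200 60 "https://gitlab.example.com/acme/site/issues/1" "Mozilla/5.0"
  198.51.100.4 - - [07/Jun/2017:10:00:09 +0000] "GET /dashboard/issues HTTP/1.1" 200 15233 "-" "Mozilla/5.0"
LOG

# One log line -> Hash, or nil when the line does not match the format.
def parse_line(line)
  m = LOG_RE.match(line) or return nil
  { ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path],
    status: m[:status].to_i }
end

# The `search` query parameter of a request path, or nil when absent.
def search_term(path)
  URI.decode_www_form(URI(path).query.to_s).to_h['search']
end

# Returns { ip => { requests:, distinct_terms: } } for every client that, in
# some sliding window of `window` seconds, made at least `min_requests`
# autocomplete calls carrying at least `min_distinct` different search terms.
def enumeration_suspects(log_text, min_requests: 5, min_distinct: 5, window: 60)
  per_ip = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    e = parse_line(line) or next
    next unless e[:path].start_with?('/autocomplete/users.json')
    per_ip[e[:ip]] << e
  end

  per_ip.each_with_object({}) do |(ip, events), out|
    events.sort_by! { |e| e[:time] }
    best = nil
    first = 0
    events.each_index do |i|
      first += 1 while events[i][:time] - events[first][:time] > window
      win = events[first..i]
      terms = win.map { |e| search_term(e[:path]) }.compact.uniq
      next unless win.size >= min_requests && terms.size >= min_distinct
      best = { requests: win.size, distinct_terms: terms.size } if best.nil? || terms.size > best[:distinct_terms]
    end
    out[ip] = best if best
  end
end

if __FILE__ == $PROGRAM_NAME
  puts enumeration_suspects(SAMPLE_LOG).inspect
end
```

Tune `min_requests` and `min_distinct` against your own baseline: a single user working through an assignee dropdown produces a handful of requests whose search terms are prefixes of one another, not dozens of unrelated terms.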

## Information leakage with references to private project snippets

GitLab.com user Patrick Fiedler reported that titles of private project
snippets could leak when they were referenced in other issues, merge requests,
or comments. [#25934]

[#25934]: https://gitlab.com/gitlab-org/gitlab-ce/issues/25934

## Elasticsearch does not implement external user checks correctly

An internal code review discovered that on instances with Elasticsearch enabled
GitLab allowed external users to view internal project data. This could unintentionally
expose sensitive information to external users. This vulnerability only affects
EE installations with Elasticsearch enabled. [#2337]

[#2337]: https://gitlab.com/gitlab-org/gitlab-ee/issues/2337
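Both the snippet-title leak above and the Elasticsearch issue in this section are the same class of bug: content is rendered or returned before the viewer's permission to see the owning project is checked. The added example below (not GitLab's code) models one `can_read_project?` check under GitLab's public / internal / private visibility model, with external users excluded from internal projects, and applies it in two places: a snippet reference filter that only expands `$id` references the viewer may read, and a search-result filter. Project paths, snippet contents, users and the `$id` reference syntax are constructed for the demo.

```ruby
# Added example, not GitLab's code.  Models the authorization check whose
# absence is described for private snippet references and for Elasticsearch
# results shown to external users.  All data below is constructed.
Project = Struct.new(:path, :visibility, :members)
Snippet = Struct.new(:id, :title, :project)
User    = Struct.new(:username, :external)

# public: anyone; internal: any signed-in, non-external user, or a member;
# private: members only.  A nil viewer is an anonymous visitor.
def can_read_project?(viewer, project)
  case project.visibility
  when :public   then true
  when :internal then (!viewer.nil? && !viewer.external) || project.members.include?(viewer&.username)
  when :private  then !viewer.nil? && project.members.include?(viewer.username)
  end
end

# Expand "$<id>" snippet references into a titled link only when the viewer
# may read the owning project; otherwise leave the raw text untouched so the
# title (and the snippet's existence) is not revealed.
def render_snippet_references(text, viewer, snippets)
  text.gsub(/\$(\d+)/) do |raw|
    snippet = snippets[Regexp.last_match(1).to_i]
    if snippet && can_read_project?(viewer, snippet.project)
      "[#{snippet.title}](#{snippet.project.path}/snippets/#{snippet.id})"
    else
      raw
    end
  end
end

# The check a search backend must apply before returning hits: drop every
# project the viewer cannot read, which removes internal projects for
# external users.
def filter_search_results(viewer, projects)
  projects.select { |p| can_read_project?(viewer, p) }
end

PUBLIC_P   = Project.new('acme/site',     :public,   [])
INTERNAL_P = Project.new('acme/intranet', :internal, ['carol'])
PRIVATE_P  = Project.new('acme/secrets',  :private,  ['carol'])
SNIPPETS = {
  7 => Snippet.new(7, 'prod db credential rotation', PRIVATE_P),
  8 => Snippet.new(8, 'Hello world', PUBLIC_P)
}
CAROL        = User.new('carol', false)   # regular member of every project
EVE_EXTERNAL = User.new('eve',   true)    # external account, no memberships

if __FILE__ == $PROGRAM_NAME
  puts render_snippet_references('see $7 and $8', CAROL, SNIPPETS)
  puts render_snippet_references('see $7 and $8', EVE_EXTERNAL, SNIPPETS)
  puts filter_search_results(EVE_EXTERNAL, [PUBLIC_P, INTERNAL_P, PRIVATE_P]).map(&:path).inspect
end
```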

### Versions affected

Cross-Site Scripting (XSS) vulnerability when editing comments:
- GitLab CE+EE 9.2.0-9.2.2

API vulnerable to embedding in iFrames using Session Auth:
- GitLab CE+EE 8.13.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

Accidental or malicious use of reserved names in group names could cause deletion of all project avatars:
- GitLab CE+EE 4.0.0-9.0.9, 9.1.0-9.1.6, 9.2.0-9.2.4

Unauthenticated disclosure of usernames in autocomplete controller:
- GitLab CE+EE 8.7.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

Information leakage with references to private project snippets:
- GitLab CE+EE 8.9.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3

Elasticsearch does not implement external user checks correctly:
- GitLab EE 8.7.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

We recommend that all installations running a version mentioned above be
upgraded as soon as possible. No workarounds are available for these
vulnerabilities.

## Upgrade barometer

These versions include two migrations that do not require downtime but **must be run on a node with access to the directories containing repositories and uploads**.

The first migration renames any user or top-level group with the name `system`
to `system0` (or `system1`, `system2`, etc.). **Before running this update, be
sure to back up all repositories and file uploads in `/var/opt/gitlab/git-data`
and `/var/opt/gitlab/gitlab-rails/uploads`.**

The second migration moves all user, group, and project avatars and older note
and appearance uploads from `/public/uploads/(user|note|group|project|appearance)`
to `/public/uploads/system/(user|note|group|project|appearance)`.

To refresh avatar links, the Rails cache must be cleared. This is normally done
automatically with every upgrade. If you have disabled the rake task that clears
the cache, you will need to re-enable it or clear the cache manually after
upgrading, because project avatar locations have changed:

`gitlab-rake cache:clear`

Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [/etc/gitlab/skip-auto-migrations file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](/features/#enterprise).

Access to GitLab Enterprise Edition is included with a
[subscription](/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.