---
layout: post
title: "GitLab 10.0.4, 9.5.9, and 9.4.7 released"
date: 2017-10-17
author: Brian Neel
author_twitter: b0bby_tables
author_gitlab: briann
categories: releases
tags: patch releases, releases
---

Today we are releasing versions 10.0.4, 9.5.9, and 9.4.7 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain several security fixes, including fixes for two
persistent Cross-Site Scripting (XSS) vulnerabilities, an open redirect vulnerability,
a bug when changing usernames that could leave behind and leak
repositories, an information leakage vulnerability in private issue names, and
security updates for Ruby and libxml2. We recommend that all GitLab installations
be upgraded to one of these versions.

Please read on for more details.

<!-- more -->

## Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization filter

[Yasin Soliman] via [HackerOne] reported a Cross-Site Scripting (XSS) vulnerability in the
GitLab markdown sanitization filter. The sanitization filter was not properly
stripping invalid characters from URL schemes and was therefore vulnerable to
persistent XSS attacks anywhere Markdown was supported. [#38272]

[#38272]: https://gitlab.com/gitlab-org/gitlab-ce/issues/38272
[Yasin Soliman]: https://twitter.com/SecurityYasin
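To illustrate the class of bug fixed here, the following is an added example (not GitLab's sanitization filter) of an allowlist check on link `href` values. Browsers discard ASCII tab, LF and CR anywhere in a URL and strip leading/trailing C0 controls and spaces before parsing it, so a filter that inspects the raw string can fail to recognise a scheme that the browser will still honour. The allowed scheme list and the `SAMPLE_LINKS` input are constructed for this example.

```ruby
# Added example, not GitLab's code: allowlist-based href validation that first
# normalizes the URL the way a browser does, so padding characters inside the
# scheme cannot make the filter treat an absolute URL as a harmless relative one.

ALLOWED_SCHEMES = %w[http https mailto ftp].freeze   # assumed allowlist

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ':'.
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

# Mirror WHATWG URL pre-processing: drop tab/newline anywhere, then strip
# leading and trailing C0 control characters and spaces.
def normalize_href(href)
  href.delete("\t\n\r").gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '')
end

# The scheme the browser will see, lower-cased, or nil for a relative URL.
def scheme_of(href)
  m = SCHEME_RE.match(normalize_href(href))
  m && m[1].downcase
end

# Relative URLs are kept; absolute URLs must use an allowed scheme.
def safe_href?(href)
  scheme = scheme_of(href)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Contrast: the same allowlist applied to the raw string. A scheme containing a
# character that is invalid in a scheme does not match SCHEME_RE, so the URL is
# wrongly classified as relative and allowed through.
def naive_safe_href?(href)
  m = SCHEME_RE.match(href)
  m.nil? || ALLOWED_SCHEMES.include?(m[1].downcase)
end

# Sanitize [text, href] pairs: unsafe hrefs are dropped, link text is kept.
def sanitize_links(links)
  links.map { |text, href| safe_href?(href) ? [text, href] : [text, nil] }
end

# Constructed sample input.
SAMPLE_LINKS = [
  ['docs',   'https://example.com/docs'],
  ['issue',  '/group/project/issues/1'],
  ['padded', "java\tscript:void(0)"],
].freeze
```

`sanitize_links(SAMPLE_LINKS)` keeps the first two hrefs and drops the third; `naive_safe_href?` would have accepted it.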

## Cross-Site Scripting (XSS) vulnerability in search bar

[Josh Unger] reported a Cross-Site Scripting (XSS) vulnerability in the
issue search bar. Usernames were not being properly HTML escaped inside the author
filter, which could allow arbitrary script execution. [#38267]

[Josh Unger]: https://gitlab.com/joshunger

[#38267]: https://gitlab.com/gitlab-org/gitlab-ce/issues/38267

## Open redirect in repository `git` redirects

[Eric Rafaloff] via [HackerOne] reported that GitLab was vulnerable to an open redirect
vulnerability when redirecting requests for repository names that include the `git`
extension. GitLab was not properly removing dangerous parameters from the params
field before redirecting which could allow an attacker to redirect users to
arbitrary hosts. [#37715]

[#37715]: https://gitlab.com/gitlab-org/gitlab-ce/issues/37715
[HackerOne]: https://www.hackerone.com/
[Eric Rafaloff]: https://ericrafaloff.com
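The safe pattern for this kind of redirect, as an added example that is not GitLab's code: rebuild the target from the route's own path segments plus an allowlist of query keys, rather than forwarding the whole params hash (in which request-supplied keys such as `host`, `protocol` or `port` would otherwise influence the generated URL), and check that the result is a local path before redirecting. The `SAFE_QUERY_KEYS` list and the parameter names are assumptions for this example.

```ruby
require 'uri'

# Added example, not GitLab's code: build the canonical redirect for a
# "namespace/project.git" request from trusted parts only.

SAFE_QUERY_KEYS = %w[ref path].freeze   # assumed allowlist of forwardable query keys

# Returns the redirect target, or nil when the request cannot be redirected safely.
def canonical_redirect_path(params)
  namespace = params['namespace_id']
  project   = params['project_id']
  return nil unless namespace && project

  # Drop the ".git" suffix; reject names with characters outside a path segment.
  name = project.sub(/\.git\z/, '')
  return nil unless [namespace, name].all? { |s| s.match?(/\A[\w.-]+\z/) }

  path  = "/#{namespace}/#{name}"
  # Only allowlisted query keys survive; host/protocol/port style keys are ignored.
  query = params.select { |k, _| SAFE_QUERY_KEYS.include?(k) }
  path += "?#{URI.encode_www_form(query)}" unless query.empty?
  path
end

# Final guard before calling the framework's redirect: the target must be a
# path on this host (no scheme, no authority, not protocol-relative).
def local_path?(target)
  return false if target.nil?
  uri = URI.parse(target)
  uri.scheme.nil? && uri.host.nil? &&
    target.start_with?('/') && !target.start_with?('//')
rescue URI::InvalidURIError
  false
end

# Constructed sample request parameters, including keys that must be ignored.
SAMPLE_PARAMS = {
  'namespace_id' => 'group',
  'project_id'   => 'project.git',
  'ref'          => 'master',
  'host'         => 'other.example',
  'protocol'     => 'https',
}.freeze
```

`canonical_redirect_path(SAMPLE_PARAMS)` yields `/group/project?ref=master`; the `host` and `protocol` keys have no effect on the result, and `local_path?` confirms it before the redirect is issued.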

## Username changes could leave repositories behind

An internal code review discovered that a bug in the code that moves repositories
during a username change could potentially leave behind projects, allowing an
attacker who knows the previous username to potentially steal the contents of
repositories on instances that are not configured with hashed namespaces. [#38126]

[#38126]: https://gitlab.com/gitlab-org/gitlab-ce/issues/38126

## Confidential issue names could leak in "related issues" feature

An internal code review discovered that confidential issue titles could leak
when referenced as "related issues". GitLab EE was not properly filtering confidential
issues in the related issues feature for users that did not have access to these
issues. [#3435]

[#3435]: https://gitlab.com/gitlab-org/gitlab-ee/issues/3435

## Ruby update

The version of Ruby included with GitLab Omnibus CE+EE packages has been updated
to 2.3.5 to patch a potential SMTP injection vulnerability that could allow attackers
to use a GitLab instance to send arbitrary emails. A patch is also included to
support the use of carriage returns as email separators in pipeline alert email
recipient lists so that installations improperly using carriage returns as email
separators do not break. [HackerOne Report]

[HackerOne Report]: https://hackerone.com/reports/137631
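The two application-side concerns behind this update, shown as an added example that is not GitLab's code: a stored recipient list may be separated by commas, newlines or carriage returns and must be split on all of them, and no individual address handed to the mailer may still contain CR or LF, since those characters are what an SMTP injection relies on to smuggle extra protocol lines into a message. The address pattern and the sample list are constructed for this example.

```ruby
# Added example, not GitLab's code: parse a free-form recipient list and
# validate each address before it reaches the mail library.

# Deliberately simple address shape: one '@', no whitespace, a dot in the domain.
ADDRESS_RE = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

# Split on commas, CR, LF or any whitespace; empty entries are discarded.
def split_recipients(list)
  list.split(/[,\r\n\s]+/).reject(&:empty?)
end

# Returns [valid, rejected]: valid addresses (deduplicated, order kept) and the
# entries that are not a single well-formed address.
def validate_recipients(list)
  valid, rejected = split_recipients(list).partition { |addr| addr.match?(ADDRESS_RE) }
  [valid.uniq, rejected]
end

# Guard for a single address arriving from any other code path: CR/LF anywhere
# in the value means it must not be passed to SMTP as one recipient.
def smtp_safe?(addr)
  !addr.match?(/[\r\n]/) && addr.match?(ADDRESS_RE)
end

# Constructed sample: CRLF, comma and LF used as separators, plus one bad entry.
SAMPLE_LIST = "a@example.com\r\nb@example.com, c@example.com\nnot-an-address".freeze
```

`validate_recipients(SAMPLE_LIST)` returns the three well-formed addresses and reports `not-an-address` separately; a value such as `"a@example.com\r\nb@example.com"` is rejected by `smtp_safe?` rather than being treated as one recipient.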

## Libxml2 update

The version of libxml2 included with GitLab Omnibus CE+EE packages has been updated
to 2.9.6 to patch several security vulnerabilities. [XMLSoft]

[XMLSoft]: http://xmlsoft.org/news.html

### Versions affected

Cross-Site Scripting (XSS) vulnerability in markdown:
- GitLab CE+EE 2.8.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Cross-Site Scripting (XSS) vulnerability in search bar:
- GitLab CE+EE 9.3.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Open redirect in repository git redirects:
- GitLab CE+EE 9.2.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Username changes could leave repositories behind:
- GitLab CE+EE 9.5.0-9.5.8, 10.0.0-10.0.3

Confidential issue names could leak in "related issues" feature:
- GitLab EE 9.4.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Ruby update:
- GitLab CE+EE 8.14.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Libxml2 update:
- GitLab CE+EE 1.1.1-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

We recommend that all installations running a version mentioned above be
upgraded as soon as possible. No workarounds are available for these
vulnerabilities.

## Upgrade barometer

These versions do not include any migrations and will not require downtime.

Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [/etc/gitlab/skip-auto-migrations file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](/features/#enterprise).

Access to GitLab Enterprise Edition is included with a
[subscription](/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.