Commit ff07319d authored by Brian Neel's avatar Brian Neel

Release of 8.14.3 containing critical security fix

parent 9e0931e3
Pipeline #5268326 passed with stages
in 10 minutes and 20 seconds
---
layout: post
title: "GitLab 8.14.3, 8.13.8, and 8.12.11 Released"
date: 2016-12-05 23:59
author: GitLab
author_twitter: gitlab
categories: security
---
Today we are releasing versions 8.14.3, 8.13.8, and 8.12.11 for GitLab Community
Edition (CE) and Enterprise Edition (EE).
These versions contain an important security fix for a critical
denial-of-service and data corruption vulnerability, and we **strongly
recommend** that all affected GitLab installations be upgraded to one of these
versions **immediately**.
Please read on for more details.
<!-- more -->
## Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers
[Jobert Abma][jobert-twitter] of [HackerOne] reported a critical vulnerability
in the GitLab Issue and Merge Request trackers that could allow a user with
access to any project to delete all issues and merge requests from all GitLab
projects. For GitLab instances with publicly available projects this vulnerability
could be exploited by an unauthenticated user.
This issue is the result of un-sanitized user input being passed to an internal
function that expects only trusted data. This code was introduced in GitLab
8.13.0. Please see [the issue][25064] for more details.
This issue has been assigned [CVE-2016-9469][CVE].
[25064]: https://gitlab.com/gitlab-org/gitlab-ce/issues/25064
[CVE]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9469
### Versions affected
- 8.14.0 through 8.14.2
- 8.13.0 through 8.13.7
We **strongly recommend** that all installations running a version mentioned
above be upgraded as soon as possible.
### Workarounds
If you're unable to upgrade right away, you can secure your GitLab installation
against this vulnerability using one of the workarounds outlined below until you
have time to upgrade.
You only need to apply _one_ of these workarounds.
### Securing via Omnibus configuration
For Omnibus installations using the bundled Nginx web server, edit
`/etc/gitlab/gitlab.rb` and add the following line:
```ruby
nginx['custom_gitlab_server_config'] = "if ($args ~* 'state=delete|state=destroy') { return 404; }\n"
```
Then run `sudo gitlab-ctl reconfigure` for the changes to take effect.
### Securing via web server configuration
If you are using an external web server with Omnibus or have installed GitLab
from source, add the following lines to your web server's configuration file.
For Nginx:
```nginx
if ($args ~* 'state=delete|state=destroy') { return 403; }
```
For Apache with mod_rewrite:
```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} ^.*(state=destroy).* [NC,OR]
RewriteCond %{REQUEST_URI} ^.*(state=delete).* [NC]
RewriteRule ^(.*)$ - [F,L]
```
Then reload the server for changes to take effect.
### Securing via HAProxy configuration
Add the following lines to your configuration and restart the service:
```
acl bad_filter_uri path_sub,url_dec -i state=destroy state=delete
http-request deny if bad_filter_uri
```
### Securing via patch
To temporarily patch just the critical vulnerability, apply the following diff:
```diff
diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb
index e42d5af..2c9412b 100644
--- a/app/finders/issuable_finder.rb
+++ b/app/finders/issuable_finder.rb
@@ -7,7 +7,7 @@
# current_user - which user use
# params:
# scope: 'created-by-me' or 'assigned-to-me' or 'all'
-# state: 'open' or 'closed' or 'all'
+# state: 'opened' or 'closed' or 'all'
# group_id: integer
# project_id: integer
# milestone_title: string
@@ -183,10 +183,13 @@ class IssuableFinder
end
def by_state(items)
- params[:state] ||= 'all'
-
- if items.respond_to?(params[:state])
- items.public_send(params[:state])
+ case params[:state].to_s
+ when 'closed'
+ items.closed
+ when 'merged'
+ items.respond_to?(:merged) ? items.merged : items.closed
+ when 'opened'
+ items.opened
else
items
end
```
### Verifying the workaround
1. Browse to a project
1. Open the project's issue tracker
1. Choose the "closed" tab
1. Adjust the "state" field in your browser's address bar to "deleteme"
1. Verify you receive a `403 Forbidden` error
Note: If you only applied the patch you will receive no errors here.
## Git Security Patch
Omnibus packages for these versions contain a security patch for git 2.7.4 that
prevents malicious repositories from using HTTP redirects to steal or corrupt
data. More information on this patch can be found [here](http://public-inbox.org/git/20161201090336.xjbb47bublfcpglo@sigill.intra.peff.net/).
## Other fixes in 8.14.3
- **CE/EE:** Revert signin tab order fix. ([!7538])
- **CE/EE:** Allow dots in group names to pass validation for Create Group and Edit Group forms ([!7723])
- **CE/EE:** Pass commit data to ProcessCommitWorker ([!7744])
- **CE/EE:** Resolve "Merge request dashboard page takes over a minute to load" ([!7760])
- **CE/EE:** Fix GitHub importer to import PR where source repo/fork was renamed/deleted ([!7865])
- **CE/EE:** Fix URL rewritting in the Help section ([!7875])
- **CE/EE:** Fixes ActionView::Template::Error: undefined method `text?` for nil:NilClass ([!7893])
- **EE:** Save some queries on issuable dashboard. ([!935])
- **EE:** Expose add-ons associated to the license in /license endpoint. ([!907])
[!7538]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7538
[!7723]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7723
[!7744]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7744
[!7760]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7760
[!7865]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7865
[!7875]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7875
[!7893]: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/7893
[!935]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/935
[!907]: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/907
## Upgrade barometer
These versions do include a single migration, and will require brief
downtime of typically less than one minute.
Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [`/etc/gitlab/skip-auto-migrations`
file](http://doc.gitlab.com/omnibus/update/README.html).
## Updating
To update, check out our [update page](https://about.gitlab.com/update).
## Enterprise Edition
Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](https://about.gitlab.com/features/#enterprise).
Access to GitLab Enterprise Edition is included with a
[subscription](https://about.gitlab.com/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.
[jobert-twitter]: https://twitter.com/jobertabma
[HackerOne]: https://hackerone.com/
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment