Security Release: 10.5.3, 10.4.5, 10.3.8
Current due date is a rough estimate more than a deadline.
Task Lists

- 10.2.9: https://gitlab.com/gitlab-org/gitlab-ce/issues/43398
- 10.3.8: https://gitlab.com/gitlab-org/gitlab-ce/issues/43399
- 10.4.5: https://gitlab.com/gitlab-org/gitlab-ce/issues/43262
- 10.5.0-rc10: https://gitlab.com/gitlab-org/release/tasks/issues/101
- 10.5.3: https://gitlab.com/gitlab-org/gitlab-ce/issues/43663

Patches

- https://gitlab.com/gitlab-org/gitlab-ce/issues/42775 - 2FA Recovery Codes can be used more than once
  - CE master:
  - CE 10.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2324 - Picked ✅
  - CE 10.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2327 - Picked ✅
  - CE 10.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2328 - Picked ✅
  - CE 10.2: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2329
- omnibus-gitlab#3154 (closed) - Geo: Failover can be done by any user
  - Omnibus EE master: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/55
  - Omnibus EE master: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/586 (documentation fix for source install)
  - Omnibus EE 10.5: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/56 - Picked ✅
  - Omnibus EE 10.4: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/57 - Picked ✅
  - Omnibus EE 10.3: N/A (feature was introduced in 10.4)
- gitlab-pages#97 (closed) - Fix open redirect and possible symlink traversal issues in GitLab Pages
  - Pages: https://dev.gitlab.org/gitlab/gitlab-pages/merge_requests/3
  - CE master:
  - CE 10.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2330 - Picked ✅
  - CE 10.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2318 - Picked ✅
  - CE 10.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2319 - Picked ✅
  - CE 10.2: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2320
  The only unusual part of a Pages security release is that we have to merge to master and tag v0.6.1 on dev; once that is done, it blocks new ordinary releases until the security release is complete.
  Once the security release is complete, we merge the dev gitlab-pages master into the gitlab.com gitlab-pages master and sync the v0.6.1 tag over as well.
- https://gitlab.com/gitlab-org/gitlab-ee/issues/4471 - Enabling member lock and group lock allows the project to be shared with a group
  - CE master:
  - CE 10.5: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/597 - Picked ✅
  - CE 10.4: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/596 - Picked ✅
  - CE 10.3: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/578 - Picked ✅
  - CE 10.2: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/579
  - CE 10.1: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/581
- https://gitlab.com/gitlab-org/gitlab-ee/issues/4993 - LDAP API security change caused regression in LDAP group sync
  - EE master:
  - EE 10.5: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/594 - Picked ✅
  - EE 10.4: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/591 - Picked ✅
  - EE 10.3: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/592 - Picked ✅
  - EE 10.2: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/593
- https://gitlab.com/gitlab-org/gitlab-ee/issues/3101 - Prevent new push rules from using non-RE2 regexes
  - EE master:
  - EE 10.5: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/598 - Picked ✅
  - EE 10.4: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/562 - Picked ✅
  - EE 10.3: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/599 - Picked ✅

Backlog

- https://gitlab.com/gitlab-org/gitlab-ce/issues/32503 - Prevent notes on confidential issues from being sent to chat
  - GitLab CE 10.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2339
  - GitLab CE 10.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2248
  - GitLab CE 10.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2338
- https://gitlab.com/gitlab-org/gitlab-ce/issues/15329 - Server Side Request Forgery in Services and Web Hooks
  - CE master: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2337
  - GitLab CE 10.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2348
  - GitLab CE 10.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2347
  - GitLab CE 10.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2346
  - EE master: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/603/
  - GitLab EE 10.5: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/604
  - GitLab EE 10.4: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/605
  - GitLab EE 10.3: https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/606

Removed

See https://gitlab.com/gitlab-org/gitlab-ce/issues/43260#note_60046222

- https://gitlab.com/gitlab-org/gitlab-ce/issues/29497 - Add DNS verification to Pages custom domains
  - CE 10.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2322
  - CE 10.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2331 - rspeicher: Canceled 10.4 port
  - Omnibus dev/master: https://dev.gitlab.org/gitlab/omnibus-gitlab/merge_requests/58

Blogpost

- https://dev.gitlab.org/gitlab/www-gitlab-com/merge_requests/31
- gitlab-com/www-gitlab-com!10377 (merged)