Missing security fix(es?) in EE master
At least https://gitlab.com/gitlab-org/gitlab-ee/issues/3271 -> https://dev.gitlab.org/gitlab/gitlab-ee/merge_requests/536/diffs is not present in EE master. We patched 9.5, 9.4 and 9.3, and the fix appears in 10.0, but EE master, and 10.1 look vulnerable.
Compare:
- https://gitlab.com/gitlab-org/gitlab-ee/blob/v9.5.3-ee/app/models/geo_node_key.rb (vulnerable - released before the fix was made)
- https://gitlab.com/gitlab-org/gitlab-ee/blob/v9.5.4-ee/app/models/geo_node_key.rb (fixed)
- https://gitlab.com/gitlab-org/gitlab-ee/blob/v10.0.0-ee/app/models/geo_node_key.rb (fixed)
- https://gitlab.com/gitlab-org/gitlab-ee/blob/v10.1.0-ee/app/models/geo_node_key.rb (vulnerable)
- https://gitlab.com/gitlab-org/gitlab-ee/blob/master/app/models/geo_node_key.rb (vulnerable)
Are there other patches missing? Presumably we're missing some sort of process, or it's not being followed, for security patches in EE?
Edited by Nick Thomas