Security Release 9.5.4
9.5.4 Build status:
- 9.5: https://dev.gitlab.org/gitlab/gitlabhq/commits/security-9-5
- 9.4: https://dev.gitlab.org/gitlab/gitlabhq/commits/security-9-4
- 9.3: https://dev.gitlab.org/gitlab/gitlabhq/commits/security-9-3
Security issues:
- #36979 (closed): Cross-site Scripting (XSS) vulnerability in profile names: Affected versions xxx, fixes:
- #36979 (closed): second fix for XSS in profile names:
- #37344 (closed): third fix for XSS in profile names:
- #31508 (closed): RXSS in go-get: Affected versions xxx, fixes:
  - 9.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2128
  - 9.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2128 (picked into security-9-4)
  - 9.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2128 (picked into security-9-3)
- #29652 (closed): Race condition in project uploads: Affected versions xxx, fixes:
  - 9.5: (not required)
  - 9.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2141
  - 9.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2142
- #31045 (closed): CSRF token leakage via JS and location.pathname: Affected versions xxx, fixes:
  - 9.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2147
  - 9.4:
  - 9.3: Conflict resolution: https://dev.gitlab.org/gitlab/gitlabhq/commit/659119a6d080c5d91bcd155cb4c79c85d993c311
- #36743 (closed): Deleting a user doesn't delete the repo: Affected versions 9.5 -> 8.17, fixes:
- #XXXX: Mattermost Update: Affected versions xxx, fixes:
  - 9.5: [Already merged to 9-5-stable]
  - 9.4: [Already merged to 9-4-stable]
  - 9.3: [Already merged to 9-3-stable]
- #36098 (closed): White-listed style attribute for table contents in MD enables UI redressing: Affected versions xxx, fixes:
- #36104 (closed): DOM clobbering in sanitized MD causes errors: Affected versions xxx, fixes:
- #29992 (closed): Nokogiri needs to be updated: Affected versions: , Fixes:
  - 9.5: https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/13662 (already merged into master)
  - 9.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2182
  - 9.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2181
** EE Specific **
- https://gitlab.com/gitlab-org/gitlab-ee/issues/3271 Security risk in recommended Geo secondary configuration could give all users access to all repositories. Affected versions xxx, fixes:
** Pages **
- gitlab-pages#75 (closed): Private certificate disclosure via Symlinks: Affected versions xxx, fixes:
  - 9.5: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2159
  - 9.4: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2158
  - 9.3: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2157
  - Pages MR 0.5.1: https://dev.gitlab.org/gitlab/gitlab-pages/merge_requests/1
  - Pages MR 0.4.4: https://dev.gitlab.org/gitlab/gitlab-pages/merge_requests/2
Releases:
- 9.5.x: [issue]
- 9.4.x: [issue]
- 9.3.x: [issue]
Release Managers: @jivanvl @psimyn
Security Lead: @briann
- Merge all patches to dev.gitlab.org (owner: dev team)
- Fix build failures (owner: Release Manager)
- Merge stable branches into security branches (owner: Release Manager)
  - 9.5 CE stable to security
  - 9.4 CE stable to security
  - 9.3 CE stable to security
  - 9.5 EE stable to security
  - 9.4 EE stable to security
  - 9.3 EE stable to security
- Cherry-pick all patches to releases (owner: Release Manager)
  - Create a security-9-5 branch off 9-5-stable (if needed)
  - Verify that each security branch has all the fixes
- Merge CE security branches to their respective EE security branches
  - security-9-5-ee
  - security-9-4-ee
  - security-9-3-ee
  - Create a
- Verify that all six security branches have green builds
- Pick changes from the security branches to the stable branches
- Verify that all six stable branches have passing builds
- Validate security fixes for 9.5.x (owner: dev team)
- Write private blog post (snippet) on dev.gitlab.org about security update: (owner: Security Lead)
- Build 9.5.x test packages for staging, GitLab.com (owner: Release Manager)
- Deploy 9.5.x to staging (owner: Release Manager)
- Deploy 9.5.x to GitLab.com (owner: Release Manager)
- Build packages for all versions (owner: Release Manager)
- Validate security fixes for all releases (owner: dev team)
- Remove confidentiality from disclosure issues. (owner: Security Lead)
- Update GitHost.io (owner: githost / infrastructure)
- Add version.gitlab.com entries (owner: Release Manager)
- Publish blog post (owner: Release Manager)
- Publish latest code to GitLab.com (owner: Release Manager)
- Tweet: TBD (owner: Release Manager)
- Email, etc. (owner: marketing)
- Update vulnerability acknowledgements (owner: Security Lead)
- Follow-up with disclosure reports to inform/thank security researchers (owner: Security Lead)
- Approve request(s) for disclosure on HackerOne (owner: Security Lead)
Note that we should not publish code or the packages to the public until everything is ready.
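The checklist items "Verify that each security branch has all the fixes" and "Pick changes from the security branches to the stable branches" hinge on one git detail: a fix that is cherry-picked into security-9-4 or security-9-3 gets a new commit SHA on each branch, so checking whether the original commit is an ancestor of a branch reports a fix as missing when it is actually present. The script below is an added example, not part of this checklist and not GitLab's own release tooling. It checks each (branch, fix) pair by ancestry first and by patch-id second, using `git cherry`, which is the git command that compares patches rather than SHAs. It assumes git is installed and that fix commits have a parent; the repository it builds under mktemp, the branch names 9-5-stable, security-9-5 and security-9-4, and the two fix commits are constructed sample data.

```shell
#!/bin/sh
# Added example, not part of the GitLab release checklist or GitLab's tooling.
# Checks that every security branch carries every fix. Cherry-picked fixes
# have a different SHA on each branch, so ancestry alone is not enough; the
# fallback compares patch-ids via git cherry.
# Assumes: git is installed; fix commits are non-root (have a parent).
set -e
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# branch_has_fix REPO BRANCH FIX
# Returns 0 if FIX is an ancestor of BRANCH, or BRANCH has a commit with the
# same patch-id (a cherry-pick of FIX). Returns 1 if missing, 2 on git error.
branch_has_fix() {
    local repo="$1" branch="$2" fix="$3" out
    if git -C "$repo" merge-base --is-ancestor "$fix" "$branch"; then
        return 0
    fi
    # git cherry UPSTREAM HEAD LIMIT lists commits reachable from HEAD but not
    # UPSTREAM: "+ <sha>" when UPSTREAM has no patch-id equivalent, "- <sha>"
    # when it does. LIMIT=FIX^ narrows the candidates to FIX itself.
    out=$(git -C "$repo" cherry "$branch" "$fix" "$fix^") || return 2
    case "$out" in
        "+ "*) return 1 ;;
        *)     return 0 ;;
    esac
}

# verify_fixes REPO "BRANCH ..." "FIX ..."
# Prints one line per (branch, fix) pair; returns 0 only if nothing is missing.
verify_fixes() {
    local repo="$1" branches="$2" fixes="$3" b f missing=0
    for b in $branches; do
        for f in $fixes; do
            if branch_has_fix "$repo" "$b" "$f"; then
                echo "ok       $b has $f"
            else
                echo "MISSING  $b lacks $f"
                missing=1
            fi
        done
    done
    return "$missing"
}

# make_demo_repo DIR
# Constructs a toy repository (sample data, not real GitLab history):
# 9-5-stable, security-9-5 with two fixes on top, and security-9-4 which only
# received a cherry-pick of the first fix. Prints "<fixA> <fixB>".
make_demo_repo() {
    local dir="$1" a b
    git -c init.defaultBranch=main init -q "$dir"
    echo "app v9.5" > "$dir/app.rb"
    git -C "$dir" add app.rb
    git -C "$dir" commit -q -m "9.5 baseline"
    git -C "$dir" branch -q 9-5-stable
    git -C "$dir" checkout -q -b security-9-5
    echo "escape(profile_name)" >> "$dir/app.rb"
    git -C "$dir" commit -qam "Fix XSS in profile names"
    a=$(git -C "$dir" rev-parse HEAD)
    echo "sanitize(go_get_path)" >> "$dir/app.rb"
    git -C "$dir" commit -qam "Fix RXSS in go-get"
    b=$(git -C "$dir" rev-parse HEAD)
    git -C "$dir" checkout -q -b security-9-4 9-5-stable
    git -C "$dir" cherry-pick "$a" > /dev/null   # new SHA, same patch-id as $a
    git -C "$dir" checkout -q 9-5-stable
    echo "$a $b"
}

# Demo on the constructed repository. On a real checkout, call verify_fixes
# with the repo path, the security branch names and the fix SHAs instead.
demo_dir=$(mktemp -d)
demo_fixes=$(make_demo_repo "$demo_dir/repo")
if verify_fixes "$demo_dir/repo" "security-9-5 security-9-4" "$demo_fixes"; then
    echo "all security branches carry all fixes"
else
    echo "at least one security branch is missing a fix"
fi
rm -rf "$demo_dir"
```

In the demo, security-9-4 reports the first fix as present even though its SHA differs (the patch-id matches the cherry-pick) and the second as missing, which is the gap this check is meant to catch before packages are built. A non-zero exit from verify_fixes is the signal to stop the release until the branch is fixed.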