Release 9.5.4
Be sure to follow the Security Releases guide.
- Picked into respective `stable` branches from the `dev/security` branch. Pick into Stable 9.5 merged merge requests:
  - REFERENCE_TO_MR_TO_PICK
- Push `ce/9-5-stable` to `dev` only: `git push dev 9-5-stable`
- Push `ee/9-5-stable-ee` to `dev` only: `git push dev 9-5-stable-ee`
- Merge `ce/9-5-stable` into `ee/9-5-stable-ee` following the security process
- Push `omnibus-gitlab/9-5-stable` to `dev` only: `git push dev 9-5-stable`
- Push `omnibus-gitlab/9-5-stable-ee` to `dev` only: `git push dev 9-5-stable-ee`
- While waiting for tests to be green, now is a good time to start on the blog post, in a private snippet: https://dev.gitlab.org/snippets/179
  - Ensure the blog post discloses as much information about the vulnerability as is responsibly possible. We aim for clarity and transparency, and try to avoid secrecy and ambiguity.
  - If the vulnerability was responsibly disclosed to us by a security researcher, ensure they're publicly acknowledged and thank them again privately as well.
- Ensure tests are green on CE
- Ensure tests are green on EE
- Check for any problematic migrations in EE (EE migrations include CE ones), and paste the diff in a snippet: `git diff v9.5.3-ee..9-5-stable-ee -- db/migrate` =>
- Tag the `9.5.4` version using the `release` task:
  ```sh
  SECURITY=true bundle exec rake "release[9.5.4]"
  ```
- Check that EE packages are built, CE packages are built and appear on `packages.gitlab.com`: EE / CE
- In `#production`:
  ```
  I'm going to deploy `9.5.4` to staging
  ```
- Deploy `9.5.4` to staging.gitlab.com
- In `#production`:
  ```
  I'm going to deploy `9.5.4` to production
  ```
- Deploy `9.5.4` to GitLab.com
- Create the `9.5.4` version on https://version.gitlab.com
- Mark any applicable previous releases as vulnerable on https://version.gitlab.com.
- Check for any sensitive information in the confidential security issues, and redact it if needed
- Create the blog post merge request
- Deploy the blog post
- Push `ce/9-5-stable` to all remotes
- Push `ee/9-5-stable-ee` to all remotes
- Push tags to all remotes
- Make the confidential security issues public
- Tweet (prepare the Tweet text below or paste the tweet URL instead):
  ```
  GitLab 9.5.4 is released! BLOG_POST_URL DESCRIPTION OF THE CHANGES
  ```
- Coordinate with the Marketing team to send out a security newsletter
- In the 9.5 Regressions issue:
  - Add the following notice:
    ```
    `9.5.4` has been tagged, further fixes will go into `9.5.5` as necessary.
    ```
  - Remove notes for the regressions fixed by version `9.5.4`
- Cherry-pick the merges from the `security` branch into `master` and push to all remotes.
- Add `omnibus-gitlab/9.5.4+ce.0` `CHANGELOG.md` items to `omnibus-gitlab/master` `CHANGELOG.md`
For references: