Security Release: 10.4.3, 10.3.7, 10.2.8
Task lists
- 10.2.8: https://gitlab.com/gitlab-org/gitlab-ce/issues/42718
- 10.3.7: https://gitlab.com/gitlab-org/gitlab-ce/issues/42717
- 10.4.3: https://gitlab.com/gitlab-org/gitlab-ce/issues/42716
Patches
- Makes SnippetFinder ensure feature visibility: https://gitlab.com/gitlab-org/gitlab-ce/issues/25223
- LDAP API accessible to all users: https://gitlab.com/gitlab-org/gitlab-ce/issues/41827 (@stanhu)
- Stored XSS for Mermaid markdown vulnerability: https://gitlab.com/gitlab-org/gitlab-ce/issues/41790 (@smcgivern)
- Todo API `mark_as_done` endpoint reveals private todos, merge requests, projects, milestones: https://gitlab.com/gitlab-org/gitlab-ce/issues/42147 (@dbalexandre)
- GitHub import allows user to create child group under existing namespace: https://gitlab.com/gitlab-org/gitlab-ce/issues/41566 (@jameslopez)
- Using wildcards in protected tags to expose protected variables: https://gitlab.com/gitlab-org/gitlab-ce/issues/38984 (@matteeyah)
Backlog
- Large GIT push DoS: https://gitlab.com/gitlab-org/gitlab-ce/issues/17808
- Is GitLab susceptible to an exploding git repository? https://gitlab.com/gitlab-org/gitlab-ce/issues/39078
- Cookie bombs: https://gitlab.com/gitlab-org/gitlab-ce/issues/31049
- git bomb fix in git (waiting on a git release that contains the patch)
- Vulnerability of the SMTP server to a DDoS attack
- Password disclosure in repo mirrors: https://gitlab.com/gitlab-org/gitlab-ee/issues/1999
Edited by Robert Speicher