Today we are releasing versions 9.0.4, 8.17.5, and 8.16.9 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain several security fixes, including security upgrades for Mattermost, a fix for script injection using class attributes, a fix for a private project name disclosure vulnerability, a fix for a file path disclosure vulnerability, and fixes for two open redirect vulnerabilities. We recommend that all GitLab installations be upgraded to one of these versions.
Please read on for more details.
Security Upgrade for Mattermost versions 3.7 and 3.6
Mattermost has not yet released full details; however, an important security release was published and Mattermost has advised all users to upgrade immediately. GitLab versions 8.16 and 8.17 have been upgraded to Mattermost 3.6.5 and GitLab version 9.0 has been upgraded to Mattermost 3.7.3. #2179
Unfiltered class attribute in Markdown code
Chalker via HackerOne reported a script injection vulnerability that allowed an attacker to execute GitLab JavaScript code via unfiltered class definitions. This attack is limited to pre-existing JavaScript that can be referenced via class names. #30125
Private project name disclosure in merge requests
Timo Schmid from ERNW reported an information disclosure vulnerability in GitLab merge requests that allowed an attacker to disclose the names of private repositories. #29364
Path disclosure in project import/export
Timo Schmid from ERNW also reported an information disclosure vulnerability in the GitLab project import feature that allowed an attacker to disclose the full path names for GitLab export directories when imports are allowed from GitLab export files. Paths could also be disclosed by repeatedly attempting to create a project export file. #29363
Open redirect vulnerabilities in the GitLab dashboard
Eaden McKee via HackerOne reported three open redirect vulnerabilities in GitLab dashboard pages. The todos, issues, and merge request dashboards were vulnerable. By including a host field in the URL an attacker could redirect a GitLab user to the website of their choosing. #29651
Open redirect vulnerability in project import status
Yasin Soliman via HackerOne reported an open redirect vulnerability in the GitLab project import status page. By including a specially crafted continue[to] field in the URL an attacker could redirect a GitLab user to the website of their choosing. #29651
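A server-side check against the two redirect patterns described above (a host field on the dashboards, a continue[to] field on the import status page), as an added Ruby example that is not GitLab's actual fix. The function names, the list of URL option keys and the sample values are assumptions made for this illustration.

```ruby
require 'uri'

# Keys a Rails-style URL helper reads as URL options instead of query
# parameters (assumed list for this example, not taken from the advisory).
URL_OPTION_KEYS = %w[host protocol port domain subdomain only_path script_name].freeze

# Drop URL-option keys from user-supplied params before they are used to
# build a redirect URL, so a "host" field cannot change the destination.
def strip_url_options(params)
  params.reject { |key, _| URL_OPTION_KEYS.include?(key.to_s) }
end

# Build a dashboard redirect from a fixed path and filtered params only.
def dashboard_redirect(path, params)
  query = URI.encode_www_form(strip_url_options(params))
  query.empty? ? path : "#{path}?#{query}"
end

# Accept a continue[to]-style value only if it is a path on this site.
# Returns the value, or the fallback when it could lead off-site.
def safe_local_path(value, fallback: '/')
  return fallback unless value.is_a?(String) && value.start_with?('/')
  # "//host" and "/\host" are treated by browsers as scheme-relative URLs.
  return fallback if value.start_with?('//', '/\\')
  # Reject control characters, CR and LF included.
  return fallback if value.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(value)
  return fallback if uri.scheme || uri.host || uri.userinfo
  value
rescue URI::InvalidURIError
  fallback
end

# Constructed sample requests (attacker.example is a reserved test domain).
puts dashboard_redirect('/dashboard/todos', 'host' => 'attacker.example', 'state' => 'pending')
puts safe_local_path('//attacker.example/login')
puts safe_local_path('/group/project/import')
```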
Versions affected
Mattermost vulnerability:
- GitLab CE+EE Omnibus (with Mattermost enabled) 7.14-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Unfiltered class attribute in Markdown code:
- GitLab CE+EE 8.0.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Private project name disclosure in merge requests:
- GitLab CE+EE 7.1.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Path disclosure in project import/export:
- GitLab CE+EE 8.8.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Open redirects in dashboards:
- GitLab CE+EE 8.16.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
Open redirect in project import status:
- GitLab CE+EE 8.6.0-8.16.8, 8.17.0-8.17.4, 9.0.0-9.0.3
We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
Upgrade barometer
These versions do not include any migrations and will not require downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.
Updating
To update, check out our update page.
Enterprise Edition
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.