Today we are releasing versions 10.0.4, 9.5.9, and 9.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).
These versions contain several security fixes, including fixes for two persistent Cross-Site Scripting (XSS) vulnerabilities, an open redirect vulnerability, a bug when changing usernames that could leave behind and leak repositories, an information leakage vulnerability in private issue names, and security updates for Ruby and libxml2. We recommend that all GitLab installations be upgraded to one of these versions.
Please read on for more details.
Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization filter
Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS) vulnerability in the GitLab markdown sanitization filter. The sanitization filter was not properly stripping invalid characters from URL schemes and was therefore vulnerable to persistent XSS attacks anywhere Markdown was supported. #38272
Cross-Site Scripting (XSS) vulnerability in search bar
Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the issue search bar. Usernames were not being properly HTML escaped inside the author filter would could allow arbitrary script execution. #38267
Open redirect in repository git
redirects
Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an open redirect
vulnerability when redirecting requests for repository names that include the git
extension. GitLab was not properly removing dangerous parameters from the params
field before redirecting which could allow an attacker to redirect users to
arbitrary hosts. #37715
Username changes could leave repositories behind
An internal code review discovered that a bug in the code that moves repositories during a username change could potentially leave behind projects, allowing an attacker who knows the previous username to potentially steal the contents of repositories on instances that are not configured with hashed namespaces. #38126
Confidential issue names could leak in "related issues" feature
An internal code review discovered that confidential issue titles could leak when referenced as "related issues". GitLab EE was not properly filtering confidential issues in the related issues feature for users that did not have access to these issues. #3435
Ruby update
The version of Ruby included with GitLab Omnibus CE+EE packages has been updated to 2.3.5 to patch a potential SMTP injection vulnerability that could allow attackers to use a GitLab instance to send arbitrary emails. A patch is also included to support the use of carriage returns as email separators in pipeline alert email recipient lists so that installations improperly using carriage returns as email separators do not break. HackerOne Report
Libxml2 update
The version of libxml2 included with GitLab Omnibus CE+EE packages has been updated to 2.9.6 to patch several security vulnerabilities. XMLSoft
Versions affected
Cross-Site Scripting (XSS) vulnerability in markdown:
- GitLab CE+EE 2.8.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
Cross-Site Scripting (XSS) vulnerability in search bar
- GitLab CE+EE 9.3.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
Open redirect in repository git redirects
- GitLab CE+EE 9.2.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
Username changes could leave repositories behind
- GitLab CE+EE 9.5.0-9.5.8, 10.0.0-10.0.3
Confidential issue names could leak in "related issues" feature
- GitLab EE 9.4.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
Ruby update
- GitLab CE+EE 8.14.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
Libxml2 update
- GitLab CE+EE 1.1.1-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3
We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
Upgrade barometer
These versions do not include any migrations and will not require downtime.
Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.
Updating
To update, check out our update page.
Enterprise Edition
Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.
Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback