GitLab 10.0.4, 9.5.9, and 9.4.7 released

Today we are releasing versions 10.0.4, 9.5.9, and 9.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain several security fixes, including fixes for two persistent Cross-Site Scripting (XSS) vulnerabilities, an open redirect vulnerability, a bug when changing usernames that could leave behind and leak repositories, an information leakage vulnerability in private issue names, and security updates for Ruby and libxml2. We recommend that all GitLab installations be upgraded to one of these versions.

Please read on for more details.

Cross-Site Scripting (XSS) vulnerability in the Markdown sanitization filter

Yasin Soliman via HackerOne reported a Cross-Site Scripting (XSS) vulnerability in the GitLab markdown sanitization filter. The sanitization filter was not properly stripping invalid characters from URL schemes and was therefore vulnerable to persistent XSS attacks anywhere Markdown was supported. #38272

Cross-Site Scripting (XSS) vulnerability in search bar

Josh Unger reported a Cross-Site Scripting (XSS) vulnerability in the issue search bar. Usernames were not being properly HTML escaped inside the author filter would could allow arbitrary script execution. #38267

Open redirect in repository git redirects

Eric Rafaloff via HackerOne reported that GitLab was vulnerable to an open redirect vulnerability when redirecting requests for repository names that include the git extension. GitLab was not properly removing dangerous parameters from the params field before redirecting which could allow an attacker to redirect users to arbitrary hosts. #37715

Username changes could leave repositories behind

An internal code review discovered that a bug in the code that moves repositories during a username change could potentially leave behind projects, allowing an attacker who knows the previous username to potentially steal the contents of repositories on instances that are not configured with hashed namespaces. #38126

Confidential issue names could leak in "related issues" feature

An internal code review discovered that confidential issue titles could leak when referenced as "related issues". GitLab EE was not properly filtering confidential issues in the related issues feature for users that did not have access to these issues. #3435

Ruby update

The version of Ruby included with GitLab Omnibus CE+EE packages has been updated to 2.3.5 to patch a potential SMTP injection vulnerability that could allow attackers to use a GitLab instance to send arbitrary emails. A patch is also included to support the use of carriage returns as email separators in pipeline alert email recipient lists so that installations improperly using carriage returns as email separators do not break. HackerOne Report

Libxml2 update

The version of libxml2 included with GitLab Omnibus CE+EE packages has been updated to 2.9.6 to patch several security vulnerabilities. XMLSoft

Versions affected

Cross-Site Scripting (XSS) vulnerability in markdown:

• GitLab CE+EE 2.8.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Cross-Site Scripting (XSS) vulnerability in search bar

• GitLab CE+EE 9.3.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Open redirect in repository git redirects

• GitLab CE+EE 9.2.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Username changes could leave repositories behind

• GitLab CE+EE 9.5.0-9.5.8, 10.0.0-10.0.3

Confidential issue names could leak in "related issues" feature

• GitLab EE 9.4.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Ruby update

• GitLab CE+EE 8.14.0-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

Libxml2 update

• GitLab CE+EE 1.1.1-9.4.6, 9.5.0-9.5.8, 10.0.0-10.0.3

We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.

Upgrade barometer

These versions do not include any migrations and will not require downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.