Apr 20, 2016 - GitLab  

GitLab 8.6.7, 8.5.11, 8.4.9, and 8.3.8 Released

Learn more about GitLab Release 8.6.7, 8.5.11, 8.4.9, and 8.3.8 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 8.6.7, 8.5.11, 8.4.9, and 8.3.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Versions 8.3.8, 8.4.9, and 8.5.11 contain fixes for one persistent XSS vulnerability and an information leak for private groups. Version 8.6.7 contains both of those fixes as well as a fix for one additional persistent XSS vulnerability that was only present in the 8.6 release.

Please read on for more details.

Persistent XSS vulnerability in commit author emails

The contents of a user-supplied Git commit author or committer email were being inserted into the page without proper escaping. See the issue for more details.

Thanks to Teun Beijers for responsibly disclosing this issue to us.

Persistent XSS vulnerability in label and milestone dropdowns

The contents of milestone and label titles were being inserted into the Milestone and Label dropdowns without proper escaping. See the issue for more details.

This vulnerability was only present in versions 8.6.0 through 8.6.6.

Thanks to RonMurz on HackerOne for responsibly disclosing this issue to us.

Enumeration of private projects belonging to a group

Jobert Abma of HackerOne alerted us to a security vulnerability related to the "share project with group" feature.

An unprivileged user was able to share a project with a group he didn't have access to, and therefore gain partial access to that group, which opened possibilities for further actions like listing private projects in that group.

Upgrade barometer

These versions do not include any new migrations, and should not require any downtime.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source