Back to releases
Apr 4, 2018 - James Ritchey  

GitLab Security Release: 10.6.3, 10.5.7, and 10.4.7

Learn more about GitLab Security Release: 10.6.3, 10.5.7, and 10.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE)

Today we are releasing versions 10.6.3, 10.5.7, and 10.4.7 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain a number of important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

The vulnerability details will be made public on our issue tracker in approximately 30 days.

Please read on for more information regarding this release.

Confidential issue comments in Slack, Mattermost, and webhook integrations

Comments on confidential issues were previously sent to webhooks and integrations when notifications were configured to send notes or comments. This applied to custom webhooks, Slack, and Mattermost notifications.

We've introduced a new option to control the sending of confidential notes as well as an option for specifying a different channel for Slack and Mattermost.

Versions Affected

Affects GitLab CE/EE 8.6 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Persistent XSS in milestones data-milestone-id

The milestone dropdown feature contained a persistent XSS issue that is now resolved in the latest release. This issue has been assigned CVE-2018-9244.

Thanks to fransrosen for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 9.2 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Persistent XSS in filename of merge request

Filenames in the changes tab contained a persistent XSS issue that is now resolved in the latest release. This issue has been assigned CVE-2018-9243.

Thanks to fransrosen for responsibly reporting this vulnerability to us.

Versions Affected

Affects GitLab CE/EE 8.4 and up.

Remediation

We strongly recommend that all installations running an affected version above to be upgraded to the latest version as soon as possible.

Upgrade barometer

This release includes one database migration, which can be run without downtime. This migration adds a column to the services table. Another background migration is launched to populate this value.

Updating

To update, check out our update page.

More Posts Like This:

GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8

Learn more about GitLab Critical Security Release: 16.8.1, 16.7.4, 16.6.6, 16.5.8 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Learn more

GitLab 16.8 released with Google Cloud Secret Manager support and the ability to speed up your builds with the Maven dependency proxy

GitLab 16.8 released with Google Cloud Secret Manager support, the ability to speed up your builds with the Maven dependency proxy, general availability of Workspaces, and much more!

Learn more

GitLab Patch Release: 16.7.3 16.6.5 16.5.7

GitLab releases 16.7.3 16.6.5 16.5.7

Learn more

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source