Today we are releasing versions 8.14.3, 8.13.8, and 8.12.11 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to one of these versions immediately.

Please read on for more details.

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

Jobert Abma of HackerOne reported a critical vulnerability in the GitLab Issue and Merge Request trackers that could allow a user with access to any project to delete all issues and merge requests from all GitLab projects. For GitLab instances with publicly available projects this vulnerability could be exploited by an unauthenticated user.

This issue is the result of un-sanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0. Please see the issue for more details.

This issue has been assigned CVE-2016-9469.

Versions affected

8.14.0 through 8.14.2

8.13.0 through 8.13.7

We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible.

Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

You only need to apply one of these workarounds.

Securing via Omnibus configuration

For Omnibus installations using the bundled Nginx web server, edit /etc/gitlab/gitlab.rb and add the following line:

nginx [ 'custom_gitlab_server_config' ] = "if ($args ~* 'state=delete|state=destroy') { return 404; }

"

Then run sudo gitlab-ctl reconfigure for the changes to take effect.

Securing via web server configuration

If you are using an external web server with Omnibus or have installed GitLab from source, add the following lines to your web server's configuration file.

For Nginx:

if ( $args ~ * 'state=delete|state=destroy') { return 403 ; }

For Apache with mod_rewrite:

RewriteEngine On RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC] RewriteRule ^(.*)$ - [F,L]

Then reload the server for changes to take effect.

Securing via HAProxy configuration

Add the following lines to your configuration and restart the service:

acl bad_filter_uri path_sub,url_dec -i state=destroy state=delete http-request deny if bad_filter_uri

Securing via patch

To temporarily patch just the critical vulnerability, apply the following diff:

diff --git a/app/finders/issuable_finder.rb b/app/finders/issuable_finder.rb index e42d5af..2c9412b 100644 --- a/app/finders/issuable_finder.rb +++ b/app/finders/issuable_finder.rb @@ -7,7 +7,7 @@ # current_user - which user use # params: # scope: 'created-by-me' or 'assigned-to-me' or 'all' -# state: 'open' or 'closed' or 'all' +# state: 'opened' or 'closed' or 'all' # group_id: integer # project_id: integer # milestone_title: string @@ -183,10 +183,13 @@ class IssuableFinder end def by_state(items) - params[:state] ||= 'all' - - if items.respond_to?(params[:state]) - items.public_send(params[:state]) + case params[:state].to_s + when 'closed' + items.closed + when 'merged' + items.respond_to?(:merged) ? items.merged : items.closed + when 'opened' + items.opened else items end

Verifying the workaround

Browse to a project Open the project's issue tracker Choose the "closed" tab Adjust the "state" field in your browser's address bar to "deleteme" Verify you receive a 403 Forbidden error

Note: If you only applied the patch you will receive no errors here.

Git Security Patch

Omnibus packages for these versions contain a security patch for git 2.7.4 that prevents malicious repositories from using HTTP redirects to steal or corrupt data. More information on this patch can be found here.

Other fixes in 8.14.3

CE/EE: Revert signin tab order fix. (!7538)

Revert signin tab order fix. (!7538) CE/EE: Allow dots in group names to pass validation for Create Group and Edit Group forms (!7723)

Allow dots in group names to pass validation for Create Group and Edit Group forms (!7723) CE/EE: Pass commit data to ProcessCommitWorker (!7744)

Pass commit data to ProcessCommitWorker (!7744) CE/EE: Resolve "Merge request dashboard page takes over a minute to load" (!7760)

Resolve "Merge request dashboard page takes over a minute to load" (!7760) CE/EE: Fix GitHub importer to import PR where source repo/fork was renamed/deleted (!7865)

Fix GitHub importer to import PR where source repo/fork was renamed/deleted (!7865) CE/EE: Fix URL rewritting in the Help section (!7875)

Fix URL rewritting in the Help section (!7875) CE/EE: Fixes ActionView::Template::Error: undefined method text? for nil:NilClass (!7893)

EE: Save some queries on issuable dashboard. (!935)

Save some queries on issuable dashboard. (!935) EE: Expose add-ons associated to the license in /license endpoint. (!907)

Upgrade barometer

These versions do include a single migration, and will require brief downtime of typically less than one minute.

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a /etc/gitlab/skip-auto-migrations file.

Updating

To update, check out our update page.

Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the features exclusive to EE.

Access to GitLab Enterprise Edition is included with a subscription. No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.