---
title: "GitLab 8.13.3, 8.12.8, 8.11.10, and 8.10.13 Released"
date: 2016-11-02 23:50
author: GitLab
author_twitter: gitlab
categories: releases
tags: security, releases
---

Today we are releasing versions 8.13.3, 8.12.8, 8.11.10, and 8.10.13 for GitLab
Community Edition (CE) and Enterprise Edition (EE).

These versions contain an important security fix for a critical directory
traversal vulnerability, and we **strongly recommend** that all GitLab
installations be upgraded to one of these versions **immediately**.

Please read on for more details.

<!-- more -->

## Directory traversal via "import/export" feature: `CVE-2016-9086`

[Jobert Abma] from [HackerOne] disclosed a critical security flaw in the "import/export
project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to
export and then re-import their projects as tape archive files (tar). All
GitLab versions prior to 8.13.0 restricted this feature to administrators only.
Starting with version 8.13.0 this feature was made available to all users.

This feature did not properly check for symbolic links in user-provided archives
and therefore it was possible for an authenticated user to retrieve the contents
of any file accessible to the GitLab service account. This included sensitive
files such as those that contain secret tokens used by the GitLab service to
authenticate users. Please see [the issue](https://gitlab.com/gitlab-org/gitlab-ce/issues/23822) for more details.

This issue has been assigned [CVE-2016-9086][CVE].

[15548]: https://gitlab.com/gitlab-org/gitlab-ce/issues/23822
[CVE]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9086

### Versions affected

- 8.13.0 through 8.13.2
- 8.12.0 through 8.12.7
- 8.11.0 through 8.11.9
- 8.10.0 through 8.10.12
- 8.9.0 through 8.9.11

We **strongly recommend** that all installations running a version mentioned
above be upgraded as soon as possible. Please note that no patch is being
provided for GitLab versions 8.9.x. Those running versions 8.9.0 through
8.9.11 who cannot upgrade to a newer version should use the workaround listed
below.

### Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation
against this vulnerability using the workaround outlined below until you have
time to upgrade.

#### Disable Project Import/Export via Tape Archive
Login using an administrator account to your GitLab installation and perform the
following:

1. Choose "Admin Area"
1. Click "Settings"
1. Under "Import Sources" disable the "GitLab export" option.
1. Click Save

### Verifying the workaround

1. In a Browser Window, login as any user
1. Click "Projects"
1. Click "New Project"
1. Enter a project name
1. Verify that "GitLab export" does not appear as an import option

## Upgrade barometer

These versions do not include any new migrations, and should not require any
downtime.

Please be aware that by default the Omnibus packages will stop, run migrations,
and start again, no matter how “big” or “small” the upgrade is. This behavior
can be changed by adding a [`/etc/gitlab/skip-auto-migrations`
file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to
EE](/features/#enterprise).

Access to GitLab Enterprise Edition is included with a
[subscription](/pricing/). No time to upgrade GitLab
yourself? Subscribers receive upgrade and installation services.

[Jobert Abma]: https://twitter.com/jobertabma
[HackerOne]: https://hackerone.com/jobert