---
layout: post
title: "GitLab 9.2.5, 9.1.7, and 9.0.10 released"
date: 2017-06-07
author: Brian Neel
author_twitter: b0bby_tables
author_gitlab: briann
categories: releases
tags: patch releases, releases
---

Today we are releasing versions 9.2.5, 9.1.7, and 9.0.10 for GitLab Community Edition (CE) and Enterprise Edition (EE).

**Note: Please see the warnings in the Upgrade barometer section before upgrading.**

**Note: Versions 9.2.3-9.2.4, 9.1.5-9.1.6, and 9.0.8-9.0.9 contain incomplete fixes for the reserved namespaces / group renaming issue.**

These versions contain several security fixes, including a fix for a difficult-to-exploit persistent Cross-Site Scripting (XSS) vulnerability, improvements to API protections when using session authentication, fixes for several information disclosure vulnerabilities, and a fix for a flaw that could allow the deletion of project avatars.

We recommend that all GitLab installations be upgraded to one of these versions. Please read on for more details.

## Cross-Site Scripting (XSS) vulnerability when editing comments

A GitLab.com user reported that recent changes to Markdown rendering, designed to improve performance by allowing comments to be rendered client-side, opened a persistent Cross-Site Scripting (XSS) vulnerability when comments are edited and then re-saved. This vulnerability is difficult to exploit because a victim must be tricked into editing and then saving another user's comment. [#32908]

[#32908]: https://gitlab.com/gitlab-org/gitlab-ce/issues/32908

## API vulnerable to embedding in iFrames using Session Auth

A tip from a Twitter user led to an internal code audit that discovered a malicious website could embed a GitLab API URL inside an iFrame, possibly tricking a user into thinking that the website had access to the user's GitLab user information.
This attack would not disclose the user's data to the malicious website, but it could cause confusion, so the API now adds an `X-Frame-Options` header to prevent API content from being included in iFrames. [#32557]

[#32557]: https://gitlab.com/gitlab-org/gitlab-ce/issues/32557

## Accidental or malicious use of reserved names in group names could cause deletion of all project avatars

A GitLab.com user reported that creating a group named `project` and then renaming the group would cause all project avatars to be deleted. This was due to an improperly constructed path variable when renaming files. To help prevent this from happening again, all avatar uploads have been moved from `/public/uploads/(user|group|project)` to `/public/uploads/system/(user|group|project)`, and `system` has been made a reserved namespace. A migration included with this release will rename any existing top-level `system` namespace to `system0` (or `system1`, `system2`, etc.). [#28917]

[#28917]: https://gitlab.com/gitlab-org/gitlab-ce/issues/28917

## Unauthenticated disclosure of usernames in autocomplete controller

[HackerOne] reporter [Evelyn Lee] reported that usernames could be enumerated using the `autocomplete/users.json` endpoint without authenticating. This could allow an unauthenticated attacker to gather a list of all valid usernames from a GitLab instance. [#31842]

[#31842]: https://gitlab.com/gitlab-org/gitlab-ce/issues/31842
[HackerOne]: https://hackerone.com
[Evelyn Lee]: https://hackerone.com/evelynleems

## Information leakage with references to private project snippets

GitLab.com user Patrick Fiedler reported that titles of private project snippets could leak when they were referenced in other issues, merge requests, or comments.
[#25934]

[#25934]: https://gitlab.com/gitlab-org/gitlab-ce/issues/25934

## Elasticsearch does not implement external user checks correctly

An internal code review discovered that, on instances with Elasticsearch enabled, GitLab allowed external users to view internal project data. This could unintentionally expose sensitive information to external users. This vulnerability only affects EE installations with Elasticsearch enabled. [#2337]

[#2337]: https://gitlab.com/gitlab-org/gitlab-ee/issues/2337

### Versions affected

Cross-Site Scripting (XSS) vulnerability when editing comments:

- GitLab CE+EE 9.2.0-9.2.2

API vulnerable to embedding in iFrames using Session Auth:

- GitLab CE+EE 8.13.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

Accidental or malicious use of reserved names in group names could cause deletion of all project avatars:

- GitLab CE+EE 4.0.0-9.0.9, 9.1.0-9.1.6, 9.2.0-9.2.4

Unauthenticated disclosure of usernames in autocomplete controller:

- GitLab CE+EE 8.7.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

Information leakage with references to private project snippets:

- GitLab CE+EE 8.9.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3

Elasticsearch does not implement external user checks correctly:

- GitLab EE 8.7.0-9.0.7, 9.1.0-9.1.4, 9.2.0-9.2.2

We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.

## Upgrade barometer

These versions include two migrations that do not require downtime but **must be run on a node with access to the directories containing repositories and uploads**.

The first migration renames any user or top-level group with the name `system` to `system0` (or `system1`, `system2`, etc.).
**Before running this update, please be sure to back up all repositories and file uploads in `/var/opt/gitlab/git-data` and `/var/opt/gitlab/gitlab-rails/uploads`.**

The second migration moves all user, group, and project avatars and older note and appearance uploads from `/public/uploads/(user|note|group|project|appearance)` to `/public/uploads/system/(user|note|group|project|appearance)`.

To refresh avatar links, the database cache must be cleared. This is normally done automatically with every upgrade. If you have disabled the rake task that clears the cache, you will need to re-enable it or manually clear the Rails cache after upgrading, because the project avatar locations have changed:

`gitlab-rake cache:clear`

Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a [/etc/gitlab/skip-auto-migrations file](http://doc.gitlab.com/omnibus/update/README.html).

## Updating

To update, check out our [update page](/update).

## Enterprise Edition

Interested in GitLab Enterprise Edition? Check out the [features exclusive to EE](/features/#enterprise).

Access to GitLab Enterprise Edition is included with a [subscription](/pricing/).

No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.
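After updating, two of the server-side fixes described above can be confirmed from the command line: that API responses now carry the `X-Frame-Options` header, and that `autocomplete/users.json` no longer answers anonymous requests with a 200. This is an added example, not code from the GitLab post; it assumes `curl` is installed, that `GITLAB_URL` points at your own instance, and that `/api/v4/version` is a convenient API URL to probe (any API path would do), and the helper names are hypothetical.

```shell
#!/bin/sh
# Added post-upgrade check (not GitLab's own code). Raw HTTP response headers,
# as printed by `curl -D -`, are fed into two small helpers so the logic can
# also be exercised on constructed header text without a live instance.

# 0 if the header block carries X-Frame-Options with a value browsers honour
# for framing denial (DENY or SAMEORIGIN); 1 otherwise.
has_frame_options() {
  printf '%s\n' "$1" | tr -d '\r' \
    | grep -i '^x-frame-options:' | grep -iqE 'DENY|SAMEORIGIN'
}

# 0 if the status line is anything other than 200, i.e. the endpoint refused
# an unauthenticated request (401/403, or a redirect to the sign-in page).
denies_unauthenticated() {
  status=$(printf '%s\n' "$1" | tr -d '\r' \
    | sed -n '1s/^HTTP[^ ]* \([0-9]*\).*/\1/p')
  [ -n "$status" ] && [ "$status" != "200" ]
}

# GET (not HEAD, which Rails may route differently) with no cookie or token,
# so the checks reflect what an anonymous visitor receives.
fetch_headers() {
  curl -s -o /dev/null -D - "$1"
}

# Run both checks against a live instance; prints PASS/FAIL per check and
# returns non-zero if either fails.
check_instance() {
  base="${1%/}"
  rc=0
  api=$(fetch_headers "$base/api/v4/version")
  if has_frame_options "$api"; then echo "PASS: API sends X-Frame-Options"
  else echo "FAIL: API response lacks X-Frame-Options"; rc=1; fi
  ac=$(fetch_headers "$base/autocomplete/users.json")
  if denies_unauthenticated "$ac"; then echo "PASS: autocomplete requires auth"
  else echo "FAIL: autocomplete/users.json answered 200 anonymously"; rc=1; fi
  return $rc
}

# Only contact a server when the operator has pointed GITLAB_URL at one.
if [ -n "${GITLAB_URL:-}" ]; then
  check_instance "$GITLAB_URL"
fi
```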