--- layout: post title: "GitLab 9.3.8, 9.2.8, 9.1.8, 9.0.11, and 8.17.7 released" date: 2017-07-19 23:59 author: GitLab author_twitter: gitlab categories: releases tags: patch releases, releases --- Today we are releasing versions 9.3.8, 9.2.8, 9.1.8, 9.0.11, and 8.17.7 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain several security fixes, including an important security fixes for two authorization bypass vulnerabilities (post-authentication), protection against denial-of-service attacks in regular expressions, important security patches for Mattermost, and protections for exporting issues to Microsoft Excel via CSV files. We **strongly recommend** that all affected GitLab installations be upgraded to one of these versions **immediately**. Please read on for more details. ## Projects in subgroups authorization bypass with SQL wildcards (CVE-2017-11438) An internal code review disclosed that by choosing a namespace with underscores an authenticated user could take advantage of a badly written SQL query to add themselves to any project inside a subgroup with permissions of their choice. This vulnerability was caused by a SQL query that automatically adjusts project permissions but does not escape wildcards. This vulnerability was coincidentally patched when the affected code was rewritten for 9.3. Therefore, versions 9.3 and above are not vulnerable. [33323] This issue has been assigned [CVE-2017-11438]. Note: GitLab-CE+EE 8.17 is not vulnerable to this issue, however patches have been included to improve the security of the SQL queries in 8.17.7. [33323]: https://gitlab.com/gitlab-org/gitlab-ce/issues/33323 [CVE-2017-11438]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11438 ### Versions affected - GitLab CE+EE: 9.0.0 through 9.0.10 - GitLab CE+EE: 9.1.0 through 9.1.7 - GitLab CE+EE: 9.2.0 through 9.2.7 ## Unauthorized repository access by using project mirrors and CI (GitLab EE only) (CVE-2017-11437) Peter Lloyd with [Cambridge Consultants] reported that the GitLab mirroring feature could be abused to steal copies of repositories from other users and possibly push docker images to other user's docker registries. To exploit this vulnerability an authenticated user would need to create a project mirror, invite another user, assign them as the mirror user, enable CI for the mirror, and modify the original repository. Because the CI scripts will then be executed as the mirror user the attacker can use the CI Token to fetch repositories belonging to the victim. GitLab now only allows users to assign themselves as the mirror user. [2905] This issue has been assigned [CVE-2017-11437]. [2905]: https://gitlab.com/gitlab-org/gitlab-ee/issues/2905 [CVE-2017-11437]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11437 [Cambridge Consultants]: http://www.cambridgeconsultants.com ### Versions affected - GitLab EE: 8.5.0-8.17.6 - GitLab EE: 9.0.0-9.0.10 - GitLab EE: 9.1.0-9.1.7 - GitLab EE: 9.2.0-9.2.7 - GitLab EE: 9.3.0-9.3.7 We **strongly recommend** that all installations running a version mentioned above be upgraded as soon as possible. ### Workarounds There are no workaround for these vulnerabilities. ## Other fixes in 9.3.8, 9.2.8, 9.1.8, 9.0.11, and 8.17.7 ### Symlink cleanup from a previous security release The [9.2.5 security release] contained a fix for a data corruption vulnerability involving file uploads. This fix utilized symlinks to migrate file uploads to a new directory. Due to a typo in the included migration a symlink was accidentally left behind after the migration finished. This symlink can cause problems with instance backups. A fix is included with these releases to remove the problematic symlink. [34056] Affected versions: GitLab CE+EE 9.0.10, 9.1.7, 9.2.5-9.2.7, 9.3.0-9.3.7 [34056]: https://gitlab.com/gitlab-org/gitlab-ce/issues/34056 [9.2.5 security release]: /2017/06/07/gitlab-9-dot-2-dot-5-security-release/ ### Accidental or malicious use of reserved names in group names could cause deletion of all snippet uploads The [9.2.5 security release] contained a fix for a data corruption vulnerability involving file uploads. After the release of 9.2.5 an internal code review determined that the recently introduced snippet file uploads feature was also vulnerable to file deletion. Snippet uploads have now been moved into the protected `system` namespace. [33359] Affected versions: GitLab CE+EE 9.3.0-9.3.7 [33359]: https://gitlab.com/gitlab-org/gitlab-ce/issues/33359 [9.2.5 security release]: /2017/06/07/gitlab-9-dot-2-dot-5-security-release/ ### Project name leak on todos page An internal code review discovered that forceful browsing could be utilized to disclose the names of private projects. [33303] Affected versions: GitLab CE+EE 8.10.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7 [33303]: https://gitlab.com/gitlab-org/gitlab-ce/issues/33303 ### Denial of Service via regular expressions in CI process [Lukas Svoboda] reported that regular expressions (regex) included with CI scripts could be utilized to perform a denial-of-service attack on GitLab instances. GitLab now uses the [re2 Regex library] to limit regex execution time. [24570] Affected versions: GitLab CE+EE 8.0.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7 [24570]: https://gitlab.com/gitlab-org/gitlab-ce/issues/24570 [re2 Regex library]: https://github.com/google/re2 [Lukas Svoboda]: https://github.com/lksv ### Issue title leakage when external issue tracker is enabled An internal code review determined that when an external issue tracker is configured it was possible to discover the titles of all issues in a given GitLab instance, including issues in private projects and confidential issues. [33679] Affected versions: GitLab CE+EE 8.14.0-8.17.6, 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7 [33679]: https://gitlab.com/gitlab-org/gitlab-ce/issues/33679 ### Mattermost security update GitLab Omnibus packages now include the latest versions of Mattermost, including the most recent security patches. Mattermost has not yet released details on the patched vulnerabilities but is encouraging all users to upgrade. These updates are only available for GitLab CE+EE 9.1, 9.2, and 9.3. [2576] Affected versions: All GitLab versions prior to 9.3.8, 9.2.8, and 9.1.8. [2576]: https://gitlab.com/gitlab-org/omnibus-gitlab/issues/2576 ### Client-side command execution in Microsoft Excel using issue exports (EE only) [Edio] via [HackerOne] reported that the export to CSV feature for project issues in GitLab EE could be abused to execute arbitrary commands on a victim's computer if the resulting CSV file were opened in Microsoft Excel. For this attack to work an attacker must have the ability to create or edit issues in a project and must trick a victim into exporting and opening the CSV file containing the malicious issue text in Microsoft Excel. All issue contents containing dangerous characters are now escaped upon export by prepending a single quote to each column. [30250] Affected versions: GitLab EE 9.0.0-9.0.10, 9.1.0-9.1.7, 9.2.0-9.2.7, 9.3.0-9.3.7 [30250]: https://gitlab.com/gitlab-org/gitlab-ce/issues/30250 [Edio]: https://twitter.com/EdOverflow [HackerOne]: https://hackerone.com/ ## Upgrade barometer These versions includes two small migrations to remove a leftover symlink and and move private snippet uploads to the `system` directory. These migrations should not require any downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a [`/etc/gitlab/skip-auto-migrations` file](http://doc.gitlab.com/omnibus/update/README.html). ## Updating To update, check out our [update page](/update). ## Enterprise Edition Interested in GitLab Enterprise Edition? Check out the [features exclusive to EE](/features/#enterprise). Access to GitLab Enterprise Edition is included with a [subscription](/pricing/). No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.