--- layout: post title: "GitLab 9.5.4, 9.4.6, and 9.3.11 released" date: 2017-09-07 author: Brian Neel author_twitter: b0bby_tables author_gitlab: briann categories: releases tags: patch releases, releases --- Today we are releasing versions 9.5.4, 9.4.6, and 9.3.11 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain several security fixes, including fixes for several persistent Cross-Site Scripting (XSS) vulnerabilities, a fix for a hard to exploit race condition in project uploads, a fix for a CSRF token leakage vulnerability, a fix for a bug that could allow deleted repositories to be left on disk and copied by a user that knew their full path, some important Mattermost updates, a fix for a critical vulnerability in the Nokogiri library, a fix for a vulnerability that could allow the disclosure of private SSL certificates in Pages sites, and several more. We recommend that all GitLab installations be upgraded to one of these versions. Please read on for more details. ## Cross-Site Scripting (XSS) vulnerability in profile names An external security audit performed by [Madison Gurkha] disclosed a Cross-Site Scripting (XSS) vulnerability in user names that could be exploited in several locations. [#36979], [#37344] [#36979]: https://gitlab.com/gitlab-org/gitlab-ce/issues/36979 [#37344]: https://gitlab.com/gitlab-org/gitlab-ce/issues/37344 [Madison Gurkha]: https://www.madison-gurkha.com/ ## Open Redirect in go-get middleware [Tim Goddard] via [HackerOne] reported that GitLab was vulnerable to an open redirect vulnerability caused when a specific flag is passed to the `go-get` middleware. This vulnerability could also _possibly_ be used to conduct Cross-Site Scripting attacks. [#31508] [#31508]: https://gitlab.com/gitlab-org/gitlab-ce/issues/31508 [HackerOne]: https://www.hackerone.com/ [Tim Goddard]: https://www.insomniasec.com/ ## Race condition in project uploads [Jobert Abma] from [HackerOne] reported that GitLab was vulnerable to a race condition in project uploads. While very difficult to exploit this race condition could _potentially_ allow an attacker to overwrite a victim's uploaded project if the attacker can guess the name of the uploaded file before it is extracted. [#29652] [#29652]: https://gitlab.com/gitlab-org/gitlab-ce/issues/29652 [Jobert Abma]: https://twitter.com/jobertabma ## Cross-Site Request Forgery (CSRF) token leakage [naure] via [HackerOne] reported that GitLab was vulnerable to CSRF token leakage via improper filtering of external URLs in relative URL creation. A specially crafted link configured in a project's environments settings could be used to steal a visiting user's CSRF token. [#31045] [#31045]: https://gitlab.com/gitlab-org/gitlab-ce/issues/31045 [naure]: https://twitter.com/aurelcode ## Potential project disclosure via project deletion bug An internal code review discovered that removed projects were not always being deleted from the file system. This could allow an attacker who knew the full path to a previously deleted project to steal a copy of the repository. These releases prevent the leftover repository from being accessed when creating a new project. The project deletion bug will be fixed in a later release. [#36743] [#36743]: https://gitlab.com/gitlab-org/gitlab-ce/issues/36743 ## Mattermost updates Mattermost has recently released important security fixes for the Mattermost versions included with GitLab CE+EE Omnibus packages. Details will be made available on [Mattermost's website](https://about.mattermost.com/security-updates/) according to their responsible disclosure policy. ## White-listed style attribute for table contents in MD enables UI redressing An external security audit performed by [Recurity-Labs] discovered a UI redressing vulnerability in the GitLab markdown sanitization library. [#36098] [#36098]: https://gitlab.com/gitlab-org/gitlab-ce/issues/36098 [Recurity-Labs]: http://www.recurity-labs.com/ ## DOM clobbering in sanitized MD causes errors An external security audit performed by [Recurity-Labs] discovered a DOM clobbering vulnerability in the GitLab markdown sanitization library that could be used to render project pages unreadable. [#36104] [#36104]: https://gitlab.com/gitlab-org/gitlab-ce/issues/36104 ## Nokogiri vendored libxslt library vulnerable to potential integer overflow (CVE-2017-5029 and CVE-2016-4738) The bundled Nokogiri library has been updated to patch an integer overflow vulnerability. Details are available in the [Nokogiri issue]. [#29992] [#29992]: https://gitlab.com/gitlab-org/gitlab-ce/issues/29992 [Nokogiri issue]: https://github.com/sparklemotion/nokogiri/issues/1634 ## Security risk in recommended Geo configuration could give all users access to all repositories An internal code review discovered that GitLab Geo instances could be vulnerable to an attack that would allow any user on the primary Geo instance to clone any repository on a secondary Geo instance. [#3271] [#3271]: https://gitlab.com/gitlab-org/gitlab-ee/issues/3271 ## GitLab Pages private certificate disclosure via symlinks An external security review conducted by [Recurity-Labs] discovered a vulnerability in GitLab Pages that could be used to disclose the contents of private SSL keys. [#75] [#75]: https://gitlab.com/gitlab-org/gitlab-pages/issues/75 ### Versions affected Cross-Site Scripting (XSS) vulnerability in profile names: - GitLab CE+EE 9.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 Open Redirect in go-get middleware - GitLab CE+EE 9.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 Race condition in project uploads - GitLab CE+EE 8.10.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 CSRF token leakage - GitLab CE+EE 9.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 Copying of undeleted repositories - GitLab CE+EE 9.1.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 White-listed style attribute for table contents in MD enables UI redressing - GitLab CE+EE 8.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 DOM clobbering in sanitized MD causes errors - GitLab CE+EE 8.3.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 Nokogiri vendored libxslt library vulnerable to potential integer overflow - GitLab CE+EE 1.0.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 Security risk in recommended Geo secondary configuration could give all users access to all repositories - GitLab EE 8.6.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 GitLab Pages private certificate disclosure via Symlinks - GitLab CE+EE 8.6.0-9.3.10, 9.4.0-9.4.5, 9.5.0-9.5.3 We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities. ## Upgrade barometer These versions do not include any migrations and will not require downtime. Please be aware that by default the Omnibus packages will stop, run migrations, and start again, no matter how “big” or “small” the upgrade is. This behavior can be changed by adding a [/etc/gitlab/skip-auto-migrations file](http://doc.gitlab.com/omnibus/update/README.html). ## Updating To update, check out our [update page](/update). ## Enterprise Edition Interested in GitLab Enterprise Edition? Check out the [features exclusive to EE](/features/#enterprise). Access to GitLab Enterprise Edition is included with a [subscription](/pricing/). No time to upgrade GitLab yourself? Subscribers receive upgrade and installation services.