GitLab 9.1.3, 9.0.7, and 8.17.6 Released

A lot of security patches, so take time to backup and upgrade! All the code is up-to-date, of course. :slight_smile:

Mattermost vulnerability:

  • GitLab CE+EE Omnibus (with Mattermost enabled) 7.14-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Update mysql to 5.5.56 for CVE-2017-3305:

  • GitLab CE+EE Omnibus (with MySQL enabled) All versions up to and including 8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Cross-Site Scripting (XSS) vulnerability in mirror errors display:

  • GitLab EE 9.0.0-9.0.6, 9.1.0-9.1.2

Cross-Site Scripting (XSS) vulnerability in project import via GitLab export (file names):

  • GitLab CE+EE 8.3.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Cross-Site Scripting (XSS) vulnerability in repository “new branch” view:

  • GitLab CE+EE 8.13.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Persistent XSS in git submodule support:

  • GitLab CE+EE 6.6.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Potential XSS vulnerability in DropLab:

  • GitLab CE+EE 9.1.0-9.1.2

Subgroup visibility for private subgroups under a public parent group:

  • GitLab CE+EE 9.0.0-9.0.6, 9.1.0-9.1.2

Tab Nabbing vulnerabilities in markdown link filter, Asciidoc files, and other markup files:

  • AsciiDoctor: GitLab CE+EE 7.12.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
  • Markdown links: GitLab CE+EE 8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

Unauthorized disclosure of wiki pages in search:

  • GitLab CE+EE 8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

External Users can view internal snippets:

  • GitLab CE+EE 7.4.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2

We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
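To turn the version ranges above into a quick triage check, here is an added example (not GitLab's own code) that parses the inclusive ranges exactly as listed in this post and reports which advisories cover a given GitLab version. It assumes the advisory names and the "0.0.0" floor for the "all versions up to and including 8.17.5" MySQL entry; it does not know your edition or whether Mattermost/MySQL are enabled, so treat its output as an upper bound.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Parse '9.1.2' into (9, 1, 2); pad short forms such as '7.14' with zeros."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def parse_ranges(spec: str) -> List[Tuple[Version, Version]]:
    """Parse the advisory's 'a-b, c-d' notation into inclusive (low, high) pairs."""
    ranges = []
    for chunk in spec.replace(" ", "").split(","):
        low, high = chunk.split("-")
        ranges.append((parse_version(low), parse_version(high)))
    return ranges

# Affected ranges copied from the advisory text above (CE+EE unless noted).
# "All versions up to and including 8.17.5" is encoded with a 0.0.0 floor (assumption).
ADVISORIES: Dict[str, str] = {
    "Mattermost (Omnibus, if enabled)": "7.14-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "MySQL CVE-2017-3305 (Omnibus, if enabled)": "0.0.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "XSS in mirror errors display (EE only)": "9.0.0-9.0.6, 9.1.0-9.1.2",
    "XSS in project import file names": "8.3.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "XSS in new branch view": "8.13.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "Persistent XSS in git submodule support": "6.6.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "XSS in DropLab": "9.1.0-9.1.2",
    "Private subgroup visibility": "9.0.0-9.0.6, 9.1.0-9.1.2",
    "Tab nabbing (AsciiDoctor)": "7.12.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "Tab nabbing (Markdown links)": "8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "Wiki pages disclosed in search": "8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
    "Internal snippets visible to external users": "7.4.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2",
}

def affected_advisories(version: str) -> List[str]:
    """Return the names of advisories whose inclusive ranges contain `version`."""
    v = parse_version(version)
    return [name for name, spec in ADVISORIES.items()
            if any(lo <= v <= hi for lo, hi in parse_ranges(spec))]

if __name__ == "__main__":
    for v in ("8.2.0", "8.17.5", "9.0.7", "9.1.3"):
        print(v, "->", affected_advisories(v) or "not listed as affected")
```

The fixed releases named in the title (9.1.3, 9.0.7, 8.17.6) fall outside every range and return an empty list, while any 9.1.0-9.1.2 install matches all twelve entries.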

CE/EE: Fixed search terms highlight. (!11198)
CE/EE: Fixed bug where merge request JSON would be displayed. (!11096)
CE/EE: Handle incoming emails from aliases correctly. (!11079)
CE/EE: Sort the network graph both by commit date and topographically. (!11057)
CE/EE: Handle failures for incoming emails. (!11014/!1810)
CE/EE: Fix error on CI/CD Settings page related to invalid pipeline trigger. (!10948)
CE/EE: Fix cross referencing for private and internal projects. (!11243)
CE/EE: Add missing project attributes to Import/Export. (!10880)