https://about.gitlab.com/2017/05/08/gitlab-9-dot-1-dot-3-security-release/
A lot of security patches, so take time to back up and upgrade! All the code is up to date, of course.
Mattermost vulnerability:
- GitLab CE+EE Omnibus (with Mattermost enabled) 7.14-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Update mysql to 5.5.56 for CVE-2017-3305:
- GitLab CE+EE Omnibus (with MySQL enabled) All versions up to and including 8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Cross-Site Scripting (XSS) vulnerability in mirror errors display:
- GitLab EE 9.0.0-9.0.6, 9.1.0-9.1.2
Cross-Site Scripting (XSS) vulnerability in project import via GitLab export (file names):
- GitLab CE+EE 8.3.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Cross-Site Scripting (XSS) vulnerability in repository “new branch” view:
- GitLab CE+EE 8.13.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Persistent XSS in git submodule support:
- GitLab CE+EE 6.6.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Potential XSS vulnerability in DropLab:
- GitLab CE+EE 9.1.0-9.1.2
Subgroup visibility for private subgroups under a public parent group:
- GitLab CE+EE 9.0.0-9.0.6, 9.1.0-9.1.2
Tab Nabbing vulnerabilities in markdown link filter, AsciiDoc files, and other markup files:
- AsciiDoctor: GitLab CE+EE 7.12.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
- Markdown links: GitLab CE+EE 8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
Unauthorized disclosure of wiki pages in search:
- GitLab CE+EE 8.14.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
External Users can view internal snippets:
- GitLab CE+EE 7.4.0-8.17.5, 9.0.0-9.0.6, 9.1.0-9.1.2
We recommend that all installations running a version mentioned above be upgraded as soon as possible. No workarounds are available for these vulnerabilities.
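To turn the version list above into a quick check, here is an added Python script (written for this summary, not GitLab's own tooling) that encodes each advisory's affected ranges and reports which ones apply to a given installed version and edition. The advisory labels and ranges are taken from the list above; the conditions "Omnibus with Mattermost enabled" and "Omnibus with MySQL enabled" are carried in the label only, so an installation without those components should disregard those two entries. Version strings used in the demo at the bottom are constructed sample input.

```python
"""Check an installed GitLab version against the affected ranges listed in the
GitLab 9.1.3 / 9.0.7 / 8.17.6 security release summary.

Added example for this page; not GitLab's own code.
"""

from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, ...]
# (lowest affected version or None for "all earlier versions", highest affected
# version); both bounds are inclusive, matching the advisory wording.
Range = Tuple[Optional[str], str]

# The two later branches are shared by almost every entry in the list.
LATER_BRANCHES: List[Range] = [("9.0.0", "9.0.6"), ("9.1.0", "9.1.2")]

ADVISORIES: Dict[str, Dict[str, object]] = {
    "Mattermost vulnerability (Omnibus, Mattermost enabled)":
        {"editions": {"CE", "EE"}, "ranges": [("7.14", "8.17.5")] + LATER_BRANCHES},
    "Update MySQL to 5.5.56 for CVE-2017-3305 (Omnibus, MySQL enabled)":
        {"editions": {"CE", "EE"}, "ranges": [(None, "8.17.5")] + LATER_BRANCHES},
    "XSS in mirror errors display":
        {"editions": {"EE"}, "ranges": LATER_BRANCHES},
    "XSS in project import via GitLab export (file names)":
        {"editions": {"CE", "EE"}, "ranges": [("8.3.0", "8.17.5")] + LATER_BRANCHES},
    "XSS in repository 'new branch' view":
        {"editions": {"CE", "EE"}, "ranges": [("8.13.0", "8.17.5")] + LATER_BRANCHES},
    "Persistent XSS in git submodule support":
        {"editions": {"CE", "EE"}, "ranges": [("6.6.0", "8.17.5")] + LATER_BRANCHES},
    "Potential XSS in DropLab":
        {"editions": {"CE", "EE"}, "ranges": [("9.1.0", "9.1.2")]},
    "Subgroup visibility for private subgroups under a public parent group":
        {"editions": {"CE", "EE"}, "ranges": LATER_BRANCHES},
    "Tab nabbing in AsciiDoctor files":
        {"editions": {"CE", "EE"}, "ranges": [("7.12.0", "8.17.5")] + LATER_BRANCHES},
    "Tab nabbing in Markdown links":
        {"editions": {"CE", "EE"}, "ranges": [("8.14.0", "8.17.5")] + LATER_BRANCHES},
    "Unauthorized disclosure of wiki pages in search":
        {"editions": {"CE", "EE"}, "ranges": [("8.14.0", "8.17.5")] + LATER_BRANCHES},
    "External users can view internal snippets":
        {"editions": {"CE", "EE"}, "ranges": [("7.4.0", "8.17.5")] + LATER_BRANCHES},
}


def parse_version(text: str) -> Version:
    """Turn '9.1.2' into (9, 1, 2); tuples compare component-wise."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, rng: Range) -> bool:
    """Inclusive range test; a None lower bound means every earlier release."""
    low, high = rng
    if low is not None and version < parse_version(low):
        return False
    return version <= parse_version(high)


def affected_advisories(version: str, edition: str = "CE") -> List[str]:
    """Return the labels of all advisories that apply to this version/edition."""
    edition = edition.upper()
    if edition not in {"CE", "EE"}:
        raise ValueError("edition must be 'CE' or 'EE'")
    v = parse_version(version)
    return [
        name
        for name, adv in ADVISORIES.items()
        if edition in adv["editions"]  # type: ignore[operator]
        and any(in_range(v, r) for r in adv["ranges"])  # type: ignore[union-attr]
    ]


def is_patched(version: str, edition: str = "CE") -> bool:
    """True when no advisory from this release applies to the given version."""
    return not affected_advisories(version, edition)


if __name__ == "__main__":
    # Constructed sample versions for demonstration only.
    for ver, ed in [("9.1.2", "EE"), ("8.17.6", "CE"), ("6.5.0", "CE")]:
        hits = affected_advisories(ver, ed)
        status = "patched" if not hits else f"{len(hits)} open advisories"
        print(f"GitLab {ed} {ver}: {status}")
        for name in hits:
            print(f"  - {name}")
```

Run it with the version reported by your instance (for example from the admin area or `gitlab-rake gitlab:env:info`); an empty result for the edition you run means the release has already been applied, and anything else is the upgrade list from the post above.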