Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of Bitnami Gitlab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of un-sanitized user input being passed to an internal function that expects only trusted data. This code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.

Workarounds

If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

Securing via web server configuration

• Add the following text at the end of the httpd-app.conf file of Gitlab

     RewriteEngine On

     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]

     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]

     RewriteRule ^(.*)$ - [F,L]

• Restart Apache

           sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

• Create a patch file at /opt/bitnami/apps/gitlab/htdocs
• Apply the patch below

     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb

     index e42d5af..2c9412b 100644

     --- a/app/finders/issuable_finder.rb

     +++ b/app/finders/issuable_finder.rb

     @@ -7,7 +7,7 @@

      #   current_user - which user use

      #   params:

      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'

     -#     state: 'open' or 'closed' or 'all'

     +#     state: 'opened' or 'closed' or 'all'

      #     group_id: integer 

      #     project_id: integer

      #     milestone_title: string

     @@ -183,10 +183,13 @@ class IssuableFinder

          end

          def by_state(items)

     -      params[:state] ||= 'all'

     -

     -      if items.respond_to?(params[:state])

     -        items.public_send(params[:state])

     +      case params[:state].to_s

     +      when 'closed'

     +        items.closed

     +      when 'merged'

     +        items.respond_to?(:merged) ? items.merged : items.closed

     +      when 'opened'

     +        items.opened

            else

              items

            end

Verifying the workaround

• Open your GitLab project
• Open the project's issue tracker
• Choose the "closed" tab
• Adjust the "state" field in your browser's address bar to "deleteme"
• Verify you receive a 403 Forbidden error

Note: If you only applied the patch you will receive no errors here.

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.