Tuesday, December 6, 2016

Security Release: GitLab 8.14.3 (CVE-2016-9469)

The GitLab project released a new update that contains an important security fix for a critical denial-of-service and data corruption vulnerability, and we strongly recommend that all affected GitLab installations be upgraded to the latest version immediately.

We released new versions of Bitnami Gitlab 8.14.3 installers, virtual machines and cloud images that fix this security issue. Further details regarding the security issue are explained below:

Denial-of-Service and Data Corruption Vulnerability in Issue and Merge Request Trackers

This issue is the result of unsanitized user input being passed to an internal function that expects only trusted data. The affected code was introduced in GitLab 8.13.0.

More information about the issue can be found in the official blog post.

Workarounds


If you're unable to upgrade right away, you can secure your GitLab installation against this vulnerability using one of the workarounds outlined below until you have time to upgrade.

Securing via web server configuration

  • Add the following lines at the end of GitLab's httpd-app.conf file
     RewriteEngine On
     RewriteCond %{QUERY_STRING} ^.*(state=destroy).* [NC,OR]
     RewriteCond %{QUERY_STRING} ^.*(state=delete).* [NC]
     RewriteRule ^(.*)$ - [F,L]

  • Restart Apache
     sudo /opt/bitnami/ctlscript.sh restart apache

Securing via patch

  • Save the patch below to a file in /opt/bitnami/apps/gitlab/htdocs
  • Apply the patch from that directory
     diff --git a/app/finders/issuable_finder.rb                          b/app/finders/issuable_finder.rb
     index e42d5af..2c9412b 100644
     --- a/app/finders/issuable_finder.rb
     +++ b/app/finders/issuable_finder.rb
     @@ -7,7 +7,7 @@
      #   current_user - which user use
      #   params:
      #     scope: 'created-by-me' or 'assigned-to-me' or 'all'
     -#     state: 'open' or 'closed' or 'all'
     +#     state: 'opened' or 'closed' or 'all'
      #     group_id: integer 
      #     project_id: integer
      #     milestone_title: string
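Review bot: documenting 'opened' instead of 'open' matches what by_state accepts, but the comment still omits 'merged', which the by_state change below also handles for merge requests; listing all four accepted values ('opened', 'closed', 'merged', 'all') and noting that anything else returns the unfiltered set would keep this comment in step with the code.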
     @@ -183,10 +183,13 @@ class IssuableFinder
          end
          def by_state(items)
     -      params[:state] ||= 'all'
     -
     -      if items.respond_to?(params[:state])
     -        items.public_send(params[:state])
     +      case params[:state].to_s
     +      when 'closed'
     +        items.closed
     +      when 'merged'
     +        items.respond_to?(:merged) ? items.merged : items.closed
     +      when 'opened'
     +        items.opened
            else
              items
            end
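Review bot: the hunk header announces 10 old and 13 new lines, but only 9 and 12 are shown, so the trailing context line is missing from the patch as quoted here and `patch` will reject the hunk as malformed; take the complete hunk from the upstream commit rather than from this page. On the logic itself, replacing `items.public_send(params[:state])` with an explicit `case params[:state].to_s` is the right fix: the old code invoked whatever public method of the relation was named in the query string, guarded only by `respond_to?`, whereas the new code maps exactly three allowed values to their scopes and falls through to the unfiltered relation for anything else, including a missing value now that the `params[:state] ||= 'all'` default is gone.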

Verifying the workaround

  • Open your GitLab project
  • Open the project's issue tracker
  • Choose the "closed" tab
  • In your browser's address bar, change the value of the "state" query parameter to "deleteme"
  • Verify you receive a 403 Forbidden error
Note: if you applied only the patch and not the web server rule, you will not receive a 403 here; the patched code simply ignores the unrecognized state value.
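As an added example (not Bitnami's or GitLab's code), this Ruby script models both workaround layers with a hypothetical IssueRelation stand-in and constructed issue data: the Apache query-string rule that answers the "deleteme" verification request with 403, and the patched by_state allowlist that ignores any value it does not recognise.

```ruby
require 'cgi'

# Layer 1: the Apache workaround. The RewriteCond regexes match the raw query
# string case-insensitively (NC), so any query containing "state=destroy" or
# "state=delete" as a substring is answered with 403 Forbidden.
BLOCKED_QUERY = /state=(destroy|delete)/i

def apache_rule_blocks?(query_string)
  BLOCKED_QUERY.match?(query_string)
end

# Hypothetical stand-in for the issues relation: it exposes only the filters
# the finder may call. The real relation has many more public methods, which
# is why dispatching on user input with public_send was unsafe.
class IssueRelation
  def initialize(issues); @issues = issues; end
  def opened; where_state('opened'); end
  def closed; where_state('closed'); end
  def size; @issues.size; end

  private

  def where_state(state)
    IssueRelation.new(@issues.select { |i| i[:state] == state })
  end
end

# Layer 2: the patched by_state. The user-supplied value is compared only
# against an explicit allowlist; anything else leaves the relation unfiltered.
def by_state(items, state)
  case state.to_s
  when 'closed' then items.closed
  when 'merged' then items.respond_to?(:merged) ? items.merged : items.closed
  when 'opened' then items.opened
  else items
  end
end

# Constructed sample data: two opened issues and one closed issue.
ISSUES = IssueRelation.new([{ id: 1, state: 'opened' },
                            { id: 2, state: 'closed' },
                            { id: 3, state: 'opened' }])

# Both layers together: :forbidden when the Apache rule fires, otherwise the
# number of issues the patched finder returns for that query string.
def handle(query_string)
  return :forbidden if apache_rule_blocks?(query_string)
  state = CGI.parse(query_string)['state'].first
  by_state(ISSUES, state).size
end
```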

Do you have questions about Bitnami GitLab or the security issue? Please post to our community forum and we will be happy to help you.