Wednesday, March 21, 2018

Security Release: GitLab 10.5.6

The GitLab project has released a new update that contains several important security fixes. We recommend that all GitLab installations be upgraded immediately to the new version of GitLab (GitLab 10.5.6). 

Although the new version is publicly available now, the vulnerability details will not be made public on the GitLab’s issue tracker for approximately 30 days. We recommend to stay tuned for any detail the GitLab team publishes during that time. The disclosed information is the following one:

  • SSRF in services and web hooks (CVE-2018-8801): There were multiple server-side request forgery issues in the Services feature. An attacker could make requests to servers within the same network of the GitLab instance. This could lead to information disclosure, authentication bypass, or potentially code execution.
  • Gitlab Auth0 integration issue: There was an issue with the GitLab omniauth-auth0 configuration which resulted in the Auth0 integration signing in the wrong users.

Bitnami has released a new version of Bitnami GitLab 10.5.6 for both virtual machines and cloud images that fix those vulnerabilities. 

More information about these issues can be found in the official blog post. As the vulnerability details were not disclosed at the time of this blog's publishing, there is currently no available workaround for it. Therefore, if you are running a GitLab instance with a version prior to 10.5.6, you will need to upgrade GitLab to the latest version by following this documentation.

Do you have questions about Bitnami GitLab or these security issues? Please post them to our community forum. We will be happy to help you.