Jun 1, 2021 - Michael Henriksen

GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5

Learn more about GitLab Security Release: 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

Today we are releasing versions 13.12.2, 13.11.5, and 13.10.5 for GitLab Community Edition (CE) and Enterprise Edition (EE).

These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.

GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched.

We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more about best practices in securing your GitLab instance in our blog post.
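As an added illustration, not part of the original post or of GitLab's own tooling, the following Python classifies an instance's reported version against the three fixed versions announced in this release. The sample API responses are constructed; the `GET /api/v4/version` endpoint and its `version` field are assumed from GitLab's public API.

```python
import json
import re

# Fixed versions announced in this security release, keyed by minor branch.
FIXED_VERSIONS = {
    (13, 12): (13, 12, 2),
    (13, 11): (13, 11, 5),
    (13, 10): (13, 10, 5),
}


def parse_version(version: str) -> tuple:
    """Turn a GitLab version string such as '13.11.4-ee' into (13, 11, 4).
    The edition suffix (-ee/-ce) and any pre-release tag are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {version!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version: str) -> str:
    """Classify an instance against this release.
    Returns 'patched', 'vulnerable' or 'unsupported'."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        return "patched" if (major, minor, patch) >= FIXED_VERSIONS[branch] else "vulnerable"
    # Branches newer than 13.12 already carry these fixes.
    if branch > max(FIXED_VERSIONS):
        return "patched"
    # Branches older than 13.10 receive no security backports: upgrade.
    return "unsupported"


def status_from_version_api(body: str) -> str:
    """Apply patch_status() to the JSON body returned by GET /api/v4/version
    (assumed endpoint; it needs an authenticated token in practice)."""
    return patch_status(json.loads(body)["version"])


if __name__ == "__main__":
    # Constructed sample responses; these are not real instances.
    for body in ('{"version":"13.11.4-ee","revision":"constructed"}',
                 '{"version":"13.12.2-ee","revision":"constructed"}',
                 '{"version":"13.9.7-ce","revision":"constructed"}'):
        print(body, "->", status_from_version_api(body))
```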

Additional notes

In GitLab 13.10 the CI Lint API started requiring authentication for GitLab instances with sign-ups disabled. Starting with this release, the CI Lint API endpoint also requires authentication when sign-ups are restricted (for example, when an email domain allowlist is configured).

This version also includes a data migration to fix some records with incorrect data that caused 2FA not to be enforced for some users even though they are members of groups that require it. The root cause of the issue was already fixed, but some records created before the fix need to be corrected. The migration is a background migration that will be scheduled in batches of 10,000 users at two-minute intervals.

Table of Fixes

| Title | Severity |
|---|---|
| Stealing GitLab OAuth access token using XSLeaks in Safari | high |
| Denial of service through recursive triggered pipelines | high |
| Unauthenticated CI lint API may lead to information disclosure and SSRF | medium |
| Server-side DoS through rendering crafted Markdown documents | medium |
| Issue and merge request length limit is not being enforced | medium |
| Insufficient expired password validation | medium |
| XSS in blob viewer of notebooks | medium |
| Logging of sensitive information | medium |
| On-call rotation information exposed when removing members | low |
| Spoofing commit author of signed commits | low |

Stealing GitLab OAuth access token using XSLeaks in Safari

A cross-site leak vulnerability in the OAuth flow of all versions of GitLab CE/EE since 7.10 allowed an attacker to leak an OAuth access token by getting the victim to visit a malicious page with Safari. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, 8.8). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks to 哈布尔伯博布 for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Denial of service through recursive triggered pipelines

A denial of service vulnerability in GitLab CE/EE affecting all versions since 11.8 allowed an attacker to create a recursive pipeline relationship and exhaust resources. This is a high severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H, 7.7). It is now mitigated in the latest release and is assigned CVE-2021-22181.

This vulnerability was discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Unauthenticated CI lint API may lead to information disclosure and SSRF

A server-side request forgery vulnerability in GitLab CE/EE affecting all versions starting from 10.5 was possible when requests to the internal network are enabled, even on GitLab instances where sign-ups are disabled. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N, 6.8). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks to @myster for reporting this vulnerability through the HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Server-side DoS through rendering crafted Markdown documents

A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allowed an attacker to cause uncontrolled resource consumption with a specially crafted issue or merge request. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks to PHLI for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Issue and merge request length limit is not being enforced

A denial of service vulnerability in all versions of GitLab CE/EE before 13.12.2, 13.11.5 or 13.10.5 allowed an attacker to cause uncontrolled resource consumption with a very long issue or merge request description. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Insufficient expired password validation

An issue has been discovered in GitLab affecting all versions starting from 12.9.0 before 13.10.5, all versions starting from 13.11.0 before 13.11.5, and all versions starting from 13.12 before 13.12.2. Insufficient expired password validation in various operations allowed a user to maintain limited access after their password had expired. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, 6.5). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

XSS in blob viewer of notebooks

An issue has been discovered in GitLab affecting all versions starting from 13.10. GitLab was vulnerable to a stored XSS in the blob viewer of notebooks. This is a medium severity issue (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, 6.1). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks to @yvvdwf (https://hackerone.com/yvvdwf) for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Logging of sensitive information

GitLab CE/EE since version 9.5 allowed a high privilege user to obtain sensitive information from log files because the sensitive information was not correctly registered for log masking. This is a medium severity issue (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by GitLab team member https://gitlab.com/dcuture.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

On-call rotation information exposed when removing members

An information disclosure vulnerability in GitLab EE versions 13.11 and later allowed a project owner to leak information about members' on-call rotations in other projects. This is a low severity issue (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N, 2.7). We have requested a CVE ID and will update this blog post when it is assigned.

This vulnerability was discovered internally by the GitLab team.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Spoofing commit author of signed commits

All versions of GitLab CE/EE starting with 12.8 were affected by an issue in the handling of x509 certificates that could be used to spoof the author of signed commits. This is a low severity issue (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N, 2.6). We have requested a CVE ID and will update this blog post when it is assigned.

Thanks to 次曲线 for reporting this vulnerability through our HackerOne bug bounty program.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Enable qsh verification for Atlassian Connect

qsh verification has been enabled for Atlassian Connect to address a breaking change in the Atlassian Connect API.

If you use Jira Connect, you need to update to these latest security versions before June 7. If you are on GitLab.com, you do not need to do anything. For more details, see this GitLab issue.

Versions affected

Affects all versions of GitLab.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Update bindata dependency

The dependency on bindata has been upgraded to 2.4.10 in order to mitigate security concerns.

Versions affected

Affects versions 12.0 and later.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Update grafana dependency

The dependency on Grafana has been upgraded to 7.5.4 in order to mitigate security concerns.

Versions affected

Affects versions 13.11, 13.10 and 13.9.

Remediation

We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible.

Updating

To update GitLab, see the Update page. To update GitLab Runner, see the Updating the Runner page.

Receive Security Release Notifications

To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.
