
GitLab Security Release 17.2.1, 17.1.3, 17.0.5
Closed, Resolved | Public | Security

Description

Blog post: https://about.gitlab.com/releases/2024/07/24/patch-release-gitlab-17-2-1-released/

Includes the following fixes:

  • XSS via the Maven Dependency Proxy (High)
  • Project level analytics settings leaked in DOM (Medium)
  • Reports can access and download job artifacts despite use of settings to prevent it (Medium)
  • Direct Transfer - Authorised project/group exports are accessible to other users (Medium)
  • Bypassing tag check and branch check through imports (Low)
  • Project Import/Export - Make project/group export files hidden to everyone except user who initiated it (Low)

docs
[version specific upgrade docs]()
[deprecations]()
[changelog]()

Test instance:

  • gitlab-prod-1002.devtools.eqiad1.wikimedia.cloud
  • gitlab-runner-1002.devtools.eqiad1.wikimedia.cloud no update needed
  • gitlab-runner-1003.devtools.eqiad1.wikimedia.cloud no update needed

Replicas:

  • gitlab1003.wikimedia.org (gitlab-replica-b)
  • gitlab1004.wikimedia.org

Production:

  • gitlab2002.wikimedia.org
  • Trusted runners no update needed
  • Shared runners no update needed
  • Cloud runners no update needed

Details

Risk Rating: Medium
Author Affiliation: WMF Technology Dept

Event Timeline

Dzahn updated the task description.
  • updated APT repo
[apt1002:~] $ sudo -i reprepro --component thirdparty/gitlab-bullseye checkupdate bullseye-wikimedia
Calculating packages to get...
Updates needed for 'bullseye-wikimedia|thirdparty/gitlab-bullseye|amd64':
'gitlab-ce': '17.0.4-ce.0' will be upgraded to '17.0.5-ce.0' (from 'thirdparty/gitlab-bullseye'):
 files needed: pool/thirdparty/gitlab-bullseye/g/gitlab-ce/gitlab-ce_17.0.5-ce.0_amd64.deb
[apt1002:~] $ sudo -i reprepro --component thirdparty/gitlab-bullseye update bullseye-wikimedia
Calculating packages to get...
Getting packages...
Installing (and possibly deleting) packages...
Exporting indices...
Deleting files no longer referenced...
Dzahn changed the task status from Open to In Progress. Jul 25 2024, 1:28 AM
  • upgraded test instance
  • first ran out of disk space again, did another apt-get clean, and rm /var/log/syslog.2*.gz and rm /var/log/messages.2*.gz to get space, repeated the apt-get upgrade, still not enough disk, deleted more log files ... until eventually:
Unpacking gitlab-ce (17.0.5-ce.0) over (17.0.4-ce.0) ...
..

Upgrade complete!

https://gitlab.devtools.wmcloud.org/explore is up
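The two comments above show the upgrade path used here: reprepro pulls the new gitlab-ce package into the internal APT repo, and each host is then upgraded with apt-get, which on the test instance repeatedly failed for lack of disk space. The following is an added example, not code from this task or from GitLab: a POSIX shell pre-flight check that a host operator could run before apt-get upgrade. It reports whether the installed gitlab-ce version is below the patched release for its 17.x series (17.2.1, 17.1.3 or 17.0.5, taken from the task title) and refuses to proceed when /var has less free space than a threshold. The 4 GiB threshold, the script name preflight.sh and the dpkg-style version strings in the comments are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the task): pre-flight check before "apt-get upgrade"
# of gitlab-ce on one of the hosts listed in the ticket.
# Assumptions: Debian package versions look like "17.0.4-ce.0"; the 4 GiB
# free-space threshold is a made-up number, not a GitLab requirement.

# Patched release for each series covered by this advisory (from the title).
patched_for_series() {
  case "$1" in
    17.2) echo 17.2.1 ;;
    17.1) echo 17.1.3 ;;
    17.0) echo 17.0.5 ;;
    *)    return 1 ;;
  esac
}

# Strip the Debian revision ("-ce.0") and return the upstream X.Y.Z part.
upstream_version() {
  printf '%s\n' "${1%%-*}"
}

# Return 0 when version $1 >= version $2 (numeric dotted versions, 3 parts).
version_ge() {
  a="$(upstream_version "$1")"; b="$(upstream_version "$2")"
  oldifs=$IFS; IFS=.
  set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
  set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
  IFS=$oldifs
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# Print "ok" when the installed version ($1) is already patched, otherwise
# "upgrade to <target>"; unknown series (e.g. 16.x) return status 2.
upgrade_status() {
  inst="$(upstream_version "$1")"
  series="${inst%.*}"
  target="$(patched_for_series "$series")" || { echo "unknown series $series"; return 2; }
  if version_ge "$inst" "$target"; then echo ok; else echo "upgrade to $target"; fi
}

# Return 0 when $1 (free KiB) is at least $2 (required KiB).
enough_space() {
  [ "$1" -ge "$2" ]
}

# Free KiB on the filesystem holding $1 (default /var, where the apt cache
# and the rotated logs that filled the test instance live).
avail_kb() {
  df -Pk "${1:-/var}" | awk 'NR==2 {print $4}'
}

# Usage (hypothetical script name): ./preflight.sh 17.0.4-ce.0
preflight() {
  status="$(upgrade_status "$1")"
  echo "gitlab-ce $1: $status"
  case "$status" in ok) return 0 ;; esac
  free="$(avail_kb /var)"
  if enough_space "$free" $((4 * 1024 * 1024)); then
    echo "free space on /var: ${free} KiB, proceed with apt-get upgrade"
  else
    echo "free space on /var: ${free} KiB, run apt-get clean / rotate logs first"
    return 1
  fi
}

if [ $# -gt 0 ]; then preflight "$1"; fi
```

The version comparison is written in plain shell rather than with dpkg --compare-versions so the check also runs on a workstation that has no dpkg; on the Debian hosts themselves the installed version can be fed in from dpkg-query -W -f '${Version}' gitlab-ce.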

LSobanski moved this task from Incoming to Work in Progress on the collaboration-services board.
Jelto updated the task description.
Jelto added a subscriber: eoghan.

All instances updated, thanks again @eoghan and @Dzahn for preparing the update on the other instances!

sbassett changed Author Affiliation from N/A to WMF Technology Dept. Aug 7 2024, 6:51 PM
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from N/A to Medium.