With its head in the clouds, GitLab goes for another security critical bug squashing session

Repository management provider GitLab has released versions 11.9.4, 11.8.6 and 11.7.10 of its platform to fix several serious security issues; updating is strongly recommended.

The most serious issue addressed in the new versions is an input validation flaw in the handling of regular expressions, which could be abused to mount a denial of service attack against GitLab CE/EE 8.0 and later.
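GitLab is a Ruby on Rails application, so the following added example (not GitLab's own code, and not the patched code path) illustrates the general shape of the bug class the advisory describes: a caller-supplied string compiled into a regular expression without validation, next to a hardened variant. The branch names, the filter functions and the length cap are constructed for this illustration and are assumptions, not details from the advisory.

```ruby
# Constructed sample data: branch names a filter endpoint might search.
BRANCHES = %w[main master release/1.0 feature/login-fix].freeze

# Upper bound on user-supplied pattern length (illustrative value, not GitLab's).
MAX_PATTERN_LENGTH = 100

# A classic catastrophic-backtracking pattern and an input that never matches it.
# On Rubies before 3.2 the match cost roughly doubles with every extra "a";
# Ruby 3.2 added memoisation and Regexp.timeout as engine-level mitigations.
EVIL_PATTERN = "(a+)+$"
EVIL_INPUT   = ("a" * 16) + "!"

# Vulnerable: whatever the client sends becomes the regex verbatim.
# Metacharacters and nested quantifiers go straight into the engine.
def unsafe_filter(names, user_pattern)
  re = Regexp.new(user_pattern)
  names.select { |n| re.match?(n) }
end

# Hardened: bound the input size and treat it as a literal search string,
# so "(a+)+$" can only ever match the text "(a+)+$" and backtracking is linear.
def safe_filter(names, user_pattern)
  if user_pattern.length > MAX_PATTERN_LENGTH
    raise ArgumentError, "pattern exceeds #{MAX_PATTERN_LENGTH} characters"
  end
  re = Regexp.new(Regexp.escape(user_pattern))
  names.select { |n| re.match?(n) }
end

# Demonstrates the asymmetry: the same attacker input is a pathological
# regex for the unsafe path and a harmless literal for the safe path.
def demo
  {
    unsafe_literal_search: unsafe_filter(BRANCHES, "ma.*"),        # regex semantics leak through
    safe_literal_search:   safe_filter(BRANCHES, "ma.*"),          # "." and "*" are literal, no match
    safe_exact_name:       safe_filter(BRANCHES, "release/1.0"),   # "." escaped, still finds the branch
    unsafe_evil_matches:   unsafe_filter([EVIL_INPUT], EVIL_PATTERN), # backtracks heavily, then []
    safe_evil_matches:     safe_filter([EVIL_INPUT], EVIL_PATTERN)    # literal compare, []
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

If an endpoint genuinely has to accept user-written regular expressions rather than literals, the length cap alone is not enough: keep it, and on Ruby 3.2 or later also compile with `Regexp.new(src, timeout: seconds)` (or set `Regexp.timeout` process-wide) so a pathological pattern raises `Regexp::TimeoutError` instead of pinning a worker.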

Following earlier authorization problems, three more have been found and fixed in the new release: one let project guests see related branches, one let attackers create projects under "any namespace on any GitLab instance on which they already hold credentials", and one gave guests access to private release details.

GitLab also fixed a persistent (stored) cross-site scripting bug on the merge request "resolve conflicts" page and a denial of service vector in the project languages endpoint. Full details of the mitigated vulnerabilities will be made public in about 30 days, as is usually the case at GitLab.

For those looking into serverless deployments, GitLab can now be used in concert with Zeit Now. This means that after an initial setup, Now can take care of building and deploying commits pushed to GitLab to its content delivery network.

Deployments made from a merge request can be tracked on that merge request's page, with every deployment getting its own URL. Once the request has been merged, it is automatically deployed to production and aliased to the production domain name.

Before Now can be used with a project, build and deployment information has to be provided in a now.json configuration file, and Zeit has to be authorised to access the GitLab account in question (a similar integration for GitHub is available as well).

Zeit Now is a commercial offering in which users pay for deployments, though a free tier for small-scale apps is available as well.