Repository management cum DevOps platform GitLab is now available in versions 12.5.4, 12.4.6, and 12.3.9 which should fix some critical security flaws. According to the GitLab team, updating “as soon as possible” is strongly recommended.
Amongst the vulnerabilities the releases remediate, there is again a parameter sanitisation issue when working with the Maven package registry. CVE-2019-19628 could lead to privilege escalation in GitLab EE 11.3 and later, allowing attackers to remotely execute code under certain conditions. Just two weeks ago, a similar issue was tackled in versions 12.5.1, 12.4.4, and 12.3.7.
Another issue affects all enterprise users who use a version newer than 10.5. A problem with the Group Search API that the Elasticsearch integration provides could lead to private code being exposed when transferred from a public project to a private group. The same integration was the source of trouble back in November, so these might have come up during further investigations of the vulnerabilities fixed back then.
To make sure flaws in earlier Git versions won’t affect GitLab users, the dependency has been upgraded to 2.22.2. It applies some security fixes that are meant to prevent arbitrary command execution which was possible in Git 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 and affected all versions of GitLab’s installer Omnibus.
Details on the vulnerabilities the new releases are meant to remediate will be made public on the company’s issue tracker in about 30 days time, as per usual.