The team behind repository management and all around DevOps-y product GitLab has released security patches for GitLab Community Edition (CE) and Enterprise Edition (EE), remediating vulnerabilities affecting versions as old as 5.1.
Since some of the issues can be quite severe, an immediate upgrade to version 12.6.2, 12.5.6, or 12.4.7 is strongly recommended for anyone who doesn’t automatically update their systems anyway.
The bug reaching the furthest back (CE/EE 5.1) is one that allows users to view the name of a private project through notification settings. Another way to get this information was through unsubscribe links, though this loophole has also been closed in the new releases. The team was also able to get rid of a parameter issue which led to interruptions in an application if certain GraphQL queries were submitted.
A more serious bug could be used to cause an internal server error when sending a special message while adding comments to either the Issue or Commit pages. Additional details on the bug will be released in about 30 days’ time under its assigned CVE-2019-20142.
GitLab will also publish information around then on the circumstances that allowed unauthenticated users to access a release’s milestones and issues, or modify group runners.
Once users are on one of the new versions, they won’t be able to submit and publish reviews for locked merge requests they had drafted before the lock, which was a possibility since version 11.4.
GitLab asks customers and community members who come across security vulnerabilities to report them via email or HackerOne. The company will then send regular updates about the progress of its remediation development.
Its responsible disclosure policy asks people to refrain from requesting compensation. However, GitLab has a bug bounty program, which promises rewards for the reporting of issues based on customer impact.