GitLab unveils new updates for Community and Enterprise Editions

GitLab has released new versions of GitLab Community Edition (CE) and Enterprise Edition (EE). Versions 16.8.2, 16.7.5, and 16.6.7 include important security fixes, and it is strongly recommended that all GitLab installations be upgraded to one of these versions immediately. GitLab.com has already been updated to the patched version.

GitLab follows a dedicated security release schedule to address vulnerabilities. There are two types of security releases: a monthly scheduled release, which occurs a week after the feature release on the 3rd Thursday of each month, and ad-hoc releases for critical vulnerabilities. For more information, you can visit GitLab’s security FAQ.

Details about each vulnerability are made public 30 days after the release in which they were patched and can be found on GitLab’s issue tracker.

GitLab is committed to maintaining the highest security standards for all aspects of the platform that interact with customers or host customer data. To ensure good security practice, it is highly recommended that all customers upgrade to the latest security release for their supported version. GitLab has published a blog post with best practices for securing your GitLab instance.

Action Recommended:
It is strongly advised that all installations running a version affected by the described issues upgrade to the latest version as soon as possible. This recommendation applies to all deployment types, including omnibus, source code, helm chart, etc.
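To make the "are we affected?" question answerable from a version string, here is an added example (not GitLab's own code). The patched versions 16.8.2, 16.7.5 and 16.6.7 are taken from the announcement above; the classification rules (below the patch level on a patched line = affected, an older minor line = upgrade to a patched line, a newer line = not covered by this announcement) and the JSON shape `{"version": ..., "revision": ...}` returned by GitLab's `GET /api/v4/version` endpoint are this example's own assumptions.

```python
"""Classify a GitLab version against the patched releases named above.

Added example, not code from GitLab. The patched versions come from the
announcement; the decision rules and the /api/v4/version JSON shape are
assumptions made here.
"""
import re

# Patched versions named in the release (minor line -> first fixed version).
PATCHED = {
    (16, 8): (16, 8, 2),
    (16, 7): (16, 7, 5),
    (16, 6): (16, 6, 7),
}
OLDEST_PATCHED_LINE = min(PATCHED)

_VERSION_RE = re.compile(r"\s*v?(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?\s*")


def parse_version(text):
    """Parse 'X.Y.Z', optionally with a suffix such as '-ee' or '-ce', into a tuple."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version_text):
    """Return (status, target) for a running version.

    status is one of:
      'patched'      - on a patched minor line, at or above the fixed version
      'affected'     - on a patched minor line, below the fixed version
      'older_line'   - on a minor line older than any patched here; no fix on
                       that line in this release, move to a patched line
      'not_covered'  - a newer line than this announcement describes
    target is the version to upgrade to, or None when nothing is recommended.
    """
    version = parse_version(version_text)
    line = version[:2]
    if line in PATCHED:
        fixed = PATCHED[line]
        return ("patched" if version >= fixed else "affected", fixed)
    if line < OLDEST_PATCHED_LINE:
        # Older minor lines got no patch here; the nearest patched line is the floor.
        return ("older_line", PATCHED[OLDEST_PATCHED_LINE])
    return ("not_covered", None)


def assess_api_response(payload):
    """Classify the JSON body of GET /api/v4/version (assumed shape: {'version': ..., 'revision': ...})."""
    return assess(payload["version"])


if __name__ == "__main__":
    # Constructed sample response; a real one would come from an authenticated API call.
    sample = {"version": "16.8.1-ee", "revision": "constructed-sample"}
    status, target = assess_api_response(sample)
    print(f"{sample['version']}: {status}, upgrade target {target}")
```

The regex accepts the `-ee` / `-ce` edition suffix GitLab appends to its version strings, and the classification is per minor line rather than a single global comparison, because each of the three lines has its own fixed version.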

Fixes include:
1. Restrict group access token creation for custom roles (Medium Severity)
2. Project maintainers can bypass group’s scan result policy block_branch_modification setting (Medium Severity)
3. ReDoS in CI/CD Pipeline Editor while verifying Pipeline syntax (Medium Severity)
4. Resource exhaustion using GraphQL vulnerabilitiesCountByDay (Medium Severity)

Each fix is described in detail, including the severity level and the vulnerability identifier (CVE) assigned to it. The vulnerabilities were either discovered internally by GitLab team members or reported through the HackerOne bug bounty program.

Additionally, GitLab has updated PostgreSQL to versions 14.10 and 13.13.

For those interested in updating or receiving security release notifications, GitLab provides resources and instructions on its website.

To stay up to date with the latest GitLab security releases, you can follow @gitlab on Twitter.