
GitLab Security Vulnerability - novaleaf
I just got this email from GitLab:

--------------------

We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.

On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. Please forward this alert to the appropriate person at your organization and have them subscribe to Security Notices.

The following versions are affected:

8.7.0
8.6.0 through 8.6.7
8.5.0 through 8.5.11
8.4.0 through 8.4.9
8.3.0 through 8.3.8
8.2.0 through 8.2.4
======
Someone1234
I like GitLab, I like the UI, and their product. But a lot of companies treat
GitLab like it's their own personal GitHub and just shove it onto an internet
accessible instance, and the only thing standing between their internal IP
being stolen and safe is developer account passwords and GitLab's code
quality.

This is why when I set up GitLab CE we set it up behind a VPN. Now an attacker
needs to compromise both the VPN and GitLab itself to get away with any
internal IP. It isn't unbeatable, but if you want developers to be able to
work remotely it is the least you should do.

------
jobvandervoort
GitLab VP here. We have a pre-assigned CVE id. I'm not sure whether I can
share that. I'll update this post with anything I can share.

We'll likely publish some public statement on this on our blog post before
Monday.

Edit: just to be clear. This is not a fake warning and we are releasing new
versions on Monday.

~~~
jobvandervoort
CVE number is: CVE-2016-4340

------
dewey
Here's the full email:
[https://news.ycombinator.com/item?id=11587390](https://news.ycombinator.com/item?id=11587390)

Looks like someone got his hands on a bunch of email addresses.

~~~
sytse
We at GitLab sent this email. This email does not indicate a leak of email
addresses.

------
fortytw2
This feels like a nice attempt to troll HN - no CVEs, no statements from
GitLab since ¯\\_(ツ)_/¯

~~~
sytse
This email is real, we wanted to give our users a heads-up we'll announce a
serious vulnerability.

------
sashk
Do I understand correctly that Gitlab 8.1.x and earlier is not vulnerable to
this issue?

------
joshmn
Me too.

"CEO of GitLab checking in" ... @sytse?

~~~
sytse
Thanks, see statement by our VP of Product in
[https://news.ycombinator.com/item?id=11587416](https://news.ycombinator.com/item?id=11587416)

