GitLab Security Vulnerability
12 points by novaleaf on Apr 27, 2016 | 10 comments
I just got this email from GitLab:
We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.

On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. Please forward this alert to the appropriate person at your organization and have them subscribe to Security Notices.

The following versions are affected:

8.7.0
8.6.0 through 8.6.7
8.5.0 through 8.5.11
8.4.0 through 8.4.9
8.3.0 through 8.3.8
8.2.0 through 8.2.4

I like GitLab, I like the UI, and their product. But a lot of companies treat GitLab like it's their own personal GitHub and just shove it onto an internet-accessible instance, and the only thing standing between their internal IP being stolen and safe is developer account passwords and GitLab's code quality.

This is why when I set up GitLab CE we set it up behind a VPN. Now an attacker needs to compromise both the VPN and GitLab itself to get away with any internal IP. It isn't unbeatable, but if you want developers to be able to work remotely it is the least you should do.

GitLab VP here. We have a pre-assigned CVE id. I'm not sure whether I can share that. I'll update this post with anything I can share.

We'll likely publish some public statement on this on our blog post before Monday.

Edit: just to be clear. This is not a fake warning and we are releasing new versions on Monday.

CVE number is: CVE-2016-4340

Here's the full email: https://news.ycombinator.com/item?id=11587390

Looks like someone got his hands on a bunch of email addresses.

We at GitLab sent this email. This email does not indicate a leak of email addresses.

This feels like a nice attempt to troll HN - no CVEs, no statements from GitLab since ¯\_(ツ)_/¯

This email is real, we wanted to give our users a heads-up we'll announce a serious vulnerability.

Do I understand correctly that GitLab 8.1.x and earlier is not vulnerable to this issue?

Me too.

"CEO of GitLab checking in" ... @syste?

Thanks, see statement by our VP of Product in https://news.ycombinator.com/item?id=11587416
