Today we are releasing versions 16.5.1, 16.4.2 and 16.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. You can see details in this security release blog post.

On October 20, we discovered an issue with the GitLab sidebar feature in self-managed GitLab versions 16.0.0 to 16.5.0. Due to a recent product update, every time a user accesses a page on a self-managed GitLab instance, the instance sends a version check to version.gitlab.com. This may have transmitted the hostname and current version of the instance to GitLab even where the GitLab administrator had disabled version check. More details about the data stored as part of GitLab version checks are available here.

While self-managed GitLab instance version data may have been transmitted to GitLab, this data can only be accessed by a limited set of GitLab team members and is being purged from our database.

Additionally, self-managed GitLab instances running versions 16.0.0 to 16.5.0 may have disclosed GitLab version information to unauthenticated users if administrators explicitly enabled the disabled-by-default super_sidebar_logged_out feature flag. If the super_sidebar_logged_out feature flag was left disabled (the default), version information would only have been discoverable by authenticated users. There is no additional version disclosure in that case, because authenticated users can already find the GitLab version by visiting the /help page.

Please forward this alert to the appropriate people at your organization and have them subscribe to Security Notices. You can also receive security release blog updates by subscribing to our security release RSS feed or our RSS feed for all GitLab releases.
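The following script is an added example for administrators who want to verify their own exposure; it is not GitLab's code and is not part of this notice. It checks, from the outside, whether a version string is visible on the sign-in page to an anonymous client, and, on the server, whether the super_sidebar_logged_out flag and the version check setting are enabled. Assumptions: a POSIX shell with curl, an Omnibus installation that provides the gitlab-rails command, and that the version is rendered as a plain dotted version number (the regular expression below is a guess at that rendering; adjust it if your instance renders the version differently). The hostname in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not GitLab's code). Assumes POSIX sh, curl, and, for the
# on-server checks, an Omnibus install with gitlab-rails on the PATH.

# Print the first GitLab-style version string (for example 16.4.1) found in
# HTML read from stdin, or print nothing. The pattern is an assumption about
# how the version is rendered in the page, not a documented format.
extract_gitlab_version() {
    grep -o -E '(^|[^0-9.])1[0-9]\.[0-9]+\.[0-9]+([^0-9.]|$)' \
        | sed -E 's/^[^0-9]*//; s/[^0-9]*$//' \
        | head -n 1
}

# Exit 0 if HTML on stdin exposes a version string, 1 otherwise.
html_exposes_version() {
    v=$(extract_gitlab_version)
    [ -n "$v" ]
}

# Outside check: fetch the sign-in page as an unauthenticated client and
# report whether a version string is present. gitlab.example.com is a
# placeholder for your own instance.
check_anonymous_exposure() {
    url="${1:?usage: check_anonymous_exposure https://gitlab.example.com}"
    if curl -sS -L "$url/users/sign_in" | html_exposes_version; then
        echo "version string visible to unauthenticated users at $url"
        return 0
    fi
    echo "no version string found on the $url sign-in page"
    return 1
}

# On-server check (run on the GitLab host): state of the feature flag named in
# the notice, and of the version check setting. Feature.enabled? is GitLab's
# feature-flag API; the version_check_enabled attribute name is taken from the
# application settings API and is an assumption to verify on your version.
check_server_settings() {
    sudo gitlab-rails runner \
        'puts "super_sidebar_logged_out=#{Feature.enabled?(:super_sidebar_logged_out)}"'
    sudo gitlab-rails runner \
        'puts "version_check_enabled=#{Gitlab::CurrentSettings.version_check_enabled}"'
}

# Only perform live checks when a URL is given, so the functions can be
# sourced or exercised offline without any network access.
if [ -n "${1-}" ]; then
    check_anonymous_exposure "$1"
fi
```

Run `sh check.sh https://your-instance` from any machine to test the unauthenticated view, and call `check_server_settings` on the GitLab host itself. Note that the regex match is a heuristic: a version-like number elsewhere in the page would also match, so treat a hit as a prompt to look at the page rather than as proof on its own.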
GitLab releases patches for vulnerabilities in two types of dedicated security releases: a monthly security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ.

Sincerely,
GitLab, 268 Bush Street, #350, San Francisco, CA 94104, USA