GitLab Security Vunerability
I just got this email from GitLab:
--------------------
We have discovered a critical security issue in all GitLab CE and EE versions from 8.2 to 8.7.
On Monday May 2, 2016 at 4:59pm PDT (23:59 GMT), we will publish new GitLab patch releases for all affected versions. We strongly recommend that all installations running a version mentioned above be upgraded as soon as possible after the release. Please forward this alert to the appropriate person at your organization and have them subscribe to Security Notices
The following versions are affected:
8.7.0 8.6.0 through 8.6.7 8.5.0 through 8.5.11 8.4.0 through 8.4.9 8.3.0 through 8.3.8 8.2.0 through 8.2.4
10 comments
[ 3.5 ms ] story [ 37.1 ms ] thread"CEO of GitLab checking in" ... @syste?
This is why when I set up GitLab CE we set it up behind a VPN. Now an attacker needs to compromise both the VPN and GitLab itself to get away with any internal IP. It isn't unbeatable, but if you want developers to be able to work remotely it is the least you should do.
Looks like someone got his hands on a bunch of email addresses.
We'll likely publish some public statement on this on our blog post before Monday.
Edit: just to be clear. This is not a fake warning and we are releasing new versions on Monday.