Security Release 9.2.5, 9.1.7, and 9.0.10
Be sure to follow the Security Releases guide.
Security issues
- #28917 (closed) Create group called 'project' then rename cause all project avatar lost: Affected versions 8.17.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3, fix: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2112
- #25934 (closed) Information leakage with references to private project snippets: Affected versions 8.9.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3, fix: https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2101
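The "Affected versions" ranges above are what decide which earlier releases get marked vulnerable later in this checklist. The following is an added example (not part of this issue or of GitLab's release tooling) that parses those range strings and reports, for a list of candidate releases, which issues each one is exposed to. It assumes plain `MAJOR.MINOR.PATCH` versions with inclusive range bounds; the sample inputs are the two lines above, and the candidate versions are constructed for illustration.

```python
"""Map candidate release versions onto the affected ranges from a security
release issue.  Added example; assumes inclusive MAJOR.MINOR.PATCH ranges."""

from __future__ import annotations

import re
from typing import Dict, Iterable, List, Tuple

VersionTuple = Tuple[int, ...]
VersionRange = Tuple[VersionTuple, VersionTuple]


def parse_version(text: str) -> VersionTuple:
    """'9.2.3' -> (9, 2, 3).  Suffixes such as '-ee' or '+ce.0' are ignored."""
    core = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not core:
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def parse_affected_ranges(line: str) -> List[VersionRange]:
    """Extract inclusive (low, high) ranges from an issue line of the form
    '... Affected versions 8.17.0-9.0.8, 9.1.0-9.1.5, ..., fix: <url>'."""
    _, sep, rest = line.partition("Affected versions")
    if not sep:
        raise ValueError("line does not contain 'Affected versions'")
    rest = rest.split("fix:", 1)[0]          # drop the trailing fix link, if any
    ranges: List[VersionRange] = []
    for chunk in re.split(r",\s*", rest):
        chunk = chunk.strip()
        if not chunk:
            continue
        low, _, high = chunk.partition("-")
        lo, hi = parse_version(low), parse_version(high or low)
        if lo > hi:
            raise ValueError(f"inverted range: {chunk!r}")
        ranges.append((lo, hi))
    return ranges


def is_affected(version: str, ranges: List[VersionRange]) -> bool:
    """True when the version lies inside any inclusive affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in ranges)


def versions_to_mark_vulnerable(candidates: Iterable[str],
                                issues: Dict[str, str]) -> Dict[str, List[str]]:
    """For each candidate version, list the issue ids whose affected ranges
    contain it.  Versions not covered by any issue are omitted."""
    parsed = {issue_id: parse_affected_ranges(line) for issue_id, line in issues.items()}
    result: Dict[str, List[str]] = {}
    for version in candidates:
        hits = [issue_id for issue_id, ranges in parsed.items() if is_affected(version, ranges)]
        if hits:
            result[version] = hits
    return result


# Sample input: the two issue lines from this release, plus constructed candidates.
ISSUE_LINES = {
    "#28917": "Affected versions 8.17.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3, fix: "
              "https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2112",
    "#25934": "Affected versions 8.9.0-9.0.8, 9.1.0-9.1.5, 9.2.0-9.2.3, fix: "
              "https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2101",
}
CANDIDATES = ["8.16.0", "9.0.8", "9.0.9", "9.1.6", "9.2.3", "9.2.4"]  # constructed

if __name__ == "__main__":
    for version, hits in versions_to_mark_vulnerable(CANDIDATES, ISSUE_LINES).items():
        print(f"{version}: vulnerable to {', '.join(hits)}")
```

Note that this only evaluates the ranges as written in the issue; a follow-up release like this one, where the earlier fix turned out to be incomplete, extends the exposure beyond those ranges, so the checklist's own "mark as vulnerable" step remains the authority.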
Description
- This release was needed because #28917 (closed) wasn't fixed completely in https://gitlab.com/gitlab-org/gitlab-ce/issues/32938
Tasks
- Pick into respective security branches (if the MR was merged into `security-9-2`, pick into `security-9-1` and `security-9-0`):
- Pick into respective `stable` branches from respective security branches:
- Push ce/9-2-stable to dev only: `git push dev 9-2-stable`
- Push ee/9-2-stable-ee to dev only: `git push dev 9-2-stable-ee`
- Merge ce/9-2-stable into ee/9-2-stable-ee following the security process
- Push omnibus-gitlab/9-2-stable to dev only: `git push dev 9-2-stable`
- Push omnibus-gitlab/9-2-stable-ee to dev only: `git push dev 9-2-stable-ee`
- While waiting for tests to be green, now is a good time to start on the blog post, in a private snippet: BLOG_POST_SNIPPET
  - Ensure the blog post discloses as much information about the vulnerability as is responsibly possible. We aim for clarity and transparency, and try to avoid secrecy and ambiguity.
  - If the vulnerability was responsibly disclosed to us by a security researcher, ensure they're publicly acknowledged and thank them again privately as well.
- Ensure tests are green on CE
- Ensure tests are green on EE
- Check for any problematic migrations in EE (EE migrations include CE ones), and paste the diff in a snippet: `git diff v9.2.3-ee..9-2-stable-ee -- db/migrate` =>
- Tag the 9.2.4 version using the `release` task:
  ```sh
  SECURITY=true bundle exec rake "release[9.2.4]"
  ```
- Check that EE packages are built, CE packages are built and appear on packages.gitlab.com: EE / CE
- In #production:
  ```
  I'm going to deploy `9.2.4` to staging
  ```
- Deploy 9.2.4 to staging.gitlab.com
- In #production:
  ```
  I'm going to deploy `9.2.4` to production
  ```
- Deploy 9.2.4 to GitLab.com
- Create the 9.2.4 version on https://version.gitlab.com
- Mark any applicable previous releases as vulnerable on https://version.gitlab.com.
- Check any sensitive information from the confidential security issues, and redact it if needed
- Create the blog post merge request
- Deploy the blog post
- Push ce/9-2-stable to all remotes
- Push ee/9-2-stable-ee to all remotes
- Push tags to all remotes
- Make the confidential security issues public
- Tweet (prepare the Tweet text below or paste the tweet URL instead):
  ```
  GitLab 9.2.4 is released! BLOG_POST_URL
  DESCRIPTION OF THE CHANGES
  ```
- Coordinate with the Marketing team to send out a security newsletter
- In the 9.2 Regressions issue:
  - Add the following notice: `9.2.4` has been tagged, further fixes will go into `9.2.5` as necessary.
  - Remove notes for the regressions fixed by version 9.2.4
- Cherry-pick the merges from the security branch into `master` and push to all remotes.
- Mark 9.2.3, 9.1.6, and 9.0.9 as vulnerable
- Add omnibus-gitlab/9.2.4+ce.0 CHANGELOG.md items to omnibus-gitlab/master CHANGELOG.md

For references: