diff --git a/CHANGELOG.md b/CHANGELOG.md
index 91ef537ecd0f83ca904852c5b112c0496e28017b..8372afb8f4458f5c644a4ca329e78a1940e1b061 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,6 +28,7 @@ omnibus-gitlab repository.
 - Upgrade libyaml version to 0.1.7
 - Fix gitlab-ctl wrapper to allow '*' in arguments
 - Update failover_pgbouncer script to use the pgbouncer user for the database configuration
+- Update Mattermost to 4.2.0
 9.5.5
diff --git a/config/software/mattermost.rb b/config/software/mattermost.rb
index 43d55898521500b57316d75f7cd0d30d876624ad..1bbb6bb8270aa78306d16b183539553f9914f61a 100644
--- a/config/software/mattermost.rb
+++ b/config/software/mattermost.rb
@@ -17,10 +17,10 @@ #
 name 'mattermost'
-default_version '4.1.0'
+default_version '4.2.0'
 source url: "https://releases.mattermost.com/#{version}/mattermost-team-#{version}-linux-amd64.tar.gz",
- md5: 'd109076f86ba5e9e4794fbabdaabd471'
+ md5: 'c7b40031c049417d47ee3a30f1210bc5'
 relative_path 'mattermost'
diff --git a/files/gitlab-config-template/gitlab.rb.template b/files/gitlab-config-template/gitlab.rb.template
index d15ab75d6787093bd7dadb58aaaa2e789c52821c..651354dc57c012e76956c431329975fbdfa03062 100644
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -1066,6 +1066,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # mattermost['service_enable_testing'] = false
 # mattermost['service_enable_security_fix_alert'] = true
 # mattermost['service_enable_insecure_outgoing_connections'] = false
+# mattermost['service_allowed_untrusted_internal_connections'] = ""
 # mattermost['service_allow_cors_from'] = ""
 # mattermost['service_enable_outgoing_webhooks'] = true
 # mattermost['service_enable_commands'] = true
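Review bot: The new commented example `# mattermost['service_allowed_untrusted_internal_connections'] = ""` in the first gitlab.rb.template hunk gives an administrator no hint of the value's format or that this package edits it behind their back. Judging from the library change in this commit, which appends `" #{host}"`, the value appears to be a space-separated host list, and the local GitLab host is added to it automatically whenever unicorn is enabled on the same node; since this setting widens the set of internal addresses Mattermost is willing to contact, whoever edits the line should know both. I would add a comment above it along the lines of `# Space-separated hosts Mattermost may reach although they resolve to internal addresses; the GitLab host is appended automatically when GitLab runs on this node`. The other two hunks in this file add unrelated options and need nothing.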
@@ -1107,6 +1108,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # mattermost['team_restrict_team_names'] = true
 # mattermost['team_restrict_direct_message'] = "any"
 # mattermost['team_max_channels_per_team'] = 2000
+# mattermost['team_enable_x_to_leave_channels_from_lhs'] = false
 # mattermost['team_user_status_away_timeout'] = 300
 # mattermost['team_teammate_name_display'] = "full_name"
@@ -1177,6 +1179,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # mattermost["file_amazon_s3_ssl"] = true
 # mattermost["file_amazon_s3_sign_v2"] = false
 # mattermost['file_enable_file_attachments'] = true
+# mattermost["file_amazon_s3_trace"] = false
 # mattermost['ratelimit_enable_rate_limiter'] = false
 # mattermost['ratelimit_per_sec'] = 10
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index 605f4f61f385cb02bb8c2481ad5ffbf0cdf4eadf..340a6e1520fa3dc320d448e434da68772a27697e 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -708,6 +708,7 @@ default['gitlab']['mattermost']['service_enable_post_icon_override'] = true
 default['gitlab']['mattermost']['service_enable_testing'] = false
 default['gitlab']['mattermost']['service_enable_security_fix_alert'] = true
 default['gitlab']['mattermost']['service_enable_insecure_outgoing_connections'] = false
+default['gitlab']['mattermost']['service_allowed_untrusted_internal_connections'] = nil
 default['gitlab']['mattermost']['service_allow_cors_from'] = nil
 default['gitlab']['mattermost']['service_enable_outgoing_webhooks'] = false
 default['gitlab']['mattermost']['service_enable_commands'] = true
@@ -766,6 +767,7 @@ default['gitlab']['mattermost']["file_amazon_s3_lowercase_bucket"] = false
 default['gitlab']['mattermost']["file_amazon_s3_ssl"] = true
 default['gitlab']['mattermost']["file_amazon_s3_sign_v2"] = false
 default['gitlab']['mattermost']['file_enable_file_attachments'] = true
+default['gitlab']['mattermost']['file_amazon_s3_trace'] = false
 default['gitlab']['mattermost']['email_enable_sign_up_with_email'] = false
 default['gitlab']['mattermost']['email_enable_sign_in_with_email'] = true
@@ -808,6 +810,7 @@ default['gitlab']['mattermost']['team_site_name'] = "GitLab Mattermost"
 default['gitlab']['mattermost']['team_enable_team_creation'] = true
 default['gitlab']['mattermost']['team_enable_user_creation'] = true
 default['gitlab']['mattermost']['team_enable_open_server'] = false
+default['gitlab']['mattermost']['team_enable_x_to_leave_channels_from_lhs'] = false
 default['gitlab']['mattermost']['team_max_users_per_team'] = 150
 default['gitlab']['mattermost']['team_allow_public_link'] = true
 default['gitlab']['mattermost']['team_allow_valet_default'] = false
diff --git a/files/gitlab-cookbooks/gitlab/libraries/gitlab_mattermost.rb b/files/gitlab-cookbooks/gitlab/libraries/gitlab_mattermost.rb
index 3484758c74b23045463e295a54621dd1bed2d223..aa9895f83190b9e40c47bb7642e11537b65a96de 100644
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab_mattermost.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab_mattermost.rb
@@ -50,6 +50,12 @@ module GitlabMattermost
 Gitlab['mattermost']['gitlab_auth_endpoint'] ||= "#{gitlab_url}/oauth/authorize"
 Gitlab['mattermost']['gitlab_token_endpoint'] ||= "#{gitlab_url}/oauth/token"
 Gitlab['mattermost']['gitlab_user_api_endpoint'] ||= "#{gitlab_url}/api/v4/user"
+
+ # If mattermost is running on the same box as unicorn, allow it to communicate locally
+ if Services.enabled?('unicorn')
+ Gitlab['mattermost']['service_allowed_untrusted_internal_connections'] ||= ''
+ Gitlab['mattermost']['service_allowed_untrusted_internal_connections'] << " #{URI(gitlab_url.to_s).host}"
+ end
 end
 case uri.scheme
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/config.json.erb b/files/gitlab-cookbooks/gitlab/templates/default/config.json.erb
index 7667c9e649f2a02a98ae7968ee0c21718428ef8c..6ab5f7e635432c6860485f9fd160bbfe621261c8 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/config.json.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/config.json.erb
@@ -23,6 +23,7 @@
 "EnableTesting": <%= @service_enable_testing %>,
 "EnableSecurityFixAlert": <%= @service_enable_security_fix_alert %>,
 "EnableInsecureOutgoingConnections": <%= @service_enable_insecure_outgoing_connections %>,
+ "AllowedUntrustedInternalConnections": "<%= @service_allowed_untrusted_internal_connections %>",
 "AllowCorsFrom": "<%= @service_allow_cors_from %>",
 "EnableDeveloper": <%= @service_enable_developer %>,
 "SessionLengthWebInDays" : <%= @service_session_length_web_in_days %>,
@@ -50,6 +51,7 @@
 "RestrictTeamNames": <%= @team_restrict_team_names %>,
 "RestrictDirectMessage": "<%= @team_restrict_direct_message %>",
 "MaxChannelsPerTeam": <%= @team_max_channels_per_team %>,
+ "EnableXToLeaveChannelsFromLHS": <%= @team_enable_x_to_leave_channels_from_lhs %>,
 "UserStatusAwayTimeout": <%= @team_user_status_away_timeout %>,
 "TeammateNameDisplay" : "<%= @team_teammate_name_display %>"
 },
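Review bot: The `<<` on the last added line mutates the string the administrator supplied in gitlab.rb in place, so a frozen value (a gitlab.rb with `# frozen_string_literal: true`, or a constant) raises FrozenError, a second pass through this code appends the host a second time, and a value that started as `''` ends up with a leading space. Because this setting relaxes Mattermost's guard against reaching internal addresses, it is also worth making sure that exactly one host is added and nothing else in the list changes. Rebuilding the value from a split and join avoids all three problems; when `gitlab_url` carries no scheme, `URI(...).host` is nil, and the guard below skips it instead of appending an empty entry. The enclosing method begins before this hunk, and `gitlab_url` is defined outside it.
```ruby
  # If mattermost is running on the same box as unicorn, allow it to communicate locally
  if Services.enabled?('unicorn')
    gitlab_host = URI(gitlab_url.to_s).host
    allowed = Gitlab['mattermost']['service_allowed_untrusted_internal_connections'].to_s.split
    allowed << gitlab_host unless gitlab_host.nil? || allowed.include?(gitlab_host)
    Gitlab['mattermost']['service_allowed_untrusted_internal_connections'] = allowed.join(' ')
  end
```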
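Review bot: `"AllowedUntrustedInternalConnections": "<%= @service_allowed_untrusted_internal_connections %>",` in the first config.json.erb hunk drops the gitlab.rb value into a JSON string literal without escaping, so a value containing `"` or `\` renders an unparseable config.json and Mattermost fails to start. The line copies the existing `AllowCorsFrom` pattern just below it, so the template already has this weakness; for the new line, `"AllowedUntrustedInternalConnections": <%= @service_allowed_untrusted_internal_connections.to_s.to_json %>,` would produce a correctly quoted string and still renders `""` for the nil default, provided `to_json` is available in the template scope, which I cannot confirm from this diff. The other two hunks in this file only interpolate booleans and are fine.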
@@ -91,7 +93,8 @@
 "AmazonS3LowercaseBucket": <%= @file_amazon_s3_lowercase_bucket %>,
 "AmazonS3SSL": <%= @file_amazon_s3_ssl %>,
 "AmazonS3SignV2" : <%= @file_amazon_s3_sign_v2 %>,
- "EnableFileAttachments": <%= @file_enable_file_attachments %>
+ "EnableFileAttachments": <%= @file_enable_file_attachments %>,
+ "AmazonS3Trace": <%= @file_amazon_s3_trace %>
 },
 "EmailSettings": {
 "EnableSignUpWithEmail": <%= @email_enable_sign_up_with_email %>,
diff --git a/files/gitlab-cookbooks/package/libraries/config/gitlab.rb b/files/gitlab-cookbooks/package/libraries/config/gitlab.rb
index ec80c2624a23a207a4b2c8d3a3da11b7c8b42e66..32abe77140fc41b30569e033d767fcf39f0c1715 100644
--- a/files/gitlab-cookbooks/package/libraries/config/gitlab.rb
+++ b/files/gitlab-cookbooks/package/libraries/config/gitlab.rb
@@ -57,9 +57,9 @@ module Gitlab
 attribute('postgresql', priority: 20).use { Postgresql }
 attribute('unicorn', priority: 20).use { Unicorn }
 attribute('mailroom', priority: 20).use { IncomingEmail }
- attribute('mattermost', priority: 20).use { GitlabMattermost }
 attribute('gitlab_pages', priority: 20).use { GitlabPages }
 attribute('prometheus', priority: 20).use { Prometheus }
+ attribute('mattermost', priority: 30).use { GitlabMattermost } # Mattermost checks if GitLab is enabled on the same box
 attribute('nginx', priority: 40).use { Nginx } # Parse nginx last so all external_url are parsed before it
 attribute('external_url', default: nil)
 attribute('registry_external_url', default: nil)
diff --git a/spec/chef/recipes/mattermost_spec.rb b/spec/chef/recipes/mattermost_spec.rb
index 1d0597033e1bb7158d5d055719506480336c7167..875032f8cf45dbbb677d63ea2c52dc10a4a494f9 100644
--- a/spec/chef/recipes/mattermost_spec.rb
+++ b/spec/chef/recipes/mattermost_spec.rb
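Review bot: The trailing comment on the moved line, `# Mattermost checks if GitLab is enabled on the same box`, does not name which parser the new priority 30 has to follow, which is exactly what someone renumbering these priorities later needs to know. The library changed in this commit calls `Services.enabled?('unicorn')`, so the ordering depends on the `unicorn` attribute (priority 20) having been parsed first; I would make the comment explicit, e.g. `# Parse after unicorn (priority 20): GitlabMattermost calls Services.enabled?('unicorn')`. Whether that check also relies on `gitlab_rails` having been parsed is not visible in this diff and would be worth stating in the comment if so.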
@@ -124,6 +124,29 @@ describe 'gitlab::mattermost' do
 expect(chef_run).to render_file('/opt/gitlab/sv/mattermost/run').with_content(/\-config \/var\/local\/gitlab\/mattermost\/config.json/)
 end
+ shared_examples 'gitlab address set in allowed internal connections' do
+ it 'includes gitlab in the list of allowed internal addresses' do
+ expect(chef_run).to render_file('/var/opt/gitlab/mattermost/config.json')
+ .with_content { |content|
+ config = JSON.parse(content)
+ expect(config).to have_key 'ServiceSettings'
+ expect(config['ServiceSettings']['AllowedUntrustedInternalConnections']).to match(/gitlab\.example\.com/)
+ }
+ end
+ end
+
+ context 'when no allowed internal connections are provided by gitlab.rb' do
+ it_behaves_like 'gitlab address set in allowed internal connections'
+ end
+
+ context 'when some allowed internal connections are provided by gitlab.rb' do
+ before do
+ stub_gitlab_rb(mattermost: { enable: true, service_allowed_untrusted_internal_connections: 'localhost' })
+ end
+
+ it_behaves_like 'gitlab address set in allowed internal connections'
+ end
+
 shared_examples 'no gitlab authorization performed' do
 it 'does not authorize mattermost with gitlab' do
 expect(chef_run).not_to run_ruby_block('authorize mattermost with gitlab')
@@ -140,6 +163,13 @@ describe 'gitlab::mattermost' do
 before { stub_gitlab_rb(gitlab_rails: { enable: false }) }
 it_behaves_like 'no gitlab authorization performed'
+
+ it 'does not add gitlab automatically to the list of allowed internal addresses' do
+ expect(chef_run).to render_file('/var/opt/gitlab/mattermost/config.json').with_content { |content|
+ config = JSON.parse(content)
+ expect(config['ServiceSettings']['AllowedUntrustedInternalConnections']).not_to match(/gitlab\.example\.com/)
+ }
+ end
 end
 context 'when database is not running' do
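Review bot: The shared example only asserts that `gitlab.example.com` appears in `AllowedUntrustedInternalConnections`; in the `'when some allowed internal connections are provided by gitlab.rb'` context nothing checks that the administrator's own `localhost` entry survived the append, which is the regression the new library code is most likely to introduce, and a leading space or a duplicated host would also pass unnoticed. In that context I would add an example asserting the whole value rather than a substring, e.g. `expect(config['ServiceSettings']['AllowedUntrustedInternalConnections'].split).to contain_exactly('localhost', 'gitlab.example.com')`, and in the first context `.to eq('gitlab.example.com')` after stripping, so the shape of the rendered list is pinned as well as its membership. The negative test in the second hunk is fine as written.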