BigW Consortium Gitlab

security.md 3.65 KB
Newer Older
1
# Things to do when doing an out-of-bound security release
2

3 4 5 6
NOTE: This is a guide for GitLab developers. If you are trying to install GitLab see the latest stable [installation guide](install/installation.md) and if you are trying to upgrade, see the [upgrade guides](update).

## When to do a security release

7
Do a security release when there is a critical issue that needs to be addresses before the next monthly release. Otherwise include it in the monthly release and note there was a security fix in the release announcement.
8 9 10

## Security vulnerability disclosure

11
Please report suspected security vulnerabilities in private to <support@gitlab.com>, also see the [disclosure section on the GitLab.com website](https://about.gitlab.com/disclosure/). Please do NOT create publicly viewable issues for suspected security vulnerabilities.
12 13 14

## Release Procedure

15
1. Verify that the issue can be reproduced
16
1. Acknowledge the issue to the researcher that disclosed it
17
1. Inform the release manager that there needs to be a security release
18
1. Do the steps from [patch release document](doc/release/patch.md), starting with "Create an issue on private GitLab development server"
19
1. The MR with the security fix should get a 'security' label and be assigned to the release manager
20
1. Build the package for GitLab.com and do a deploy
21
1. Build the package for ci.gitLab.com and do a deploy
22
1. [Create new AMIs](https://dev.gitlab.org/gitlab/AMI/blob/master/README.md)
23
1. Create feature branches for the blog post on GitLab.com and link them from the code branch
24
1. Merge and publish the blog posts
25
1. Send tweets about the release from `@gitlabhq`
26
1. Send out an email to [the community google mailing list](https://groups.google.com/forum/#!forum/gitlabhq)
27
1. Post a signed copy of our complete announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number. CVE is only needed for bugs that allow someone to own the server (Remote Code Execution) or access to code of projects they are not a member of.
28
1. Add the security researcher to the [Security Researcher Acknowledgments list](https://about.gitlab.com/vulnerability-acknowledgements/)
29
1. Thank the security researcher in an email for their cooperation
30
1. Update the blog post and the CHANGELOG when we receive the CVE number
31 32

The timing of the code merge into master should be coordinated in advance.
33

34
After the merge we strive to publish the announcements within 60 minutes.
35 36 37 38 39

## Blog post template

XXX Security Advisory for GitLab

40
A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately. We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited.
41 42 43 44

### Version affected

GitLab Community Edition XXX and lower
45

46 47 48 49 50
GitLab Enterprise Edition XXX and lower

### Fixed versions

GitLab Community Edition XXX and up
51

52 53 54 55 56 57 58 59 60 61 62 63 64 65
GitLab Enterprise Edition XXX and up

### Impact

On GitLab installations which use MySQL as their database backend it is possible for an attacker to assume the identity of any existing GitLab user in certain API calls. This attack can be performed by [unauthenticated|authenticated|XXX|PICKSOMETHING] users.

### Workarounds

If you are unable to upgrade you should apply the following patch and restart GitLab.

XXX

### Credit

66
We want to thank XXX of XXX for the responsible disclosure of this vulnerability.
67 68 69 70 71 72 73 74 75 76

## Email template

We just announced a security advisory for GitLab at XXX

Please contact us at support@gitlab.com if you have any questions.

## Tweet template

We just announced a security advisory for GitLab at XXX