GitLab Security Release: 14.5.2, 14.4.4, and 14.3.6 --- Backport to 13.x?

Yesterday GitLab released security updates for the 14.3/4/5 branches. Does anyone know when or if these security patches will be backported to the 13.x branch? Does anyone know what version of 13.x is considered secure?

TIA

Mark


I am also trying to find out this information

According to GitLab release and maintenance policy | GitLab

Our current policy is:

  • Backporting security fixes to the previous two monthly releases in addition to the current stable release .

To ensure you receive all security updates and are patched against known vulnerabilities, I suggest upgrading GitLab to the latest release or previous two minor releases.

Can you clarify if this includes 13.x, as according to GitLab documentation this is a supported version.

So just wanted to have confirmation if the security fixes will be backported to these supported versions? Or if these versions should be considered vulnerable and should not be used?

Hi @brett.tasker, great question!

There are multiple definitions of “support” and it’s easy to get them mixed up.

The “Statement of Support” page is specific to GitLab’s paid support offering. GitLab customers with a license or subscription are entitled to receive support from GitLab Support Engineers. This document defines what we [GitLab Support team] support in terms of our products, services, and applications.

Essentially, if you’re a GitLab customer, you can expect that Support will help you with any problems or questions you have with GitLab versions 12.0 through the latest 14.x. Statement of Support | GitLab

So just wanted to have confirmation if the security fixes will be backported to these supported versions?

Our release and maintenance policy states that GitLab will backport security fixes to the previous two monthly releases in addition to the current stable release.

For example, the latest GitLab Security patches are available for 14.5 (latest stable version) and they’ve also been backported to 14.4 and 14.3: GitLab Security Release: 14.5.2, 14.4.4, and 14.3.6 | GitLab

There’s an open issue to discuss whether we should extend or change the maintenance policy here:

Or if these versions should be considered vulnerable and should not be used?

GitLab versions 13.x may be vulnerable to security issues that were patched after the release of 14.2.

Using software that has known vulnerabilities is a risk that can be avoided by upgrading or mitigated by locking down access to the instance beyond the application layer. For example, customers running 12.x or 13.x who’re unable to upgrade often mitigate risk by restricting access to the instance at the network level. A simple example would be a firewall with a DENY ALL rule that only allows traffic to/from IP addresses that you’ve intentionally added to an allowlist.

If security is a concern and your GitLab instance is public-facing (anyone on the internet can access it by typing the URL in their browser), I advise that you regularly update both GitLab and system packages. If you can’t update regularly, lock down access as much as possible so that only authorized individuals/machines can access your GitLab instance.


I definitely wouldn’t interpret the published info that way - this is a rather big revelation to me (and most likely a lot of people!).

IMO the image in the dashboard needs to be changed, as currently, running V13, the assumption is everything is fine, whereas you are saying V13 is now insecure and most likely not getting patched?

The status should be red - update ASAP.

Hi @mcjoppy, welcome to the GitLab Community Forum!

I definitely wouldn’t interpret the published info that way - this is a rather big revelation to me (and most likely a lot of people!).

Thanks for raising this. To make this point clearer to our entire community, I suggest you create an issue or submit a merge request to get the conversation started and raise awareness of this problem.

IMO the image in the dashboard needs to be changed, as currently, running V13, the assumption is everything is fine […]
The status should be red - update ASAP.

Can you clarify which image/dashboard you’re referring to?

It is my understanding that any user not running the latest stable release will see a red “Upgrade ASAP” image in their admin dashboard.

The “Upgrade ASAP” image uses Version Check (enabled by default) to check if a new version is available. If you’re running anything below 14.5.2 (current latest release), it’s possible that someone disabled the Version Check functionality.

If that’s the case, clicking the checkbox next to “Enable version check” should alert you via red “Upgrade ASAP” message at <yourgitlaburl>/admin anytime an update is available.

If you have version check enabled and you’re not seeing the “Upgrade ASAP” message, let us know as this sounds like a bug.


That’s not the case:
[screenshot: gitlab-13-upgrade]

(That screenshot was made less than a minute ago)


Thanks for reporting this. I was able to reproduce it, and I’m investigating it now.

Ok I figured it out. Sorry for the confusion, thanks for bearing with me.

There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 22nd of each month), and ad-hoc security releases for critical vulnerabilities.
Critical vulnerabilities are defined based on CVSS v3.0 ratings. A vulnerability with a CVSS score of 9.0 to 10.0 is considered “Critical”, and discovery of a Critical vulnerability in GitLab or its components will prompt an ad-hoc Critical Security release to get the fix out ASAP.

The version check banner at /admin is displayed using the following logic:

  • update available (yellow) is displayed anytime an update (security or otherwise) is available
  • update ASAP (red) is displayed when a critical security update is available for the GitLab version you’re running (critical meaning that a patch to fix a vulnerability with a CVSS score of 9.0-10.0 has been released)
  • up-to-date (green) is displayed when you’re running the latest stable release

The reason that 13.12.12 shows “update available” (yellow) instead of “update ASAP” (red) is that the last Critical Security Release was GitLab Critical Security Release: 14.0.4, 13.12.8, and 13.11.7 | GitLab

There have been regular security releases (released 1 week after each new minor release), but no Critical Security releases since 14.0.4/13.12.8/13.11.7.

See here for more info: Increase clarity that an upgrade is available for the instance (#295266) · Issues · GitLab.org / GitLab · GitLab Feel free to weigh-in and contribute to the issue comments there if you feel this could be made clearer.

Thanks!

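The point the thread keeps circling is that the admin banner and the backport policy answer two different questions: the banner only goes red when a Critical (CVSS 9.0-10.0) patch exists for the branch you are on, while the policy quoted earlier only backports regular security fixes to the current stable release and the two minor releases before it. The following added example (not GitLab's own code, and not the real Version Check service logic) puts both rules from this thread side by side: it parses a running version, works out which minor releases are inside the backport window, and reproduces the banner states as described above. The release numbers are the ones quoted in the thread; `LAST_MINOR_OF_MAJOR`, the treatment of branches older than the oldest critical backport as "update available", and all function names are this example's own assumptions.

```python
"""Constructed example: backport-window check plus the /admin banner logic as
described in this thread. Not GitLab's own code; see the assumptions below."""
from __future__ import annotations

# Constructed data. Version numbers are the ones quoted in the thread; the names are ours.
LATEST_STABLE = "14.5.2"
LAST_CRITICAL_RELEASES = ("14.0.4", "13.12.8", "13.11.7")
BACKPORT_WINDOW = 3             # current stable + previous two monthly releases
LAST_MINOR_OF_MAJOR = {13: 12}  # assumption: lets us step back across the 14.0 -> 13.12 boundary


def parse_version(v: str) -> tuple[int, int, int]:
    """'MAJOR.MINOR.PATCH' -> (major, minor, patch) as ints, so 13.12 sorts after 13.9."""
    major, minor, patch = (int(p) for p in v.strip().split("."))
    return major, minor, patch


def minor_of(v: str) -> tuple[int, int]:
    return parse_version(v)[:2]


def previous_minor(m: tuple[int, int]) -> tuple[int, int]:
    """Step back one monthly release, crossing a major boundary via LAST_MINOR_OF_MAJOR."""
    major, minor = m
    if minor > 0:
        return major, minor - 1
    return major - 1, LAST_MINOR_OF_MAJOR[major - 1]


def supported_minors(latest_stable: str = LATEST_STABLE,
                     window: int = BACKPORT_WINDOW) -> list[tuple[int, int]]:
    """Minor releases still inside the security-backport window, newest first."""
    minors = [minor_of(latest_stable)]
    while len(minors) < window:
        minors.append(previous_minor(minors[-1]))
    return minors


def in_backport_window(running: str, latest_stable: str = LATEST_STABLE) -> bool:
    """True if regular security fixes are still backported to the running minor release."""
    return minor_of(running) in supported_minors(latest_stable)


def banner(running: str, latest_stable: str = LATEST_STABLE,
           critical: tuple[str, ...] = LAST_CRITICAL_RELEASES) -> str:
    """Banner states as described in the thread: 'up-to-date' (green) on the latest stable,
    'update ASAP' (red) when a Critical patch for the running branch is newer than what runs,
    otherwise 'update available' (yellow). Branches older than the oldest Critical backport
    fall through to 'update available'; the thread does not say, so that is an assumption."""
    r = parse_version(running)
    if r >= parse_version(latest_stable):
        return "up-to-date"
    for c in critical:
        if minor_of(c) == minor_of(running) and r < parse_version(c):
            return "update ASAP"
    return "update available"


def assess(running: str) -> dict:
    """What the banner says next to what the backport policy implies for the same version."""
    return {
        "version": running,
        "banner": banner(running),
        "receives_security_backports": in_backport_window(running),
    }


if __name__ == "__main__":
    # 13.12.12 is the case from the screenshot: yellow banner, yet outside the backport window.
    for v in ("14.5.2", "14.3.6", "13.12.12", "13.12.7"):
        print(assess(v))
```

The `13.12.12` row is the case from the screenshot: the banner is only yellow because `13.12.8` was the last Critical patch on that branch, but `in_backport_window` is false, so the regular fixes in 14.5.2 / 14.4.4 / 14.3.6 never reach it. If you automate this, feed `LATEST_STABLE` and the critical-release list from the release announcements rather than hard-coding them as done here.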

I am also trying to find out this information

Hi @eagleapk10 welcome to the GitLab Community Forum! :wave:

13.x will not receive backports of the security patches in 14.5.2 / 14.4.4 / 14.3.6.

Do you have any questions or need clarification on the answer provided here?