Blog post: https://about.gitlab.com/releases/2024/09/11/patch-release-gitlab-17-3-2-released/
Includes the following fixes:
- Execute environment stop actions as the owner of the stop action job (Critical)
- Prevent code injection in Product Analytics funnels YAML (High)
- SSRF via Dependency Proxy (High)
- Denial of Service via sending a large glm_source parameter (High)
- CI_JOB_TOKEN can be used to obtain GitLab session token (Medium)
- Variables from settings are not overwritten by PEP if a template is included (Medium)
- Guests can disclose the full source code of projects using custom group-level templates (Medium)
- IdentitiesController allows linking of arbitrary unclaimed provider identities (Medium)
- Open redirect in repo/tree/:id endpoint can lead to account takeover through broken OAuth flow (Medium)
- Open redirect in release permanent links can lead to account takeover through broken OAuth flow (Medium)
- Guest user with Admin group member permission can edit custom role to gain other permissions (Medium)
- Exposure of protected and masked CI/CD variables by abusing on-demand DAST (Medium)
- Credentials disclosed when repository mirroring fails (Medium)
- Commit information visible through release atom endpoint for guest users (Medium)
- Dependency Proxy Credentials are Logged in Plaintext in graphql Logs (Medium)
- User Application can spoof the redirect url (Low)
- Group Developers can view group runners information (Low)
Docs:
[version specific upgrade docs]()
[deprecations]()
[changelog]()
Test instance:
- gitlab-prod-1002.devtools.eqiad1.wikimedia.cloud
- gitlab-runner-1002.devtools.eqiad1.wikimedia.cloud (no update needed)
- gitlab-runner-1003.devtools.eqiad1.wikimedia.cloud (no update needed)
- gitlab-runner-1005.devtools.eqiad1.wikimedia.cloud (no update needed)
Replicas:
- gitlab1003.wikimedia.org
- gitlab1004.wikimedia.org
Production:
- gitlab2002.wikimedia.org
- Trusted runners (no update needed)
- Shared runners (no update needed)
- Cloud runners (no update needed)