Commit f614fa97ae5068f0793ce1bcc73d474e44843695
Exists in master and in 4 other branches
Merge branch 'security-update' of /home/git/repositories/gitlab/gitlabhq
Showing 1 changed file with 10 additions and 4 deletions
doc/release/security.md
@@ -13,12 +13,14 @@ Please report suspected security vulnerabilities in private to support@gitlab.co | @@ -13,12 +13,14 @@ Please report suspected security vulnerabilities in private to support@gitlab.co | ||
13 | 13 | ||
14 | 1. Verify that the issue can be repoduced | 14 | 1. Verify that the issue can be repoduced |
15 | 1. Acknowledge the issue to the researcher that disclosed it | 15 | 1. Acknowledge the issue to the researcher that disclosed it |
16 | -1. Fix the issue on a feature branch, do this on the private dev.gitlab.org server and update the VERSION and CHANGELOG | 16 | +1. Fix the issue on a feature branch, do this on the private GitLab development server and update the VERSION and CHANGELOG in this branch |
17 | 1. Consider creating and testing workarounds | 17 | 1. Consider creating and testing workarounds |
18 | 1. Create feature branches for the blog posts on GitLab.org and GitLab.com and link them from the code branch | 18 | 1. Create feature branches for the blog posts on GitLab.org and GitLab.com and link them from the code branch |
19 | -1. Merge the code feature branch | ||
20 | -1. Create a git tag vX.X.X for CE and another one for EE | 19 | +1. Merge the code feature branch into master |
20 | +1. Cherry-pick the code into the latest stable branch | ||
21 | +1. Create a git tag vX.X.X for CE and another patch release for EE | ||
21 | 1. Push the code and the tags to all the CE and EE repositories | 22 | 1. Push the code and the tags to all the CE and EE repositories |
23 | +1. Apply the patch to GitLab Cloud and the private GitLab development server | ||
22 | 1. Merge and publish the blog posts | 24 | 1. Merge and publish the blog posts |
23 | 1. Send tweets about the release from @gitlabhq and @git_lab | 25 | 1. Send tweets about the release from @gitlabhq and @git_lab |
24 | 1. Send out an email to the subscribers mailing list on MailChimp | 26 | 1. Send out an email to the subscribers mailing list on MailChimp |
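Review bot: the ordering of the new step 23 ("Apply the patch to GitLab Cloud and the private GitLab development server") after step 22 ("Push the code and the tags to all the CE and EE repositories") leaves the hosted service unpatched during the window in which the public commit already reveals the fix; either move the GitLab Cloud update before the public push (the private development server can stay where it is), or add a sentence stating that the order is deliberate and why. Two smaller points in the same list: the new step 21 reads "Create a git tag vX.X.X for CE and another patch release for EE", where the old wording "another one" made clear that a second tag is meant, so "another tag for EE" would be less ambiguous; and the unchanged context line 14 still carries the typo "repoduced", which this edit to the list could fix in passing.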
@@ -27,13 +29,17 @@ Please report suspected security vulnerabilities in private to support@gitlab.co | @@ -27,13 +29,17 @@ Please report suspected security vulnerabilities in private to support@gitlab.co | ||
27 | 1. Post a signed copy of our announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number | 29 | 1. Post a signed copy of our announcement to [oss-security](http://www.openwall.com/lists/oss-security/) and request a CVE number |
28 | 1. Add the security researcher to the [Security Researcher Acknowledgments list](http://www.gitlab.com/vulnerability-acknowledgements/) | 30 | 1. Add the security researcher to the [Security Researcher Acknowledgments list](http://www.gitlab.com/vulnerability-acknowledgements/) |
29 | 1. Thank the security researcher in an email for their cooperation | 31 | 1. Thank the security researcher in an email for their cooperation |
30 | -1. Update the blogposts when we receive a CVE number | 32 | +1. Update the blogposts when we receive the CVE number |
33 | + | ||
34 | +The timing of the code merge into master should be coordinated in advance. | ||
35 | +After the merge we strive to publish the announcements within 60 minutes. | ||
31 | 36 | ||
32 | ## Blog post template | 37 | ## Blog post template |
33 | 38 | ||
34 | XXX Security Advisory for GitLab | 39 | XXX Security Advisory for GitLab |
35 | 40 | ||
36 | A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately. | 41 | A recently discovered critical vulnerability in GitLab allows [unauthenticated API access|remote code execution|unauthorized access to repositories|XXX|PICKSOMETHING]. All users should update GitLab and gitlab-shell immediately. |
42 | +We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited. | ||
37 | 43 | ||
38 | ### Version affected | 44 | ### Version affected |
39 | 45 |
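Review bot: the added template line "We [have|haven't|XXX|PICKSOMETHING|] heard of this vulnerability being actively exploited." ends its bracketed choice with an empty option (`|]`), unlike the `[...|XXX|PICKSOMETHING]` form used in the sentence above it; drop the trailing pipe so the placeholder is consistent. Also, the changed line 32 spells "blogposts" while lines 18 and 24 of the same list use "blog posts"; since this line is being touched anyway, align the spelling. The two new sentences about coordinating the merge and publishing announcements within 60 minutes are a useful addition; consider stating which of the numbered steps the 60-minute target covers (the blog posts, tweets and mailing list, or the oss-security post as well) so the expectation is unambiguous.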