Encryption is the process of turning data into an unrecognizable format unless the necessary password (also known as passphrase) or decryption key is provided.This blog describes how to encrypt the pgBackRest repository. pgBackRest is the backup tool used to perform Postgres database backup, restoration, and point-in-time recovery (PITR). The repository is where pgBackRest stores backups […]

Today we are releasing versions 16.6.1, 16.5.3, 16.4.3 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Table of fixes Title Severity XSS and ReDoS in Markdown via Banzai pipeline of Jira High Members with admin_group_member custom permission can add members with higher role High Release Description visible in public projects despite release set as project members only through atom response Medium Manipulate the repository content in the UI (CVE-2023-3401 bypass) Medium External user can abuse policy bot to gain access to internal projects Medium Client-side DOS via Mermaid Flowchart Medium Developers can update pipeline schedules to use protected branches even if they don't have permission to merge Medium Users can install Composer packages from public projects even when Package registry is turned off Medium Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches Low Guest users can react (emojis) on confidential work items which they cant see in a project Low XSS and ReDoS in Markdown via Banzai pipeline of Jira Improper neutralization of input in Jira integration configuration in GitLab CE/EE, affecting all versions from 15.10 prior to 16.6.1, 16.5 prior to 16.5.3, and 16.4 prior to 16.4.3 allowed attacker to execute javascript in victim's browser. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N, 8.7). It is now mitigated in the latest release and is assigned CVE-2023-6033. Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program. Members with admin_group_member custom permission can add members with higher role An issue has been discovered in GitLab EE affecting all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. When a user is assigned a custom role with admin_group_member` enabled, they may be able to add a member with a higher static role than themselves to the group which may lead to privilege escalation. This is a high severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, 8.1). It is now mitigated in the latest release and is assigned CVE-2023-6396. This vulnerability was discovered internally by GitLab team member jarka. Release Description visible in public projects despite release set as project members only through atom response An issue has been discovered in GitLab affecting all versions starting from 11.3 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for unauthorized users to view a public projects' release descriptions via an atom endpoint when release access on the public was set to only project members This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, 5.3). It is now mitigated in the latest release and is assigned CVE-2023-3949. Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program. Manipulate the repository content in the UI (CVE-2023-3401 bypass) An issue has been discovered in GitLab affecting all versions before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. Under certain circumstances, a malicious actor bypass prohibited branch checks using a specially crafted branch name to manipulate repository content in the UI. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, 4.8). It is now mitigated in the latest release and is assigned CVE-2023-5226. Thanks shells3c for reporting this vulnerability through our HackerOne bug bounty program. External user can abuse policy bot to gain access to internal projects An issue has been discovered in GitLab EE affecting all versions starting from 16.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the policy bot to gain access to internal projects. This is a medium severity issue (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N, 4.4). It is now mitigated in the latest release and is assigned CVE-2023-5995. Thanks joaxcar for reporting this vulnerability through our HackerOne bug bounty program. Client-side DOS via Mermaid Flowchart An issue has been discovered in GitLab EE affecting all versions starting from 10.5 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to cause a client-side denial of service using malicious crafted mermaid diagram input. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4912. Thanks toukakirishima for reporting this vulnerability through our HackerOne bug bounty program. Developers can update pipeline schedules to use protected branches even if they don't have permission to merge An issue has been discovered in GitLab affecting all versions starting from 9.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a user with the Developer role to update a pipeline schedule from an unprotected branch to a protected branch. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-4317. Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program. Users can install Composer packages from public projects even when Package registry is turned off An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disabled in the project settings. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3964. Thanks js_noob for reporting this vulnerability through our HackerOne bug bounty program. Unauthorized member can gain Allowed to push and merge access and affect integrity of protected branches An issue has been discovered in GitLab EE affecting all versions starting from 8.13 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for an attacker to abuse the Allowed to merge permission as a guest user, when granted the permission through a group. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-4658. Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program. Guest users can react (emojis) on confidential work items which they cant see in a project An issue has been discovered in GitLab affecting all versions starting from 12.1 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for a Guest user to add an emoji on confidential work items. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-3443. Thanks ashish_r_padelkar for reporting this vulnerability through our HackerOne bug bounty program. Mattermost Security Update Mattermost has been updated to the latest patch release to mitigate several security issues. Update to PG 14.9 and 13.12 PostgreSQL has been updated to 14.9 and 13.12 to mitigate CVE-2023-39417. Update pcre2 to 10.42 pcre2 has been updated to version 10.42 to mitigate CVE-2022-41409. Non Security Patches 16.6.1 Install Gitaly dependencies for project archiving (16.6 backport) Fix intermittent 404 errors loading GitLab Pages Prefer custom sort order with search in users API Backport "Fix group page erroring because of nil user" to 16-6-stable-ee Skip encrypted settings logic for Redis when used by Mailroom Allow + char in abuse detection for global search Backport "Move unlock pipeline cron scheduler out of ee" to 16.6 Fix bug with pages_deployments files not being deleted on disk Backport - Truncate verification failure message to 255 Backport "Revert "Merge branch 'sc1-release-goredis' into 'master'"" 16.5.3 Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-5-stable Geo: Reduce batch size of verification state backfill 16.4.3 Backport 10871d71b171db38701bfefe15883b05c234ca6d to 16-4-stable Backport to 16.4 the fix for test failure due to "not-existing.com" being registered Bump asdf-bootstrapped-verify version on 16.4 Fix bulk batch export of badges and uploads [16.4] ci: Fix broken master by not reading GITLAB_ENV Fix assign security check permission checks For 16.4: Fix Geo verification state backfill job can exceed batch size Geo: Reduce batch size of verification state backfill Updating To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Security Release Notifications To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

picture of two new titan security keys

This week’s system design refresher: *BIG* Announcement: We’ve launched an Instagram account Top 12 Tips for API Security Our Recommended Materials For Cracking Your Next Tech Interview (Youtube video) How To Release A Mobile App Git Vs Github *BIG* Announcement: We’ve launched an Instagram account

Redis Cloud Flexible and Annual plans across all AWS and Google Cloud regions achieve certification The post Redis Cloud Gains Payment Card Industry Data Security Standard Certification   appeared first on Redis.

You may wonder – what exactly does this certification mean? Let us break down the importance of PCI DSS certification and how it helps you confidently deliver data-oriented applications. The post Elevating Data Security: Redis Cloud Achieves PCI DSS Certification appeared first on Redis.

We are excited to announce the general availability (GA) of several key security features for Databricks on Google Cloud: Private connectivity with Private...

Today we are releasing versions 16.5.1, 16.4.2, 16.3.6 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. GitLab releases patches for vulnerabilities in dedicated security releases. There are two types of security releases: a monthly, scheduled security release, released a week after the feature release (which deploys on the 3rd Thursday of each month), and ad-hoc security releases for critical vulnerabilities. For more information, you can visit our security FAQ. You can see all of our regular and security release blog posts here. In addition, the issues detailing each vulnerability are made public on our issue tracker 30 days after the release in which they were patched. We are dedicated to ensuring all aspects of GitLab that are exposed to customers or that host customer data are held to the highest security standards. As part of maintaining good security hygiene, it is highly recommended that all customers upgrade to the latest security release for their supported version. You can read more best practices in securing your GitLab instance in our blog post. On 2023-10-20 11:03 UTC, GitLab internally discovered (CVE-2023-5831) that a change in the GitLab sidebar feature resulted in self-managed GitLab instances sending version-checks to version.gitlab.com each time they opened a page on their GitLab instance. This means that the hostnames and current versions of self-managed GitLab instances were being sent to version.gitlab.com any time a user of that GitLab instance opened any page, regardless of whether or not the sending of version-check was enabled. This information was only accessible to some GitLab team members and was not exposed externally, and GitLab is working to purge the erroneously collected data from our database. Recommended Action We strongly recommend that all installations running a version affected by the issues described below are upgraded to the latest version as soon as possible. When no specific deployment type (omnibus, source code, helm chart, etc.) of a product is mentioned, this means all types are affected. Table of fixes Title Severity Disclosure of CI/CD variables using Custom project templates High GitLab omnibus DoS crash via OOM with CI Catalogs Medium Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service Medium DoS - Blocking FIFO files in Tar archives Medium Titles exposed by service-desk template Medium Approval on protected environments can be bypassed Low Version information disclosure when super_sidebar_logged_out feature flag is enabled Low Add abuse detection for search syntax filter pipes Low Disclosure of CI/CD variables using Custom project templates An issue has been discovered in GitLab affecting all versions starting from 11.6 before 12.9.8, all versions starting from 12.10 before 12.10.7, all versions starting from 13.0 before 13.0.1. It was possible for an unauthorised project or group member to read the CI/CD variables using the custom project templates. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, 8.5). It is now mitigated in the latest release and is assigned CVE-2023-3399. Thanks theluci for reporting this vulnerability through our HackerOne bug bounty program. GitLab omnibus DoS crash via OOM with CI Catalogs An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.2 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A low-privileged attacker can point a CI/CD Component to an incorrect path and cause the server to exhaust all available memory through an infinite loop and cause Denial of Service. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, 6.5). It is now mitigated in the latest release and is assigned CVE-2023-5825. Thanks blakbat for reporting this vulnerability through our HackerOne bug bounty program" Parsing gitlab-ci.yml with large string via timeout input leads to Denial of Service An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.3 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. A Regular Expression Denial of Service was possible by adding a large string in timeout input in gitlab-ci.yml file." This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3909. Thanks akadrian for reporting this vulnerability through our HackerOne bug bounty program. DoS - Blocking FIFO files in Tar archives An issue has been discovered in GitLab EE/CE affecting all versions starting before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1 which allows an attackers to block Sidekiq job processor. This is a medium severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, 4.3). It is now mitigated in the latest release and is assigned CVE-2023-3246. Thanks zhutyra for reporting this vulnerability through our HackerOne bug bounty program. Titles exposed by service-desk template An issue has been discovered in GitLab EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, all versions starting from 16.5 before 16.5.1. Arbitrary access to the titles of an private specific references could be leaked through the service-desk custom email template. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N, 3.1). It is now mitigated in the latest release and is assigned CVE-2023-5600. Thanks yvvdwf for reporting this vulnerability through our HackerOne bug bounty program. Approval on protected environments can be bypassed An authorization issue affecting GitLab EE affecting all versions from 14.7 prior to 16.3.6, 16.4 prior to 16.4.2, and 16.5 prior to 16.5.1, allowed a user to run jobs in protected environments, bypassing any required approvals. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N, 3.5). It is now mitigated in the latest release and is assigned CVE-2023-4700. Thanks Gregor Pirolt for reporting this vulnerability through our HackerOne bug bounty program. Version information disclosure when super_sidebar_logged_out feature flag is enabled An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the super_sidebar_logged_out feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N, 3.7). It is now mitigated in the latest release and is assigned CVE-2023-5831. This vulnerability was discovered internally by the GitLab team. Add abuse detection for search syntax filter pipes An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators. This is a low severity issue (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L, 3.1). It is now mitigated in the latest release. We have requested a CVE ID and will update this blog post when it is assigned. This vulnerability was found internally by GitLab. Update curl to v8.4.0 curl has been updated to v8.4.0 to mitigate CVE-2023-38545. Update mermaid to 10.5.0 mermaid has been updated to 10.5.0 to mitigate a security issue. Patch NGINX for CVE-2023-44487 NGINX has been patched to mitigate CVE-2023-44487. Non Security Patches 16.5.1 Revert better-error-messages-for-pull-mirroring Update post migration to drop column only if it exists Downgrade vue-apollo to prevent auto-restarting subscriptions on error 16.4.2 UBI: Explicitly add webrick gem to mailroom build Update VERSION files Update dependency prometheus-client-mmap to '>= 0.28.1' Backport: fix migration when commit_message_negative_regex is missing Backport to 16.4: Geo: Avoid getting resources stuck in Queued Fix pipeline schedules view when owner is nil Quarantine flaky delete_job_spec:46 Create Geo event when project is created Fix bug with batched gitaly ref deletion duplicates 16.3.6 UBI: Explicitly add webrick gem to mailroom build Backport 16.3: Upgrade exiftool to 12.65 Fixes the 16-3-stable branch Backport to 16.3: Geo: Avoid getting resources stuck in Queued Updating To update GitLab, see the Update page. To update Gitlab Runner, see the Updating the Runner page. Receive Security Release Notifications To receive security release blog notifications delivered to your inbox, visit our contact us page. To receive release notifications via RSS, subscribe to our security release RSS feed or our RSS feed for all releases.

使用Spring Security很复杂吗？这是一个有关简化Spring 的简单用户管理框架/入门的开源工具：提供基于 Spring Security 的注册、登录、注销等功能。 这个小框架允许您使用properties.yml配置Spring Security，并为您提供一些简单的入门注册、登录、Google和Facebook注册/登录等... SpringUserFramework 是一个 Java Spring Boot 用户管理框架，旨在简化基于 Spring

It's been two years since we announced Email Routing, our solution to create custom email addresses for your domains and route incoming emails to your preferred mailbox. Since then, the team has worked hard to evolve the product and add more powerful features to meet our users' expectations.