NETWAYS takes the security of its hosted customer environments seriously, so we too could not avoid the security update in the GitLab Community Edition and Enterprise Edition versions.
In mid-March GitLab announced publicly that it had come across a security vulnerability in both the Community and the Enterprise Edition. It is said to be a so-called Server Side Request Forgery (SSRF), which among other things can give attackers access to the local network. GitLab has now solved this problem with a software update and by adding the option "Allow requests to the local network from hooks and services", which is disabled by default and thus prevents the software from accessing the local network.
Updating to a newer version is a good solution for many users, but only if they do not use webhooks or services that target the local network. Because if the webhooks and services suddenly stop working and neither the admin nor the user knows that the box for the option above has to be ticked, the troubleshooting begins.
Conclusion: Anyone who absolutely depends on webhooks and the like will, for better or worse, have to live with the security vulnerability for the time being.
The fix was included in the following GitLab CE and EE versions: 10.5.6 / 10.4.6 / 10.3.9. A complete overview of releases can be found here: GitLab Release
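One way to find, before upgrading, the webhooks that the disabled-by-default option would cut off. This is an added example, not code from the original post or from GitLab: it flags hook URLs whose target is loopback, private or link-local, which is an assumed reading of "local network", and the host names, addresses and the `audit_hooks` helper are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

def resolve(host):
    """Default resolver: every address the host name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def is_local(addr):
    """Assumed meaning of 'local network': loopback, private or link-local."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:10.0.0.1 -> 10.0.0.1
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit_hooks(urls, resolver=resolve):
    """Return {url: reason} for hook URLs that point into the local network."""
    findings = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None:
            findings[url] = "unparsable URL"
            continue
        try:
            addrs = [str(ipaddress.ip_address(host))]  # literal IP in the URL
        except ValueError:
            try:
                addrs = resolver(host)  # a public-looking name may still be local
            except OSError:
                findings[url] = "host does not resolve"
                continue
        local = [a for a in addrs if is_local(a)]
        if local:
            findings[url] = "local target: " + ", ".join(local)
    return findings

# Constructed sample data: hook URLs and a fixed name -> address table.
SAMPLE_DNS = {"jenkins.intern.example": ["10.20.0.15"],
              "hooks.example.com": ["93.184.216.34"]}
SAMPLE_HOOKS = ["http://jenkins.intern.example:8080/project/app",
                "https://hooks.example.com/notify",
                "http://127.0.0.1:8080/hook",
                "http://[::1]:3000/hook",
                "http://192.168.1.10/deploy"]

def sample_resolver(host):
    return SAMPLE_DNS[host]

if __name__ == "__main__":
    for url, reason in audit_hooks(SAMPLE_HOOKS, sample_resolver).items():
        print(f"{url}  ->  {reason}")
```

Hooks reported here are the ones that stop working after the update unless the option is enabled for the instance.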
Managed Hosting at NETWAYS – GitLab CE and GitLab EE
NETWAYS Web Services – 30 days of free testing of GitLab CE and GitLab EE
Since last week, our GitLab CE and GitLab EE instances have been able to use Let’s Encrypt for SSL encryption. As an owner of one of our instances, you can use Let’s Encrypt simply by activating it in your product view on our NWS platform.
With this, you can now use your own domain without needing an existing SSL certificate. If you already have an SSL certificate active and want to test Let’s Encrypt, you can do so. Your active certificate will be stored and will be activated again as soon as you deactivate the SSL encryption with Let’s Encrypt.
In the screenshot below, you can see an example of how it looks in the product view. Activation and deactivation will always require a restart of your instances, since these are major configuration changes to your container.
If you are interested in one of our instances, just have a look at nws.netways.de! We have many more open-source apps available, such as Rocket.Chat, RT or Nextcloud, and are currently working on some new features/apps.
In November, we had our international Open Source Monitoring Conference, for which Markus announced the last tickets. Julia blogged live OSMC news, and Michael explained how to replace spaces with tabs in Visual Studio 2017, while Dirk told us about Custom Datatypes in Puppet.
Nicole always brings something interesting every month; this time she showed some NETWAYS Web Services: GitLab EE and connect to your own Domain! Noah explained Icinga 2 – CA Proxy, Christoph brought some creative stuff in “Unusual Surveillances” and Isabel shared some news on the SMSEagle.
Later in November, Dirk shared his impressions of OSMC day 1 and 2 as well as the news from the Hackathon on the last day of OSMC. Keya announced the Call for Papers for the Open Source Data Center Conference and last but not least, Philipp shared exciting news from the NETWAYS Startupdays, before the Christmas month at NETWAYS starts.
The NETWAYS Web Services Team is proud to announce the arrival of a new product: Customers can now have their GitLab EE instances hosted on our NWS platform.
Version control has become one of the most important aspects of everyday work life and has gone far beyond being only used by development teams. Many more use cases for version control have been created so far and are still to come. Even small teams are already using GitLab CE for controlling their workflows which is one of our reasons to offer this software as a hosted product.
After realizing that many users needed higher performance to increase their productivity, we decided to add GitLab EE to our portfolio, as it offers many more options and features than the CE version, without customers having to take care of the underlying hardware and software layers needed for running the application.
The process of hosting GitLab EE with us is almost as simple and comfortable as with all our other products: create an NWS account, choose a product and get started. GitLab EE is a small exception, as it is an Enterprise product and customers therefore need to provide a license acquired from GitLab. You can be sure that all features included in your license will be available in your NWS container right from the start.
This license is the only aspect the customer needs to take care of. NWS will provide all the comfort our customers already know from our other products, like maintenance work, updates, patches and a stable and well-monitored platform underneath.
All those who do not want to worry about their version control should take a look at our attractive and scalable plans as well as individually sized solutions for hosting GitLab EE. More information can be found on our NWS homepage, in our GitLab EE section or by contacting us via the NWS livechat.
Important note: All NWS products are up for a 30 day free trial!
In August, Johannes Meyer began with an overview of some future GitHub topics and Lennart continued with part 6 of Icinga 2 Best Practice.
Julia said thank you to our OSBConf Sponsors, while Georg wrote not one, not two, but three articles on simplifying SSL certificates!
Then Alex shared his happiness to be a Mac user now and Dirk reviewed the Foreman Birthday Bash!
On events, Julia announced the program for the Open Source Monitoring Conference, continued with the second reason to join the OSBConf and started the OSMC blog series “Stay tuned!”.
Later in August, Isabel presented the ConiuGo Modem and showed the advantages of the Braintower SMS Gateway.
Towards the end of August, Enrico started a blog series on Cloud Management and Gunnar told us about SSH authentication with GnuPG and smart cards.