Document issues related to emails and upgrades to 13.2
As we don't include a lot of security info in our docs, this plan is subject to change.
Problem to solve
Based on gitlab-com/www-gitlab-com#7942 (closed), we've done extensive work to protect the integrity of GitLab accounts.
We reported the User Email Verification Bypass issue in 13.0.1, ref https://about.gitlab.com/releases/2020/05/27/security-release-13-0-1-released/
At that time, "We strongly recommend that all installations running an affected version above are upgraded to the latest version as soon as possible."
For upgrades to 13.2, we know of a number of issues (to be added to this description).
Further details
Related issues, MRs:
- !36634 (merged)
- !35492 (merged)
- !37361 (merged)
- gitlab-com/www-gitlab-com!56840 (merged)
- !34818 (merged)
Proposal
Development work is complete; we need to document related issues during an upgrade to 13.2. For that purpose, I propose including a new page someplace like doc/user/upgrade_email_bypass.md. In that file, I suggest that we cover:
- Background, including the security notice, and possibly also the CVE
- Summary of how we've addressed the issue for 13.2
- List of issues that might arise during / after the upgrade for users
  - Issue 1, explanation, response
  - Issue 2, explanation, response
  - etc. (I expect 8)
Who can address the issue
As this should help people who are tasked with explaining the issue to our customers, IMO, it should be written for those readers, in other words, Support Engineers, Technical Account Managers and Self-Managed System Administrators. Ideally, it should be written by them.