Critical Security Alert - Expose latest stable patch outside 3 minor versions
What / Why
Customer raised concern: #387719 (comment 1728348297)
When a customer is more than 3 minor versions behind the latest release and a critical security vulnerability is disclosed, they are shown a pop-up informing them. We only list the last 3 stable minor versions, so the customer is presented with an alert that makes it appear they need a more intensive upgrade than is actually required.
In the screenshot below there is an available patch on 16.3.7, but the customer only sees 16.5.7 as the lowest available upgrade, which for them could be a major effort.
Proposal
Thank you @leipert for the effort breaking this down!
Version Check (API) Changes
Update API to include latest_version_of_your_minor
{
"latest_stable_versions": [
"16.7.2",
"16.6.4",
"16.5.6"
],
+ "latest_version_of_your_minor": "16.3.7",
"latest_version": "16.7.2",
"severity": "danger",
"critical_vulnerability": true,
"details": ""
}
Only populate this key when both of the following hold (thank you @lstahlman):
- The current minor version is not in the list of supported versions
- The latest patch for the current minor version is not itself vulnerable
GitLab (UI) Changes
Update the UI to check for the new key latest_version_of_your_minor in the response and, if it is present, show it in the pop-up alert.
You are currently on version 16.9.0! We strongly recommend upgrading your GitLab installation to one of the following versions immediately: 16.12.3, 16.11.5, 16.10.7.
Additionally, there is an available stable patch on your current GitLab minor version: 16.9.2
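The two sides of the proposal above (the API deciding when to emit latest_version_of_your_minor, and the UI appending the extra sentence only when the key is present) as one runnable example. This is added illustration, not GitLab's Version Check code; the function names and the per-minor patch table are assumptions, and the sample data is constructed.

```ruby
# Added example (not GitLab's own code): when to populate the proposed
# latest_version_of_your_minor key, and how the alert text would use it.

# Constructed sample: latest released patch per minor series and whether
# that patch is itself still affected by the critical vulnerability.
LATEST_PATCH_PER_MINOR = {
  '16.3' => { 'version' => '16.3.7', 'vulnerable' => false },
  '16.4' => { 'version' => '16.4.5', 'vulnerable' => true },
  '16.5' => { 'version' => '16.5.6', 'vulnerable' => false }
}.freeze

def minor_of(version)
  version.split('.').first(2).join('.')
end

# Returns the latest safe patch for the customer's own minor, or nil when
# the key must be omitted: the minor is still among the supported stable
# versions, or the latest patch for that minor is itself vulnerable.
def latest_version_of_your_minor(current, latest_stable_versions, patches = LATEST_PATCH_PER_MINOR)
  minor = minor_of(current)
  return nil if latest_stable_versions.any? { |v| minor_of(v) == minor }
  entry = patches[minor]
  return nil if entry.nil? || entry['vulnerable']
  entry['version']
end

# API side: build the Version Check response, adding the key only when allowed.
def build_response(current, latest_stable_versions)
  resp = {
    'latest_stable_versions' => latest_stable_versions,
    'latest_version' => latest_stable_versions.first,
    'severity' => 'danger',
    'critical_vulnerability' => true,
    'details' => ''
  }
  own = latest_version_of_your_minor(current, latest_stable_versions)
  resp['latest_version_of_your_minor'] = own if own
  resp
end

# UI side: append the extra sentence only when the key exists in the response.
def alert_message(current, response)
  msg = "You are currently on version #{current}! We strongly recommend upgrading " \
        "your GitLab installation to one of the following versions immediately: " \
        "#{response['latest_stable_versions'].join(', ')}."
  own = response['latest_version_of_your_minor']
  msg += " Additionally, there is an available stable patch on your current GitLab minor version: #{own}" if own
  msg
end
```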
Considerations
Version Check relies on a complicated Reactive Cache implementation. We will want to ensure there are no nuances to getting the new data key into the cache.
Additionally, we will want to explore backporting this change if possible; otherwise we won't see any benefit from it for 3+ minor versions.