Please run "apt-get upgrade" on your AMIs
The GitLab EE AMIs are missing many updates from Ubuntu.
Would you please consider running "apt-get upgrade" prior to releasing them?
e.g. today (6-Mar-2020) I loaded up the 12.8.2 GitLab EE AMI. 12.8.2 was released two days ago.
The AMI is missing security updates going back over 3 years, such as a fix for CVE-2016-0634 in bash and CVE-2016-7076 in sudo.
There are also updates for various tools, notably cloud-init, which has moved on from 0.7.8-49-g9e904bb-0ubuntu1~16.04.3 to 19.4-33-gbb4131a2-0ubuntu1~16.04.1, bringing many updates along the way. It is possible (although I haven't checked) that transient EC2 credentials make it into your image due to https://bugs.launchpad.net/cloud-init/+bug/1638312 which was fixed back in March 2017.
Like any good user, I apply these fixes when consuming the AMI internally, but your users will be safer (and far more importantly, I will be saved some time) if you were to apply these fixes prior to releasing the AMI.
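
One way to check an image for the gap described in this issue before release, as an added example that is not part of the original report or of GitLab's build tooling: it parses the output of a simulated `apt-get -s upgrade` and fails when anything is still pending. The function names are hypothetical, and the sample output is constructed (only the cloud-init versions come from the issue).

```shell
#!/usr/bin/env bash
# Pre-release check for an image build (added example; helper names are hypothetical).
# Real use, after `apt-get update`:  apt-get -s upgrade | release_gate
# (-s only simulates the upgrade; nothing is installed.)

# Print "package installed candidate pocket" for each pending upgrade on stdin.
pending_upgrades() {
    awk '$1 == "Inst" && $3 ~ /^\[/ {
        installed = $3; sub(/^\[/, "", installed); sub(/\]$/, "", installed)
        candidate = $4; sub(/^\(/, "", candidate)
        pocket = ($0 ~ /\/[^ ]*-security/) ? "security" : "other"
        print $2, installed, candidate, pocket
    }'
}

# Count pending upgrades from one pocket ($1) in pending_upgrades output.
count_pocket() {
    awk -v p="$1" '$4 == p { n++ } END { print n + 0 }'
}

# Succeed only when the simulated upgrade on stdin has nothing left to install.
release_gate() {
    if pending_upgrades | grep -q .; then
        return 1
    fi
    return 0
}

# Constructed sample of `apt-get -s upgrade` output. The cloud-init versions are
# the ones quoted in the issue; bash/sudo versions and all pockets are made up.
sample_output() {
    cat <<'EOF'
Calculating upgrade...
The following packages will be upgraded:
  bash cloud-init sudo
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst bash [0.0-old] (0.0-new Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst sudo [0.0-old] (0.0-new Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
Inst cloud-init [0.7.8-49-g9e904bb-0ubuntu1~16.04.3] (19.4-33-gbb4131a2-0ubuntu1~16.04.1 Ubuntu:16.04/xenial-updates [all])
Conf bash (0.0-new Ubuntu:16.04/xenial-updates, Ubuntu:16.04/xenial-security [amd64])
EOF
}

sample_output | pending_upgrades
echo "security upgrades pending: $(sample_output | pending_upgrades | count_pocket security)"
```
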