Apr 7, 2014 - Marin Jankovski

Security Advisory for GitLab related to CVE-2014-2525

A recently discovered vulnerability in ruby allows a specially crafted string to cause a heap overflow which can lead to arbitrary code execution.

We are not aware of this issue affecting GitLab.

We recommend keeping your system packages up-to-date.

Versions affected

All versions of GitLab using ruby 1.9.3-p0 and newer.

Impact

Because both GitLab and some of its dependencies use libyaml, it is theoretically possible that an attacker can use CVE-2014-2525 to remotely execute code on a server running GitLab.

We are currently not aware of any real-world exploits against GitLab which take advantage of CVE-2014-2525.

Workarounds

Keeping the libyaml package on your OS up to date resolves this vulnerability.

For example, on Ubuntu 12.04 run the following commands:

sudo apt-get update
sudo apt-get upgrade
sudo service gitlab reload

If your OS has not released a package update, you can compile libyaml 0.1.6 from source and then recompile ruby with the path to the new libyaml:

$ ./configure --with-yaml-dir=/path/to/libyaml
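To confirm which libyaml the ruby on your GitLab host actually loads after either workaround, here is an added check script (not part of the GitLab advisory); it assumes the host's ruby has psych available, which holds for 1.9.3 and newer, and treats upstream 0.1.6 as the first fixed release.

```ruby
# Added check (not from GitLab's advisory): report which libyaml the
# running ruby is linked against and whether it is at least 0.1.6, the
# upstream release that fixes CVE-2014-2525.
require 'psych'
require 'rubygems' # for Gem::Version

# First upstream libyaml release containing the fix for CVE-2014-2525.
FIXED_LIBYAML_VERSION = '0.1.6'.freeze

# Compare dotted version strings numerically, so "0.1.10" >= "0.1.6"
# (a plain string comparison would get that wrong).
def libyaml_fixed?(version, fixed = FIXED_LIBYAML_VERSION)
  Gem::Version.new(version) >= Gem::Version.new(fixed)
end

# Version string of the libyaml that psych (ruby's YAML parser) is using.
def running_libyaml_version
  Psych::LIBYAML_VERSION
end

# Human-readable verdict for the running interpreter.
# Caveat: distributions commonly backport security fixes without changing
# the upstream version number (Ubuntu 12.04's patched libyaml still reports
# 0.1.4), so "older than 0.1.6" means "check your distro package changelog",
# not "definitely vulnerable".
def report
  v = running_libyaml_version
  status = if libyaml_fixed?(v)
             'fixed upstream (>= 0.1.6)'
           else
             'older than 0.1.6; verify your distro shipped a backported fix'
           end
  "ruby #{RUBY_VERSION} uses libyaml #{v}: #{status}"
end

puts report if __FILE__ == $PROGRAM_NAME
```

Run it with the same ruby binary that serves GitLab (e.g. as the git user), otherwise you may be inspecting a different interpreter than the one the application uses.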

For more information see the ruby security announcement.
