Apr 8, 2014 - Jacob Vosmaer

Security Release of omnibus-gitlab due to CVE-2014-0160 ('Heartbleed')

Yesterday OpenSSL 1.0.1g was released to address the 'Heartbleed' security vulnerability (CVE-2014-0160). We have just released new omnibus-gitlab packages that update the version of OpenSSL embedded in the package to 1.0.1g. We advise all users of omnibus-gitlab to upgrade immediately.

Versions affected

Affected versions: all omnibus-gitlab packages prior to 6.7.3.omnibus.3 or 6.7.2-ee.omnibus.2.

Fixed versions: 6.7.3.omnibus.3 (CE) and 6.7.2-ee.omnibus.2 (EE).

You can check your installed omnibus-gitlab version by running dpkg-query -W gitlab (Ubuntu) or rpm -q gitlab (CentOS).

Impact

OpenSSL is used in the existing omnibus-gitlab packages to make outgoing connections to remote hosts, e.g. to fetch HTTPS resources. Because omnibus-gitlab ships its own embedded copy of OpenSSL, updating your OS's copy of OpenSSL does not fix this copy: you must upgrade omnibus-gitlab as well.

Releases

Omnibus-gitlab 6.7.3.omnibus.3 (CE) is available at the download page. Omnibus-gitlab 6.7.2-ee.omnibus.2 (EE) is available for subscribers only.

Upgrade instructions can be found in the omnibus-gitlab repository.
