Security Advisory for GitLab related to CVE-2014-2525
A recently discovered vulnerability in ruby allows a specially crafted string to cause a heap overflow which can lead to arbitrary code execution.
We are not aware of this issue affecting GitLab.
We recommend keeping your system packages up-to-date.
All versions of GitLab using ruby 1.9.3-p0 and newer.
Because both GitLab and some of its dependencies use libyaml, it is theoretically possible that an attacker can use CVE-2014-2525 to remotely execute code on a server running GitLab.
We are currently not aware of any real-world exploits against GitLab which take advantage of CVE-2014-2525.
By keeping libyaml package up to date on your OS this vulnerability is resolved.
For example, on Ubuntu 12.04 run the following commands:
sudo apt-get update sudo apt-get upgrade sudo service gitlab reload
If your OS didn't release a package update you can compile libyaml 0.1.6 from source and then recompile ruby with path to new libyaml:
$ ./configure --with-yaml-dir=/path/to/libyaml
For more information see ruby security announcement.