Yesterday the developers of Ruby on Rails released a security advisory for parameter injection vulnerability CVE-2014-3514. GitLab is not affected by this vulnerability.
CVE-2014-3514 affects applications which pass unsanitized user input to the ActiveRecord
create_with method. GitLab 7.1 nor its dependencies use
create_with. GitLab 7.2 (to be released) does use
create_with in two locations, but neither of those two call sites passes user input to the method.
We would like to thank Robert Schilling and Jeroen van Baarsen of the GitLab core team for their assistance in investigating this issue.
Please contact us at firstname.lastname@example.org if you have any questions about this issue.