Yesterday the developers of Ruby on Rails released a security advisory for the file existence disclosure vulnerability CVE-2014-7818. GitLab is not affected by this vulnerability.
CVE-2014-7818 affects Rails applications which have the config.serve_static_assets = true setting. GitLab is shipped with config.serve_static_assets set to false in config/environments/production.rb because it lets NGINX (or Apache) serve static files.
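One way to check a Rails environment file for this setting, as an added example that is not GitLab's or Rails' own code. The function name, the state labels and the sample file contents are assumptions constructed for illustration:

```ruby
# Added example: report the effective config.serve_static_assets value
# found in the text of a Rails environment file.

# Captures the right-hand side of the assignment, minus a trailing comment.
SETTING = /^\s*config\.serve_static_assets\s*=\s*(.+?)\s*(?:#.*)?$/

# Returns :enabled, :disabled, :dynamic (value is not a literal) or :unset.
# The last uncommented assignment wins, as it does when Ruby runs the file.
def serve_static_assets_state(source)
  state = :unset
  source.each_line do |line|
    next if line.lstrip.start_with?("#") # skip commented-out settings
    m = SETTING.match(line)
    next unless m
    state = case m[1]
            when "true"  then :enabled   # the configuration the advisory covers
            when "false" then :disabled  # static files left to NGINX or Apache
            else :dynamic                # e.g. read from ENV; review by hand
            end
  end
  state
end

# Constructed sample: static files are served by the front-end web server.
SAMPLE_PROXY_SERVED = <<~CONFIG
  Rails.application.configure do
    # config.serve_static_assets = true
    config.serve_static_assets = false
  end
CONFIG

# Constructed sample: a later line turns the setting back on.
SAMPLE_RAILS_SERVED = <<~CONFIG
  Rails.application.configure do
    config.serve_static_assets = false
    config.serve_static_assets = true  # re-enabled for a local test
  end
CONFIG

if __FILE__ == $0
  # Usage: ruby check.rb config/environments/production.rb
  ARGV.each do |path|
    puts "#{path}: #{serve_static_assets_state(File.read(path))}"
  end
end
```

A result of :enabled or :dynamic means the file needs a closer look; :disabled or :unset only describes that one file, so check every environment file the application loads.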
Please contact us at firstname.lastname@example.org if you have any questions about this issue.