Oct 31, 2014 - Jacob Vosmaer

GitLab not affected by Rails vulnerability CVE-2014-7818

Yesterday the developers of Ruby on Rails released a security advisory for file existence disclosure vulnerability CVE-2014-7818. GitLab is not affected by this vulnerability.

Background

CVE-2014-7818 affects Rails applications which have the config.serve_static_assets = true setting. GitLab is shipped with config.serve_static_assets set to false in config/environments/production.rb because it lets NGINX (or Apache) serve static files.

Please contact us at support@gitlab.com if you have any questions about this issue.

For the latest and most detailed news follow @gitlab on Twitter. Future blog posts suggestions.

Install GitLab in 2 minutes

With Ubuntu, Debian, CentOS and Raspbian packages or from source

Install GitLab Now

Try GitLab Enterprise Edition risk-free for 30 days.

No credit card required. Have questions? Contact us.