Jul 10, 2015 - Jacob Vosmaer

Omnibus packages with OpenSSL 1.0.1p

We have just released new Omnibus packages for GitLab Community Edition, GitLab Enterprise Edition and GitLab Continuous Integration. These new packages contain an OpenSSL security update.

Yesterday a new version of OpenSSL was released to address security vulnerability CVE-2015-1793. This vulnerability, present in OpenSSL 1.0.1n and 1.0.1o, allows an attacker to trick an SSL client into accepting an untrusted server certificate. This OpenSSL issue affects the Omnibus packages for GitLab 7.12 and newer because they contain OpenSSL 1.0.1o. Older GitLab packages contain older versions of OpenSSL which are not affected by this particular issue. This issue only affects outgoing SSL connections initiated by GitLab, such as webhooks and 'git clone' repository imports, where GitLab is the SSL client verifying the remote certificate. Incoming HTTPS requests are not affected, because a server only verifies a certificate chain when it checks client-side SSL certificates, which is very uncommon.

If you installed GitLab from source, you need to check whether the OpenSSL version provided by your operating system is affected. Omnibus users should upgrade to the 7.12.2-omnibus.1 packages and run sudo gitlab-ctl restart so that all running services pick up the updated OpenSSL library.
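The version check mentioned above, as an added example that is not part of the original post: a small POSIX sh script that classifies an "openssl version" banner against the CVE-2015-1793 range and reports on a given binary. The Omnibus path /opt/gitlab/embedded/bin/openssl used in the comments is an assumption about the package layout, not something stated in the post.

```shell
#!/bin/sh
# Added example, not code from the GitLab post: decide whether an OpenSSL
# version banner falls in the CVE-2015-1793 range. The post names 1.0.1n and
# 1.0.1o; the upstream OpenSSL advisory also lists 1.0.2b and 1.0.2c. Fixed
# releases are 1.0.1p and 1.0.2d.
#
# Caveat: distributions frequently backport fixes without bumping the version
# string, so a match means "confirm with the vendor's package changelog",
# not "proven vulnerable".

# Returns 0 when the banner (e.g. "OpenSSL 1.0.1o 12 Jun 2015") names an
# affected release, 1 otherwise. Suffixes such as "1.0.1o-fips" still match.
openssl_affected_by_cve_2015_1793() {
    set -- $1                          # split the banner on whitespace
    [ "$1" = "OpenSSL" ] || return 1   # LibreSSL and others are out of scope
    case "$2" in
        1.0.1[no]*|1.0.2[bc]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints a short verdict for a banner: "affected-version" or "not-affected".
cve_2015_1793_verdict() {
    if openssl_affected_by_cve_2015_1793 "$1"; then
        echo "affected-version"
    else
        echo "not-affected"
    fi
}

# Runs "<binary> version" and reports. Defaults to the openssl on PATH, which
# is what a from-source GitLab install links against. For Omnibus, pass the
# bundled binary instead; /opt/gitlab/embedded/bin/openssl is an assumed
# location, not one stated in the post.
report_openssl_binary() {
    bin=${1:-openssl}
    if ! banner=$("$bin" version 2>/dev/null); then
        echo "$bin: could not run '$bin version'"
        return 0
    fi
    echo "$bin: $banner -> $(cve_2015_1793_verdict "$banner")"
}

report_openssl_binary "${1:-openssl}"
# e.g. sh check_openssl.sh /opt/gitlab/embedded/bin/openssl
```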

Please see our Update page for update instructions. Coming from 7.12.x, this upgrade requires a short downtime because of the gitlab-ctl restart.

For the latest and most detailed news, follow @gitlab on Twitter.
