Yesterday the developers of Ruby on Rails released a security advisory for file existence disclosure vulnerability CVE-2014-7818. GitLab is not affected by this vulnerability.

Background

CVE-2014-7818 affects Rails applications which have the config.serve_static_assets = true setting. GitLab is shipped with config.serve_static_assets set to false in config/environments/production.rb because it lets NGINX (or Apache) serve static files.

Please contact us at support.gitlab.comif you have any questions about this issue.

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try the GitLab DevOps Platform for free for 30 days

Achieve higher productivity, faster and secure deployments

Start your free trial Maybe later