Although the preferred way to install GitLab is to use our omnibus
packages, you can also install GitLab Community Edition or
Enterprise Edition 'from source'. If you used this installation method, and if
you compiled Git from source in the process then please check whether your Git
version defends against Git vulnerability CVE-2014-9390. This issue does not
apply to our Omnibus packages (DEB or RPM).
Although GitLab itself is not affected by
CVE-2014-9390,
a GitLab server may be used to deliver 'poisoned' Git repositories to users on
vulnerable systems. Upgrading Git on your GitLab server stops users from
pushing poisoned repositories to your GitLab server.
Due to an oversight, the guide for installing GitLab from
source
still contained instructions telling administrators to install Git 2.1.2 if the
version of Git provided by their Linux distribution was too old. Git 2.1.2 does
not defend against CVE-2014-9390.
If your GitLab server uses /usr/local/bin/git please check your Git version
using the instructions in this upgrade
guide.
