Yesterday OpenSSL 1.0.1g was released to address the 'Heartbleed' security vulnerability (CVE-2014-0160). We have just released new omnibus-gitlab packages that update the version OpenSSL embedded in the package to version 1.0.1g. We advise all users of omnibus-gitlab to upgrade immediately.
Versions affected
Affected versions: all omnibus-gitlab packages prior to 6.7.3.omnibus.3 or 6.7.2-ee.omnibus.2.
Fixed versions: 6.7.3.omnibus.3 (CE) and 6.7.2-ee.omnibus.2 (EE).
You can check you omnibus-gitlab version by running dpkg-query -W gitlab (Ubuntu) or rpm -q gitlab (CentOS).
Impact
OpenSSL is used in the existing packages for omnibus-gitlab to make outgoing connections to remote hosts for e.g. HTTPS resources. Because omnibus-gitlab uses its own embedded copy of OpenSSL, it is required to update omnibus-gitlab in addition to updating your OS's copy of OpenSSL.
Releases
Omnibus-gitlab 6.7.3.omnibus.3 (CE) is available at the download page. Omnibus-gitlab 6.7.2-ee.omnibus.2 is available for subscribers only.
Upgrade instructions can be found in the omnibus-gitlab repository.
We want to hear from you
Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.
Share your feedback