Back to releases
Jun 19, 2014 - Jacob Vosmaer

Omnibus-gitlab security release: bundled Postgres trusts all local connections

Learn more about Omnibus GitLab Security Release: bundled Postgres trusts all local connections

Due to a configuration error, the PostgreSQL server that is bundled into omnibus-gitlab trusts all connections originating from the server omnibus-gitlab is running on. This has been rectified in omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition). We advise all users of omnibus-gitlab to update to the latest release.

Affected versions: all versions of omnibus-gitlab up to and including omnibus-gitlab 6.9.2.omnibus.1 (GitLab Community Edition) and 6.9.4-ee.omnibus (GitLab Enterprise Edition).

Not affected: Source and cookbook installations of GitLab (e.g. not using .deb or .rpm packages). Omnibus-gitlab installations which use an external DBMS are also not affected.

Fixed versions: omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition).

Releases

You can download the latest version of omnibus-gitlab for GitLab Community Edition or omnibus-gitlab for GitLab Enterprise Edition and follow the update instructions.

Impact

An attacker who can execute code on the server omnibus-gitlab runs on can get full superuser access to the bundled Postgres database which holds all GitLab metadata.

To see if your omnibus-gitlab installation is affected you can run the following command on your GitLab server.

sudo -u root /opt/gitlab/embedded/bin/psql -U gitlab-psql -d template1 -c '\echo connected to an insecure Postgres instance'

If the command echoes connected to an insecure Postgres instance your omnibus-gitlab installation is affected by this issue. If you receive an error message psql: FATAL: Peer authentication failed for user "gitlab-psql", your bundled Postgres service is secured.

Please contact us at support.gitlab.comif you have any questions.

More Posts Like This:

Upcoming GitLab.com narrow breaking changes to Secure Analyzers in GitLab 13.4

Our next release, 13.4, will include narrow breaking changes for our Secure scanning features. Find out how this could affect you and what you need to do.

Learn more

GitLab will extend package signing key expiration by one year

Our GPG key will now expire on July 1, 2021. Here's what you need to know.

Learn more

Artifact and job meta data expiration settings are changing for GitLab.com

Default expiration dates for job meta data and artifacts will change on June 22, 2020. Find out how this benefits all users of GitLab.com

Learn more

GitLab 14.4 released with Scheduled DAST scans and Integrated error tracking

GitLab 14.4 released with Scheduled on-demand DAST scans, Integrated error tracking, Remote Repositories for GitLab in Visual Studio Code, DevOps Adoption trend graph, GA for GitLab Operator and much more!

Learn more

GitLab Patch Release: 14.3.3

GitLab releases 14.3.3

Learn more

GitLab Patch Release: 14.3.2

GitLab releases 14.3.2

Learn more

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license
View page source — Edit in Web IDE — please contribute. Creative Commons License

Try GitLab risk-free for 30 days.

No credit card required. Have questions? Contact us.

Get Your Free Trial Today
Gitlab x icon svg