Jun 19, 2014 - Jacob Vosmaer

Omnibus-gitlab security release: bundled Postgres trusts all local connections

Learn more about Omnibus GitLab Security Release: bundled Postgres trusts all local connections

Due to a configuration error, the PostgreSQL server that is bundled into omnibus-gitlab trusts all connections originating from the server omnibus-gitlab is running on. This has been rectified in omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition). We advise all users of omnibus-gitlab to update to the latest release.

Affected versions: all versions of omnibus-gitlab up to and including omnibus-gitlab 6.9.2.omnibus.1 (GitLab Community Edition) and 6.9.4-ee.omnibus (GitLab Enterprise Edition).

Not affected: Source and cookbook installations of GitLab (e.g. not using .deb or .rpm packages). Omnibus-gitlab installations which use an external DBMS are also not affected.

Fixed versions: omnibus-gitlab 6.9.2.omnibus.2 (GitLab Community Edition) and 6.9.4-ee.omnibus.1 (GitLab Enterprise Edition).

Releases

You can download the latest version of omnibus-gitlab for GitLab Community Edition or omnibus-gitlab for GitLab Enterprise Edition and follow the update instructions.

Impact

An attacker who can execute code on the server omnibus-gitlab runs on can get full superuser access to the bundled Postgres database which holds all GitLab metadata.

To see if your omnibus-gitlab installation is affected you can run the following command on your GitLab server.

sudo -u root /opt/gitlab/embedded/bin/psql -U gitlab-psql -d template1 -c '\echo connected to an insecure Postgres instance'

If the command echoes connected to an insecure Postgres instance your omnibus-gitlab installation is affected by this issue. If you receive an error message psql: FATAL: Peer authentication failed for user "gitlab-psql", your bundled Postgres service is secured.

Please contact us at support.gitlab.comif you have any questions.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source