Apr 15, 2015 - Jacob Vosmaer  

GitLab 7.9.4 security release

Learn more about GitLab Release 7.9.4 for GitLab Community Edition (CE) and Enterprise Edition (EE)

We have just released GitLab 7.9.4 which fixes an unrestricted local repository import vulnerability. Additionally, this version addresses LDAP group synchronization problems in GitLab Enterprise Edition and a bug that would prevent more than 25 commit messages from being loaded in the file browser.

Unrestricted local repository import vulnerability

GitLab allows users to import an existing repository when creating a new project using git clone. Insufficient sanitization of user input made it possible for an attacker with the rights to create new projects to clone any git repository on disk accessible to the git user on the GitLab server. If the attacker could guess the path on disk to a Git repository they could clone it, allowing them to read Git data that they perhaps should not have access to. An attacker needs to be authenticated as a GitLab user and to have the right to create new projects to exploit this vulnerability.

Versions affected: GitLab Community Edition 7.9.3 and older, GitLab Enterprise Edition 7.9.3 and older.

See below for update instructions.

LDAP group synchronization problems (Enterprise Edition only)

We have recently discovered an incompatibility between the support for multiple LDAP servers (added in GitLab EE 7.4) and the support for multiple identities per user (e.g. LDAP, OAuth, Kerberos, added in GitLab 7.6). This incompatibility causes the gradual introduction of invalid data into the SQL database, which in turn causes LDAP group synchronization to stop working. In GitLab 7.9.4 we have made application code changes to avoid this problem in the future. When you upgrade to GitLab 7.9.4 or newer any existing invalid data related to this issue is automatically purged and corrected.

Other fixes

GitLab 7.9.4 also fixes an issue where not all commit messages would get displayed in the file browser.

Upgrade barometer

We recommend shutting down your GitLab instance before upgrading to 7.9.4 because this release includes database migrations. The migrations themselves run very quickly.


Omnibus packages for GitLab 7.9.4 can be found via our downloads page.

For installations from source, use this guide.

Interested in GitLab Enterprise Edition? For an overview of feature exclusive to GitLab Enterprise Edition please have a look at the features exclusive to GitLab EE.

Access to GitLab Enterprise Edition is included with a subscription.

We want to hear from you

Enjoyed reading this blog post or have questions or feedback? Share your thoughts by creating a new topic in the GitLab community forum.

Share your feedback

Take GitLab for a spin

See what your team could do with The DevSecOps Platform.

Get free trial

Have a question? We're here to help.

Talk to an expert
Edit this page View source