Security Release of Omnibus-gitlab Due to CVE-2014-0160 (‘Heartbleed’)

Yesterday OpenSSL 1.0.1g was released to address the 'Heartbleed' security vulnerability (CVE-2014-0160). We have just released new omnibus-gitlab packages that update the version of OpenSSL embedded in the package to 1.0.1g. We advise all users of omnibus-gitlab to upgrade immediately.

Versions affected

Affected versions: all omnibus-gitlab packages prior to 6.7.3.omnibus.3 or 6.7.2-ee.omnibus.2.

Fixed versions: 6.7.3.omnibus.3 (CE) and 6.7.2-ee.omnibus.2 (EE).

You can check your omnibus-gitlab version by running dpkg-query -W gitlab (Ubuntu) or rpm -q gitlab (CentOS).

Impact

OpenSSL is used in the existing omnibus-gitlab packages to make outgoing connections to remote hosts, e.g. for HTTPS resources. Because omnibus-gitlab ships its own embedded copy of OpenSSL, updating your OS's copy of OpenSSL is not enough: omnibus-gitlab itself must be updated as well.

Releases

Omnibus-gitlab 6.7.3.omnibus.3 (CE) is available at the download page. Omnibus-gitlab 6.7.2-ee.omnibus.2 is available for subscribers only.

Upgrade instructions can be found in the omnibus-gitlab repository.

Security Advisory for GitLab Related to CVE-2014-2525

A recently discovered vulnerability in Ruby's YAML parsing (in the underlying libyaml library) allows a specially crafted string to cause a heap overflow, which can lead to arbitrary code execution.

We are not aware of this issue affecting GitLab.

We recommend keeping your system packages up-to-date.

Versions affected

All versions of GitLab using ruby 1.9.3-p0 and newer.

Impact

Because both GitLab and some of its dependencies use libyaml, it is theoretically possible that an attacker can use CVE-2014-2525 to remotely execute code on a server running GitLab.

We are currently not aware of any real-world exploits against GitLab which take advantage of CVE-2014-2525.

Workarounds

Keeping the libyaml package on your OS up to date resolves this vulnerability.

For example, on Ubuntu 12.04 run the following commands:

sudo apt-get update
sudo apt-get upgrade
sudo service gitlab reload

If your OS has not released a package update, you can compile libyaml 0.1.6 from source and then recompile Ruby, pointing it at the new libyaml: $ ./configure --with-yaml-dir=/path/to/libyaml

For more information, see the Ruby security announcement.
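As an added example (not GitLab's own code and not part of either advisory), the POSIX shell script below turns the version checks from the two advisories above into a small gate: it parses omnibus-gitlab version strings of the two forms named in the Heartbleed advisory, compares them against the fixed releases (6.7.3.omnibus.3 for CE, 6.7.2-ee.omnibus.2 for EE), and checks a libyaml version string against 0.1.6. All function and variable names are this example's own. The optional --live mode assumes the package is named gitlab and that its version field has the same shape as the strings in the advisory, and that the installed Ruby's psych extension exposes Psych::LIBYAML_VERSION; those are assumptions, so verify them on your own system.

```shell
#!/bin/sh
# Added example, not GitLab's code: version gate for CVE-2014-0160 (omnibus-gitlab)
# and CVE-2014-2525 (libyaml). Names and the --live helpers are this example's assumptions.

# Compare two dotted numeric versions; returns 0 when $1 >= $2 (missing parts count as 0).
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# Parse the omnibus-gitlab version forms used in the advisory into "<edition> <dotted numbers>":
#   6.7.3.omnibus.3    -> "ce 6.7.3.3"
#   6.7.2-ee.omnibus.2 -> "ee 6.7.2.2"
# Returns 1 for anything else.
omnibus_parse() {
    case "$1" in
        *-ee.omnibus.*) ed=ee; core="${1%%-ee.omnibus.*}"; build="${1##*-ee.omnibus.}" ;;
        *.omnibus.*)    ed=ce; core="${1%%.omnibus.*}";    build="${1##*.omnibus.}" ;;
        *) return 1 ;;
    esac
    # Reject anything that is not digits separated by single dots.
    case "$core.$build" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    echo "$ed $core.$build"
}

# 0 when the omnibus-gitlab version is at or above the fixed release for its edition
# (CE: 6.7.3.omnibus.3, EE: 6.7.2-ee.omnibus.2); 2 when the string cannot be parsed.
omnibus_is_fixed() {
    set -- $(omnibus_parse "$1")
    [ $# -eq 2 ] || return 2
    case "$1" in
        ce) version_ge "$2" 6.7.3.3 ;;
        ee) version_ge "$2" 6.7.2.2 ;;
    esac
}

# 0 when a libyaml version string is 0.1.6 or newer; 2 when it is not a dotted number.
libyaml_is_fixed() {
    case "$1" in ''|*[!0-9.]*) return 2 ;; esac
    version_ge "$1" 0.1.6
}

# Live queries (assumptions: package named "gitlab" with an advisory-shaped version field;
# a Ruby whose psych extension defines Psych::LIBYAML_VERSION). Only used with --live.
installed_omnibus_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' gitlab 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' gitlab 2>/dev/null
    fi
}
linked_libyaml_version() {
    ruby -rpsych -e 'puts Psych::LIBYAML_VERSION' 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    pkg_ver=$(installed_omnibus_version || :)
    if [ -z "$pkg_ver" ]; then
        echo "omnibus-gitlab: package not found"
    elif omnibus_is_fixed "$pkg_ver"; then
        echo "omnibus-gitlab $pkg_ver: embedded OpenSSL is 1.0.1g (CVE-2014-0160 fixed)"
    else
        echo "omnibus-gitlab $pkg_ver: unrecognised or below the fixed release; upgrade to 6.7.3.omnibus.3 (CE) or 6.7.2-ee.omnibus.2 (EE)"
    fi
    yaml_ver=$(linked_libyaml_version || :)
    if [ -z "$yaml_ver" ]; then
        echo "libyaml: could not query Psych::LIBYAML_VERSION"
    elif libyaml_is_fixed "$yaml_ver"; then
        echo "libyaml $yaml_ver: CVE-2014-2525 fixed"
    else
        echo "libyaml $yaml_ver: update the OS libyaml package, or build 0.1.6 and rebuild Ruby"
    fi
fi
```

Run it as `sh check.sh --live` to query the installed package and the libyaml that Ruby was linked against; without --live it only defines the functions, so it can be sourced from other scripts. The comparison is done numerically field by field rather than with string comparison, so 6.10 correctly sorts above 6.7.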

GitLab CE 6.7 Released!

screenshot

Hello everyone!

GitLab is open source software made for collaborative coding. Today we announce the release of a new version of GitLab Community Edition (CE), with new features, usability improvements and bug fixes. The most notable new feature is the addition of public group profiles (see screenshot above).

This release's most valuable person (MVP) is Jason Hollingsworth for contributing the public group profile feature.

Installing a Packaged GitLab With GitLab Omnibus Screencast

Some time ago, we released a packaged version of GitLab for super fast and easy installation using Omnibus. To show how easy it is to use GitLab Omnibus and to help you get started with building your own GitLab packages, we created this screencast. It covers:

  • Installing GitLab in minutes using an omnibus package
  • Configuring your omnibus GitLab
  • Creating your own package
  • Provisioning your own package
  • Setting up LDAP on GitLab omnibus

Testdriving GitLab

If you want to give GitLab a quick testdrive, there are several options available to you. We show you the easiest ways in our latest screencast:

Moving to GitLab.com

We are moving the gitlab.org website and this blog to www.gitlab.com and www.gitlab.com/blog. All the content is preserved and all the blog articles still have their comments intact. www.gitlab.com will have a single blog with all our blog posts, served over https.

The reason for this move is that keeping both sites up to date was causing a lot of duplicate work. Both sites were being updated by the same group of people, Dmitriy and the rest of the GitLab.com team.

Also, the complete website is in a public repo so that you can fork it and send merge requests with improvements.

GitLab CI 4.3 Released

Hi everyone!

As you know, GitLab CI is a continuous integration server. It integrates with your GitLab installation and runs tests for your projects.

Today we release a new version of GitLab CI.

The main purpose of this release is to improve the UI/UX of the application. It also includes the latest Rails version with security updates.


Issues and Merge Requests in GitLab Screencast

GitLab has a very powerful issue tracker that integrates completely with the GitLab workflow, allowing you to reference and even close issues with commits. On top of that, you can easily comment on someone's code line by line, integrate GitLab CI, reference collaborators, vote for or against merge requests and much more. We are excited to show you some of the possibilities in our new screencast.

Case Study 360i Transitions to GitLab

360i, the increasingly successful digital media company from the US, agreed to spend some time with us and explain how they're transitioning to GitLab. You can read the case study here.

While moving away from SVN, they chose GitLab because it was the most cost-effective in-house solution. As it turns out, GitLab did more than just eliminate the frustrations of breaking code and of ever-increasing storage space. It also improved collaboration between developers and encouraged them to dig into the source code and come up with customizations.

Special thanks to Keith Harris for providing a first-hand account of his experience with GitLab.