---
title: "Security Advisory for GitLab related to CVE-2014-2525"
date: 2014-04-07 13:58:46 +0200
categories: releases
author: Marin Jankovski
---

# Security Advisory for GitLab related to CVE-2014-2525

A recently discovered [vulnerability in ruby](https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525) allows a specially crafted string to cause a heap overflow which can lead to arbitrary code execution.

We are not aware of this issue affecting GitLab.

We recommend keeping your system packages up-to-date.


### Version affected

All versions of GitLab using ruby 1.9.3-p0 and newer.


### Impact

Because both GitLab and some of its dependencies use libyaml, it is theoretically possible for an attacker to use CVE-2014-2525 to remotely execute code on a server running GitLab.

We are currently not aware of any real-world exploits against GitLab which take advantage of CVE-2014-2525.


### Workarounds

Keeping the libyaml package on your OS up to date resolves this vulnerability.

For example, on Ubuntu 12.04 run the following commands:

```
sudo apt-get update
sudo apt-get upgrade
sudo service gitlab reload
```

If your OS has not released a package update, you can compile [libyaml 0.1.6](http://pyyaml.org/download/libyaml/yaml-0.1.6.tar.gz) from source and then recompile ruby with the path to the new libyaml: `$ ./configure --with-yaml-dir=/path/to/libyaml`
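After either workaround, it is worth confirming which libyaml the Ruby that runs GitLab is actually linked against, since a package upgrade or a recompile can leave an old copy in use. The check below is an added example, not code from the original advisory or from GitLab; it assumes you run it with the same Ruby that GitLab uses and treats libyaml 0.1.6 (the release named above) as the minimum fixed version.

```ruby
require 'rubygems'
require 'psych'

# Minimum libyaml release that fixes CVE-2014-2525, as named in the advisory.
FIXED_LIBYAML = Gem::Version.new('0.1.6')

# Returns true when the given libyaml version string (e.g. "0.1.4") is at
# least 0.1.6. Gem::Version handles multi-digit components correctly, so a
# plain string comparison (which would rank "0.1.10" below "0.1.6") is avoided.
def libyaml_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_LIBYAML
end

# Reports on the libyaml that this Ruby's Psych is linked against.
# Psych::LIBYAML_VERSION is the version string Psych records at build time;
# if it is missing, this Ruby is not using Psych (or it failed to load), so
# the result cannot be determined from here and :fixed is reported as nil.
def check_running_ruby
  unless defined?(Psych::LIBYAML_VERSION)
    return { libyaml: nil, fixed: nil,
             note: 'Psych::LIBYAML_VERSION not defined; check YAML engine' }
  end

  version = Psych::LIBYAML_VERSION
  { libyaml: version, fixed: libyaml_fixed?(version) }
end

if __FILE__ == $PROGRAM_NAME
  result = check_running_ruby
  puts "libyaml in use: #{result[:libyaml].inspect}"
  puts "patched for CVE-2014-2525 (>= 0.1.6): #{result[:fixed].inspect}"
  puts result[:note] if result[:note]
end
```

Run it as the GitLab service user from the application directory so it picks up the same Ruby and libyaml as the running service.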

For more information see [ruby security announcement](https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525).