Update to GitLab for CVE-2014-9390?

J at DS

Are we going to see an update that includes GitLab's update to mitigate security vulnerability CVE-2014-9390 soon?

GitLab Notice: https://about.gitlab.com/2014/12/24/gitlab-update-for-git-vulnerability/

TurnKey GitLab Release Note: http://www.turnkeylinux.org/updates/gitlab


Jeremy Davis

But according to my research this vulnerability does not affect Linux.

Whilst technically the version of git on both TKL v12.x & v13.0 is affected (see here), as it only applies to case-insensitive file-systems (which TKL specifically isn't by default, nor is Linux in general), it really only affects GitLab running on Mac (if it is using a case-insensitive FS) and Windows.

Having said that, I do note that whilst the TurnKey server itself wouldn't be compromised, it could still circulate malicious commits to Win and OSX machines which have a vulnerable version of git installed locally.

Regardless, the version of GitLab included in the TurnKey appliance is seriously out of date and we need to release the v13.1 TurnKey maintenance release (with an updated version) ASAP. Unfortunately we are currently tied up with important 'behind the scenes' development which is delaying the work required to get v13.1 out the door. If you would like to help, the current TKLDev GitLab appliance build code is hosted on GitHub here.

If you are keen to help but need some pointers, please ask and I'll help where I can.
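Since a Linux server can pass such commits on to Windows and OS X clones, a server-side pre-receive hook can reject them before they spread; the following is an added example written for this thread, not TurnKey or GitLab code. It assumes a Python 3 hook that git invokes with "old new ref" lines on stdin, and its HFS+ ignorable-code-point list and NTFS short-name rule are a simplified approximation of the client-side checks git 2.2.1 added (core.protectHFS / core.protectNTFS).

```python
import re
import subprocess
import sys

# Code points that HFS+ ignores when comparing names (assumption: a subset of
# the list git's core.protectHFS uses); ".g<U+200C>it" would collide with ".git".
HFS_IGNORABLE = {
    0x200C, 0x200D, 0x200E, 0x200F, 0x202A, 0x202B, 0x202C, 0x202D, 0x202E,
    0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFEFF,
}
ZERO_SHA = "0" * 40  # the "old" value git passes for a newly created ref


def is_dangerous_component(name):
    """True if one path component would be treated as '.git' on a
    case-insensitive filesystem (Windows NTFS or a default OS X HFS+)."""
    folded = "".join(ch for ch in name if ord(ch) not in HFS_IGNORABLE).lower()
    if folded == ".git":                       # .GIT, .Git, .g\u200cit ...
        return True
    # NTFS: trailing dots/spaces are dropped, and '.git' has the 8.3 short name GIT~1
    ntfs = name.rstrip(". ").lower()
    return ntfs == ".git" or re.fullmatch(r"git~\d+", ntfs) is not None


def dangerous_paths(paths):
    """Return every path (as listed by git) that contains a dangerous component."""
    return [p for p in paths if any(is_dangerous_component(c) for c in p.split("/"))]


def changed_paths(old, new):
    """Paths touched between two commits, obtained from git (needs a repository)."""
    if old == ZERO_SHA:
        cmd = ["git", "ls-tree", "-r", "--name-only", new]
    else:
        cmd = ["git", "diff-tree", "-r", "--name-only", "--no-commit-id", old, new]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.splitlines()


if __name__ == "__main__":
    # pre-receive: one "old new ref" line per pushed ref on stdin; a non-zero exit rejects the push
    bad = []
    for line in sys.stdin:
        old, new, ref = line.split()
        bad += [(ref, p) for p in dangerous_paths(changed_paths(old, new))]
    for ref, path in bad:
        print(f"rejected {ref}: path {path!r} would collide with .git on a case-insensitive FS")
    sys.exit(1 if bad else 0)
```

Installed as `hooks/pre-receive` in the bare repository, the hook refuses any push whose tree would unpack over a client's `.git` directory, while ordinary names such as `.gitignore` pass.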
