---
title: "Security Release of omnibus-gitlab due to CVE-2014-0160 ('Heartbleed')"
date: 2014-04-08
categories: releases
author: Jacob Vosmaer
---

Yesterday OpenSSL 1.0.1g was released to address the ['Heartbleed' security vulnerability (CVE-2014-0160)](http://heartbleed.com/). We have just released new omnibus-gitlab packages that update the version of OpenSSL embedded in the package to version 1.0.1g. We advise all users of omnibus-gitlab to upgrade immediately.

### Versions affected

Affected versions: all omnibus-gitlab packages prior to 6.7.3.omnibus.3 or 6.7.2-ee.omnibus.2.

Fixed versions: 6.7.3.omnibus.3 (CE) and 6.7.2-ee.omnibus.2 (EE).

You can check your omnibus-gitlab version by running `dpkg-query -W gitlab` (Ubuntu) or `rpm -q gitlab` (CentOS).

### Impact

OpenSSL is used in the existing packages for omnibus-gitlab to make outgoing connections to remote hosts, e.g. for HTTPS resources. Because omnibus-gitlab uses its own embedded copy of OpenSSL, you must update omnibus-gitlab in addition to updating your OS's copy of OpenSSL.

### Releases

Omnibus-gitlab 6.7.3.omnibus.3 (CE) is available at [the download page](/install/).

Omnibus-gitlab 6.7.2-ee.omnibus.2 is available [for subscribers only](https://gitlab.com/subscribers/gitlab-ee/blob/master/doc/install/packages.md).

Upgrade instructions can be found [in the omnibus-gitlab repository](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/doc/update.md).
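As the Impact section notes, a host can carry two separate copies of OpenSSL. The script below is an added example, not part of the original announcement or of omnibus-gitlab: it reports the version of each copy and classifies it against the upstream 1.0.1 release line. The path `/opt/gitlab/embedded/bin/openssl` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify "openssl version" output for CVE-2014-0160.
# Scope: upstream release versions only. 1.0.1 through 1.0.1f are affected,
# 1.0.1g is fixed; the 0.9.8 and 1.0.0 branches do not contain the bug.

heartbleed_status() {
    # $1: output of "openssl version", e.g. "OpenSSL 1.0.1f 6 Jan 2014"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]) echo "affected" ;;
        "")               echo "unknown" ;;
        *)                echo "not-affected" ;;
    esac
}

report_openssl_copies() {
    # Assumed locations: the default omnibus-gitlab install prefix and
    # whichever openssl binary the OS puts on PATH.
    for bin in /opt/gitlab/embedded/bin/openssl "$(command -v openssl 2>/dev/null)"; do
        [ -n "$bin" ] && [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%s: %s -> %s\n' "$bin" "$out" "$(heartbleed_status "$out")"
    done
    # Caveat: distribution packages may backport the fix without changing
    # the version letter, so for the OS copy confirm the result against the
    # distribution's own package version and advisory.
    return 0
}

report_openssl_copies
```

Run it before and after upgrading omnibus-gitlab; the embedded copy should move to 1.0.1g once a fixed package is installed.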