---
title: "Security Advisory for GitLab related to CVE-2014-2525"
date: 2014-04-07 13:58:46 +0200
categories: releases
author: Marin Jankovski
---

# Security Advisory for GitLab related to CVE-2014-2525

A recently discovered [vulnerability in ruby](https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525) allows a specially crafted string to cause a heap overflow in libyaml that can lead to arbitrary code execution. We are not aware of this issue affecting GitLab. We recommend keeping your system packages up to date.

### Versions affected

All versions of GitLab using ruby 1.9.3-p0 and newer.

### Impact

GitLab and several of its dependencies parse YAML through Ruby's psych library, which is built on libyaml, so it is theoretically possible for an attacker to use CVE-2014-2525 to execute code remotely on a server running GitLab. We are currently not aware of any real-world exploits against GitLab which take advantage of CVE-2014-2525.

### Workarounds

Keeping the libyaml package on your OS up to date resolves this vulnerability. For example, on Ubuntu 12.04 run the following commands:

```
sudo apt-get update
sudo apt-get upgrade
sudo service gitlab reload
```

Note that a running process keeps the old shared library mapped in memory until it is restarted, so the package upgrade alone is not enough: GitLab must be reloaded or restarted afterwards. On Linux you can confirm this by checking `/proc/<pid>/maps` of the GitLab processes for a libyaml object marked `(deleted)`; if one is still present after the reload, run `sudo service gitlab restart`.

If your OS didn't release a package update, you can compile [libyaml 0.1.6](http://pyyaml.org/download/libyaml/yaml-0.1.6.tar.gz) from source and then recompile ruby with the path to the new libyaml:

```
./configure --with-yaml-dir=/path/to/libyaml
```

For more information see the [ruby security announcement](https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525).
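The following script is an added example, not part of the original advisory or GitLab's own tooling. It verifies that the fix described in the Workarounds section has actually taken effect in two places where an upgrade can silently fall short: it asks Ruby's psych extension which libyaml it is really using (system or bundled) via `Psych::LIBYAML_VERSION`, and it scans `/proc/*/maps` for processes that still have a replaced libyaml mapped, which the kernel marks `(deleted)`. It assumes a Linux host with `/proc` and that the `ruby` on PATH is the one GitLab runs under; the `RUBY` variable, the `main` and helper function names, and the sample maps lines are all my own constructions for this example.

```bash
#!/bin/sh
# check_cve_2014_2525.sh: confirm the libyaml update for CVE-2014-2525 has
# taken effect on a GitLab host. Added example, not GitLab's own tooling.
# Assumes Linux (/proc) and that GitLab's interpreter is `ruby` on PATH;
# override with RUBY=/path/to/ruby if GitLab uses a different one.

RUBY="${RUBY:-ruby}"
FIXED_LIBYAML="0.1.6"   # first libyaml release containing the fix

# version_ge A B: succeed when dotted version A is >= B (numeric per field,
# so 0.1.10 sorts after 0.1.6). Sorts the pair and checks that B is lowest.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}

# Print the libyaml version psych is actually linked against, whether that
# is the OS package or a copy bundled into the Ruby build. Prints nothing
# if ruby is missing or psych cannot report it.
psych_libyaml_version() {
    "$RUBY" -rpsych -e 'puts Psych::LIBYAML_VERSION' 2>/dev/null
}

# Filter /proc/PID/maps lines (stdin) that reference a libyaml shared object
# whose file has been replaced on disk: the kernel marks such mappings
# "(deleted)", which is exactly what a package upgrade leaves behind in a
# process that has not been restarted.
find_stale_libyaml() {
    grep 'libyaml.*(deleted)'
}

# Constructed sample of two maps lines (not captured from a real host),
# used to exercise find_stale_libyaml offline.
sample_maps() {
    printf '%s\n' \
        '7f3a0000-7f3a1000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libyaml-0.so.2.0.2 (deleted)' \
        '7f3a2000-7f3a3000 r-xp 00000000 08:01 99 /lib/x86_64-linux-gnu/libc-2.15.so'
}

# Walk every process; maps files we may not read are skipped silently
# (stderr is redirected before the input redirection so the shell's own
# "permission denied" is suppressed too). Run as root to see everything.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        find_stale_libyaml 2>/dev/null < "$maps" | sed "s|^|pid $pid: |"
    done
}

main() {
    status=0

    ver=$(psych_libyaml_version || true)
    if [ -z "$ver" ]; then
        echo "could not determine psych's libyaml version via $RUBY"
    elif version_ge "$ver" "$FIXED_LIBYAML"; then
        echo "psych uses libyaml $ver (>= $FIXED_LIBYAML): fixed"
    else
        echo "psych uses libyaml $ver (< $FIXED_LIBYAML): still vulnerable"
        status=1
    fi

    stale=$(scan_running_processes || true)
    if [ -n "$stale" ]; then
        echo "processes still mapping a replaced libyaml (restart them):"
        echo "$stale" | sort -u
        status=1
    else
        echo "no running process maps a replaced libyaml"
    fi
    return "$status"
}

main "$@"
```

Run it as root after the upgrade so that every process's `maps` file is readable. A non-zero exit means either psych is still bound to a libyaml older than 0.1.6 (a Ruby built against its own bundled libyaml will show this even after the OS package was updated, which is the case for the recompile step above) or a GitLab process is still running on the old library and needs a restart rather than a reload.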