GitLab Omnibus SSL Vulnerability (Heartbleed)

623 Views Asked by Curtis Kelsey At 05 April 2025 at 12:55

I installed GitLab 6.6.5 via the omnibus package on Ubuntu 12.04 LTE. My question is will the Ubuntu OpenSSL heartbleed update cover the GitLab's installation? The installation has an embedded nginx that is installed. I have enabled SSL via the GitLab Omnibus Merge Request #66.

Original Q&A

There are 2 best solutions below

VonC On 08 April 2014 at 18:55 BEST ANSWER

Having an embedded NGinX doesn't mean it won't use the /usr/bin/openssl installed on your system. (for instance, the ngx_http_ssl_module does require openssl)

If that openssl is 1.0.1g or 1.0.2, you won't have any issue.

openssl version

If not, it is easy enough to recompile it and install it.

To be sure, you can type:

ldd /path/to/nginx

That will give you the path of the openssl used by the binary nginx.
To get the full path, you can then use

readlink -f /path/to/libssl.so.1.0.0

Bruno adds in the comments:

It's probably more about /lib/*/libssl.so.1.0.0 than /usr/bin/openssl (which ldd should indicate indeed).
In principle, upgrading to the package with the fix and restarting NGinX should fix the issue.

Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features), but backport the security patches

The OP crushedGrass points out in the comments Jacob Vosmaer (jacobvosmaer)'s commit "Update omnibus-software (CVE-2014-0160)", in omnibus-gitlab

so all I had to do was run a reconfiguration.
I believe both your and Bruno's feedback is spot on, there are just more dependencies that have to match up.
GitLab uses Chef cookbooks to configure the setup and I definitely do not know enough about it to modify it downstream.

jevinskie On 15 April 2014 at 01:34

Just so it is clear:

-> # ldd /opt/gitlab/embedded/sbin/nginx
...
libssl.so.1.0.0 => /opt/gitlab/embedded/lib/libssl.so.1.0.0 (0x00007fe3cf8f9000)
libcrypto.so.1.0.0 => /opt/gitlab/embedded/lib/libcrypto.so.1.0.0 (0x00007fe3cf520000)
...

Gitlab omnibus uses its own bundled OpenSSL. apt-get update will not update and protect an install of gitlab omnibus.

GitLab Omnibus SSL Vulnerability (Heartbleed)

There are 2 best solutions below

Related Questions in SECURITY

Related Questions in SSL

Related Questions in GITLAB

Related Questions in HEARTBLEED-BUG

Trending Questions

Popular # Hahtags

Popular Questions