I installed GitLab 6.6.5 via the omnibus package on Ubuntu 12.04 LTS. My question is: will the Ubuntu OpenSSL heartbleed update cover the GitLab installation? The installation includes an embedded nginx. I have enabled SSL via the GitLab Omnibus Merge Request #66.
Having an embedded NGinX doesn't mean it won't use the /usr/bin/openssl installed on your system (for instance, the ngx_http_ssl_module does require openssl).
If that openssl is 1.0.1g or 1.0.2, you won't have any issue:

```sh
openssl version
```

If not, it is easy enough to recompile it and install it.
To be sure, you can type:

```sh
ldd /path/to/nginx
```

That will give you the path of the openssl library used by the nginx binary.
To get the full path, you can then use:

```sh
readlink -f /path/to/libssl.so.1.0.0
```
Bruno adds in the comments: "It's probably more about /lib/*/libssl.so.1.0.0 than /usr/bin/openssl (which ldd should indicate indeed)."
In principle, upgrading to the package with the fix and restarting NGinX should fix the issue. Also note that the version numbers in distribution packages (e.g. Ubuntu) don't necessarily match the official version numbers exactly, because they tend to keep the same version number (for the same features) but backport the security patches.
The OP crushedGrass points out in the comments Jacob Vosmaer (jacobvosmaer)'s commit "Update omnibus-software (CVE-2014-0160)" in omnibus-gitlab: "so all I had to do was run a reconfiguration."
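The checks described in the answer above (ldd, readlink -f, the package version, and a restart), put together as an added example script; this is not code from the original answer or from the omnibus-gitlab project. It assumes the omnibus nginx lives at /opt/gitlab/embedded/sbin/nginx (an assumption; pass the real path as the first argument), that the Ubuntu 12.04 fix is libssl1.0.0 1.0.1-4ubuntu5.12 as published in USN-2165-1, and it adds one check the answer only implies: a running nginx that still maps a libssl marked "(deleted)" in /proc/PID/maps was upgraded on disk but never restarted, so it is still serving with the vulnerable code.

```sh
#!/bin/sh
# Added example, not from the original answer or the omnibus-gitlab project.
# 1. Which libssl does the nginx binary link against (ldd + readlink -f)?
# 2. Does the installed Ubuntu 12.04 libssl1.0.0 carry the Heartbleed fix?
# 3. Do running nginx processes still map a replaced ("deleted") libssl?
# The default nginx path below is an assumption about the omnibus layout.

# Print the libssl path from `ldd` output read on stdin.
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" { print $3; exit }'
}

# Ubuntu 12.04 shipped the fix as libssl1.0.0 1.0.1-4ubuntu5.12 (USN-2165-1).
# Return 0 if $1 is 1.0.1-4ubuntu5.N with N >= 12. Any other version series
# returns 2 ("unknown") instead of guessing, because distro version strings
# do not track upstream 1.0.1g.
heartbleed_fixed_12_04() {
    case "$1" in
        1.0.1-4ubuntu5.*)
            ubu_rev=${1#1.0.1-4ubuntu5.}
            [ "$ubu_rev" -ge 12 ] 2>/dev/null
            ;;
        *) return 2 ;;
    esac
}

# Return 0 if /proc/PID/maps content on stdin shows a libssl mapping whose
# file was replaced on disk while the process kept running.
stale_libssl_in_maps() {
    grep -q 'libssl\.so.*(deleted)'
}

check_nginx() {
    nginx_bin=${1:-/opt/gitlab/embedded/sbin/nginx}   # assumed omnibus path
    lib=$(ldd "$nginx_bin" | libssl_from_ldd)
    if [ -z "$lib" ]; then
        echo "$nginx_bin does not link a shared libssl (static build or no SSL module)"
        return 1
    fi
    echo "libssl used by nginx: $(readlink -f "$lib")"

    ver=$(dpkg-query -W -f='${Version}' libssl1.0.0 2>/dev/null)
    if heartbleed_fixed_12_04 "$ver"; then
        echo "libssl1.0.0 $ver: patched"
    else
        echo "libssl1.0.0 $ver: not known to be patched, upgrade it"
    fi

    for pid in $(pidof nginx 2>/dev/null); do
        if stale_libssl_in_maps < "/proc/$pid/maps"; then
            echo "nginx pid $pid still maps the old libssl: restart nginx"
            return 1
        fi
    done
    echo "no running nginx maps a stale libssl"
}

# Run the check when given an nginx path, e.g.
#   sh check_nginx_ssl.sh /opt/gitlab/embedded/sbin/nginx
if [ -n "${1:-}" ]; then
    check_nginx "$1"
fi
```

The third check is the one that bites in practice: `apt-get upgrade` replaces the file on disk, but every nginx worker keeps the old, vulnerable library mapped until the master is restarted (for the omnibus package, `gitlab-ctl restart nginx`). Running the script before and after the restart shows the "(deleted)" mapping disappear.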
I believe both your and Bruno's feedback is spot on; there are just more dependencies that have to match up.
GitLab uses Chef cookbooks to configure the setup, and I definitely do not know enough about it to modify it downstream.