This morning we discovered a vulnerability in Gitorious, which prompted us to write this advisory on our mailing list and to release version 2.4.7 of Gitorious. All users running their own Gitorious servers should upgrade immediately.
The steps for upgrading are, as usual:
- git fetch origin
- git merge v2.4.7
- git submodule update
- bundle install
- touch tmp/restart.txt (assuming you’re using Passenger; for non-Passenger deployments, restart your application server as you normally would)
If you’re running on the next branch, that has been updated as well. Just pull from mainline, then restart your server, and you’re all set.
You will note that the advisory and the v2.4.7 tag were both signed with our PGP key, as part of the Security Policy described on our security page. Because we sign release tags and security advisories, you can verify that they were in fact issued by the Gitorious team.
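As an added example (not code from the Gitorious project or from the original post), here are the upgrade steps above wrapped in a POSIX shell script that verifies the PGP signature on the release tag before merging it, so an unsigned or tampered tag stops the upgrade. It assumes the Gitorious team's public key is already imported into the local GnuPG keyring, that the checkout path and tag name are passed as arguments, and a Passenger deployment for the restart step.

```shell
#!/bin/sh
# Added example, not part of the Gitorious project: upgrade a self-hosted
# Gitorious checkout to a signed release tag, refusing to merge unless the
# tag's PGP signature verifies against the local GnuPG keyring.
# Assumptions: the Gitorious team's public key has been imported already,
# and the deployment uses Passenger (tmp/restart.txt) for restarts.
set -eu

# Return 0 only when git can verify the PGP signature on TAG in REPO_DIR.
# A missing tag, a lightweight/unsigned tag, or an unknown signing key all
# make `git verify-tag` exit non-zero, so the caller can refuse to merge.
verify_release_tag() {
    repo_dir=$1
    tag=$2
    (cd "$repo_dir" && git verify-tag "$tag")
}

# Upgrade the checkout in REPO_DIR to TAG: fetch, verify, merge,
# update submodules, install gems, restart the application server.
upgrade_gitorious() {
    repo_dir=$1
    tag=$2
    (
        cd "$repo_dir"
        git fetch origin
        # Stop here if the tag is absent or its signature does not verify.
        if ! verify_release_tag . "$tag"; then
            echo "refusing to upgrade: signature on $tag did not verify" >&2
            exit 1
        fi
        git merge "$tag"
        git submodule update
        bundle install
        touch tmp/restart.txt   # Passenger restart; adapt for other servers
    )
}

# Run only when invoked with a checkout path and a tag, e.g.:
#   ./upgrade.sh /srv/gitorious v2.4.7
if [ "$#" -eq 2 ]; then
    upgrade_gitorious "$1" "$2"
fi
```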