I’m not sure if GitLab uses the standard git libraries or its own, but if it is, is this CVE something that will be addressed? # CVE-2021-40330
It uses git. The current version of Gitlab 14.2.3 has this version of git:
root@gitlab:/opt/gitlab/embedded/bin# ./git --version git version 2.32.0
and for verification on my system:
root@gitlab:/opt/gitlab/embedded/bin# dpkg -l | grep -i gitlab ii gitlab-ce 14.2.3-ce.0 amd64 GitLab Community Edition (including NGINX, Postgres, Redis)
Since Gitlab 14.2.3 has a newer version, this CVE is not relevant and therefore not a problem.
So if you are using an older version of Gitlab, and after using the commands above, you have a version of git lower than version: 2.30.1 that is mentiond in the CVE, then you may wish to upgrade your Gitlab installation following the Gitlab Upgrade docs. Please also note, since git is on the server itself, you also need to pay attention to all the client computers connecting to Gitlab, since they also will have a version of git, and may be older than the version in the CVE, or also newer, and thus not a problem.