Starting with Omnibus-GitLab 19.0 (releasing May 21, 2026), FIPS packages will no longer bundle a GitLab-built version of curl. Instead, they will rely on the curl package provided by the customer's Linux distribution, mirroring how FIPS packages already handle OpenSSL. The change was triggered by curl 8.18.0 deprecating compilation against OpenSSL 1.x, which broke the previous approach on Amazon Linux 2 and AlmaLinux 8. No immediate action is required from customers, but they will now be responsible for keeping their OS-level curl updated to receive security patches.
Table of contents
Why is this change happening?What do I need to do?Important implicationWhat do I do if I still have problems?Sort: