diff options
author | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-14 20:43:39 +0100 |
---|---|---|
committer | Florian Zschocke <f.zschocke+git@gmail.com> | 2022-03-14 20:44:02 +0100 |
commit | 2e5fe0f22dbc9e459f3f3ad7c0b326c4a543100f (patch) | |
tree | 667dfefe3e2ca0ee55385dfeab4cc2f533bc0d7d | |
parent | b0c15656235a2502eb8cb06b71c963a6bc305b48 (diff) | |
download | gitblit-2e5fe0f22dbc9e459f3f3ad7c0b326c4a543100f.tar.gz gitblit-2e5fe0f22dbc9e459f3f3ad7c0b326c4a543100f.zip |
doc: Update release notes
-rw-r--r-- | releases.moxie | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/releases.moxie b/releases.moxie index 4b8f0717..d7e75810 100644 --- a/releases.moxie +++ b/releases.moxie @@ -5,10 +5,31 @@ r33: { title: ${project.name} ${project.version} released id: ${project.version} date: ${project.buildDate} - note: ~ + note: '' + The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8. + '' html: ~ - text: ~ - security: ~ + text: '' + !! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !! + + There is a security vulnerability in version 1.9.2, which allows an attacker to gain + elevated access rights. This is present when the Config User Service is used as the + user service, which is the default. + + Version 1.9.2 introduced a new implementation to store user data in the user config file + which holds user name, password, access rights etc. This was done to solve problems with + very large user bases (pr-1364). This new implementation does not properly escape all + control characters, like newline and tab. As a result, a normal user, when logged into + Gitblit, can edit his profile data and enter values in e.g. the email address that are + interpreted as control characters in the text file stored on disk. This allows the malicious + user to give themselves e.g. elevated access rights on their account. + + This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2. + + Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410). + '' + security: + - Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410) fixes: ~ changes: ~ additions: ~ |