author: Florian Zschocke <f.zschocke+git@gmail.com> 2022-04-09 19:29:17 +0200
committer: Florian Zschocke <f.zschocke+git@gmail.com> 2022-04-09 19:29:17 +0200
commit: 41ff0f7218de7e9f31a61d889132a9696c912da4
tree: 419eaa57adcf56dc5b9cc589b54b28526291fb13
parent: ad52a89d40aef4a191bea8b65dc13597c0a7734d
doc: Merge release 1.9.3 info into releases.moxie
-rw-r--r-- releases.moxie | 47
1 files changed, 43 insertions, 4 deletions
diff --git a/releases.moxie b/releases.moxie
index dc20beca..c7a75a92 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -1,7 +1,7 @@
#
# ${project.version} release
#
-r33: {
+r34: {
title: ${project.name} ${project.version} released
id: ${project.version}
date: ${project.buildDate}
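Review bot: Renaming the snapshot block's anchor from `r33` to `r34` is required here because the new 1.9.3 block added below reuses `r33`, and moxie anchors must be unique; the change matches the `snapshot: &r34` update at the end of the file. Worth confirming that nothing outside releases.moxie referred to `&r33` as the unreleased snapshot block.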
@@ -22,6 +22,45 @@ r33: {
}
#
+# 1.9.3 release
+#
+r33: {
+ title: Gitblit 1.9.3 released
+ id: 1.9.3
+ date: 2022-04-09
+ note: ''
+ The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
+ ''
+ html: ~
+ text: ''
+ !! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
+
+ There is a security vulnerability in version 1.9.2, which allows an attacker to gain
+ elevated access rights. This is present when the Config User Service is used as the
+ user service, which is the default.
+
+ Version 1.9.2 introduced a new implementation to store user data in the user config file
+ which holds user name, password, access rights etc. This was done to solve problems with
+ very large user bases (pr-1364). This new implementation does not properly escape all
+ control characters, like newline and tab. As a result, a normal user, when logged into
+ Gitblit, can edit his profile data and enter values in e.g. the email address that are
+ interpreted as control characters in the text file stored on disk. This allows the malicious
+ user to give themselves e.g. elevated access rights on their account.
+
+ This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
+
+ Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410).
+ ''
+ security:
+ - Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410)
+ fixes: ~
+ changes: ~
+ additions: ~
+ dependencyChanges: ~
+ contributors: ~
+}
+
+#
# 1.9.2 release
#
r32: {
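Review bot: The advisory text in the `text:` field tells administrators to upgrade to 1.9.3 but does not say what happens to entries that 1.9.2 already wrote to the user config file with unescaped control characters; a sentence telling administrators to review that file for unexpected entries or access rights after upgrading would make the note actionable, whether or not the upgrade rewrites the file. Minor: "Github user" should read "GitHub user", and if a CVE identifier has been assigned for issue-1410 it belongs in the `security:` entry so scanners and downstream packagers can match it.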
@@ -2061,6 +2100,6 @@ r1: {
- James Moger
}
-snapshot: &r33
-release: &r32
-releases: &r[1..32]
+snapshot: &r34
+release: &r33
+releases: &r[1..33]
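Review bot: The `release: &r33` and `releases: &r[1..33]` updates are consistent with the new 1.9.3 block's `r33` anchor and with `snapshot: &r34`, so the three pointers stay in step and 1.9.3 now appears in the released range; no issue with this hunk.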