summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--releases.moxie31
-rw-r--r--src/site/upgrade_go.mkd22
2 files changed, 49 insertions, 4 deletions
diff --git a/releases.moxie b/releases.moxie
index 0b5afadd..b73038de 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -5,11 +5,33 @@ r31: {
title: ${project.name} ${project.version} released
id: ${project.version}
date: ${project.buildDate}
- note: ~
+ note: ''
+ When you have Gitblit installed as a service under Linux or Windows, you may need to edit your service script/definition. The command line to start Gitblit needs to be different, the classpath and class are speficied now.
+
+ See notes for release 1.9.0.
+ ''
html: ~
- text: ~
+ text: ''
+ !! IMPORTANT BUG FIX FOR PASSWORD HASH UPGRADE !!
+
+ There is a severe bug in version 1.9.0, which can lock users out from their accounts.
+ When updating from a previous version to 1.9.0, existing stored passwords are rehashed
+ with a more secure password hash mechanism when a user first logs in after the update.
+ This happens when the password hashing mechanism was left at default and not specifically
+ set in the configuration. An error in the implementation will destroy the stored password
+ instead and the user can no longer log in.
+
+ Only certain circumstances will lead to this wrong behaviour. It will most likely
+ affect users of the Gitblit Docker container. If you did not encounter any problems,
+ update to 1.9.1 to be on the safe side. If you were hit by this bug, we are deeply sorry.
+ There is no way to fix the affected accounts other than to set a new password.
+
+ This is fixed in 1.9.1. Updates of existing installations should be made to 1.9.1, not 1.9.0.
+ ''
security: ~
- fixes: ~
+ fixes:
+ - Fixed broken password hash upgrade destroying existing stored passwords on update.
+ - Fixed Linux service scripts to use `-cp` parameter instead of `-jar`.
changes: ~
additions: ~
dependencyChanges: ~
@@ -36,7 +58,8 @@ r30: {
When the `realm.ldap.bindpattern` property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously.
- Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
+ Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
+ !! THIS IS BROKEN IN 1.9.0. DO NOT UPDATE TO 1.9.0. USE 1.9.1 INSTEAD !!
''
html: ~
text: ''
diff --git a/src/site/upgrade_go.mkd b/src/site/upgrade_go.mkd
index a0092588..4bc2272f 100644
--- a/src/site/upgrade_go.mkd
+++ b/src/site/upgrade_go.mkd
@@ -1,3 +1,25 @@
+## Upgrading Gitblit GO (1.9.1+)
+
+The command line to start Gitblit has changed from
+
+```
+java -jar gitblit.jar --baseFolder data
+```
+
+to
+
+```
+java -cp "gitblit.jar:ext/*" com.gitblit.GitBlitServer --baseFolder data
+```
+
+or on Windows to
+
+```
+java -cp gitblit.jar;"%CD%\ext\*" com.gitblit.GitBlitServer --baseFolder data
+```
+
+The class path and main class need to be specified now. If you have installed Gitblit as a service you will need to adjust the service scripts or definitions accordingly.
+
## Upgrading Gitblit GO (1.7.0+)
The default `gitblit.properties` file has been split into two files: `gitblit.properties`, which is the recommended file for setting your configuration, and `defaults.properties` which are Gitblit's default settings.