diff options
Diffstat (limited to 'releases.moxie')
| -rw-r--r-- | releases.moxie | 51 |
1 files changed, 46 insertions, 5 deletions
diff --git a/releases.moxie b/releases.moxie index 9776f0a9..b73038de 100644 --- a/releases.moxie +++ b/releases.moxie @@ -1,11 +1,51 @@ # # ${project.version} release # -r30: { +r31: { title: ${project.name} ${project.version} released id: ${project.version} date: ${project.buildDate} note: '' + When you have Gitblit installed as a service under Linux or Windows, you may need to edit your service script/definition. The command line to start Gitblit needs to be different, the classpath and class are speficied now. + + See notes for release 1.9.0. + '' + html: ~ + text: '' + !! IMPORTANT BUG FIX FOR PASSWORD HASH UPGRADE !! + + There is a severe bug in version 1.9.0, which can lock users out from their accounts. + When updating from a previous version to 1.9.0, existing stored passwords are rehashed + with a more secure password hash mechanism when a user first logs in after the update. + This happens when the password hashing mechanism was left at default and not specifically + set in the configuration. An error in the implementation will destroy the stored password + instead and the user can no longer log in. + + Only certain circumstances will lead to this wrong behaviour. It will most likely + affect users of the Gitblit Docker container. If you did not encounter any problems, + update to 1.9.1 to be on the safe side. If you were hit by this bug, we are deeply sorry. + There is no way to fix the affected accounts other than to set a new password. + + This is fixed in 1.9.1. Updates of existing installations should be made to 1.9.1, not 1.9.0. + '' + security: ~ + fixes: + - Fixed broken password hash upgrade destroying existing stored passwords on update. + - Fixed Linux service scripts to use `-cp` parameter instead of `-jar`. + changes: ~ + additions: ~ + dependencyChanges: ~ + contributors: ~ +} + +# +# 1.9.0 release +# +r30: { + title: Gitblit 1.9.0 released + id: 1.9.0 + date: 2020-02-01 + note: '' Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk. With the update to Lucene 5.5.2 reindexing of the tickets is necessary. This is done automatically during the first server start after an upgrade. Depending on the amount of tickets you have, this could take a little while. The old index is kept, so that a downgrade is still possible without losing information. The old index can be deleted, when a downgrade is no longer required. @@ -18,7 +58,8 @@ r30: { When the `realm.ldap.bindpattern` property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously. - Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in. + Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in. + !! THIS IS BROKEN IN 1.9.0. DO NOT UPDATE TO 1.9.0. USE 1.9.1 INSTEAD !! '' html: ~ text: '' @@ -1949,6 +1990,6 @@ r1: { - James Moger } -snapshot: &r30 -release: &r29 -releases: &r[1..29] +snapshot: &r31 +release: &r30 +releases: &r[1..30] |