Florian Zschocke
2 years ago
1 changed files with 43 additions and 4 deletions
+ 43
- 4
releases.moxie
View File
| @@ -1,7 +1,7 @@ | |||
| # | |||
| # ${project.version} release | |||
| # | |||
| r33: { | |||
| r34: { | |||
| title: ${project.name} ${project.version} released | |||
| id: ${project.version} | |||
| date: ${project.buildDate} | |||
| @@ -21,6 +21,45 @@ r33: { | |||
| - paladox | |||
| } | |||
| # | |||
| # 1.9.3 release | |||
| # | |||
| r33: { | |||
| title: Gitblit 1.9.3 released | |||
| id: 1.9.3 | |||
| date: 2022-04-09 | |||
| note: '' | |||
| The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8. | |||
| '' | |||
| html: ~ | |||
| text: '' | |||
| !! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !! | |||
| There is a security vulnerability in version 1.9.2, which allows an attacker to gain | |||
| elevated access rights. This is present when the Config User Service is used as the | |||
| user service, which is the default. | |||
| Version 1.9.2 introduced a new implementation to store user data in the user config file | |||
| which holds user name, password, access rights etc. This was done to solve problems with | |||
| very large user bases (pr-1364). This new implementation does not properly escape all | |||
| control characters, like newline and tab. As a result, a normal user, when logged into | |||
| Gitblit, can edit his profile data and enter values in e.g. the email address that are | |||
| interpreted as control characters in the text file stored on disk. This allows the malicious | |||
| user to give themselves e.g. elevated access rights on their account. | |||
| This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2. | |||
| Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410). | |||
| '' | |||
| security: | |||
| - Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410) | |||
| fixes: ~ | |||
| changes: ~ | |||
| additions: ~ | |||
| dependencyChanges: ~ | |||
| contributors: ~ | |||
| } | |||
| # | |||
| # 1.9.2 release | |||
| # | |||
| @@ -2061,6 +2100,6 @@ r1: { | |||
| - James Moger | |||
| } | |||
| snapshot: &r33 | |||
| release: &r32 | |||
| releases: &r[1..32] | |||
| snapshot: &r34 | |||
| release: &r33 | |||
| releases: &r[1..33] | |||
Loading…