|
|
@@ -1,7 +1,7 @@ |
|
|
|
# |
|
|
|
# ${project.version} release |
|
|
|
# |
|
|
|
r33: { |
|
|
|
r34: { |
|
|
|
title: ${project.name} ${project.version} released |
|
|
|
id: ${project.version} |
|
|
|
date: ${project.buildDate} |
|
|
@@ -21,6 +21,45 @@ r33: { |
|
|
|
- paladox |
|
|
|
} |
|
|
|
|
|
|
|
# |
|
|
|
# 1.9.3 release |
|
|
|
# |
|
|
|
r33: { |
|
|
|
title: Gitblit 1.9.3 released |
|
|
|
id: 1.9.3 |
|
|
|
date: 2022-04-09 |
|
|
|
note: '' |
|
|
|
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8. |
|
|
|
'' |
|
|
|
html: ~ |
|
|
|
text: '' |
|
|
|
!! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !! |
|
|
|
|
|
|
|
There is a security vulnerability in version 1.9.2, which allows an attacker to gain |
|
|
|
elevated access rights. This is present when the Config User Service is used as the |
|
|
|
user service, which is the default. |
|
|
|
|
|
|
|
Version 1.9.2 introduced a new implementation to store user data in the user config file |
|
|
|
which holds user name, password, access rights etc. This was done to solve problems with |
|
|
|
very large user bases (pr-1364). This new implementation does not properly escape all |
|
|
|
control characters, like newline and tab. As a result, a normal user, when logged into |
|
|
|
Gitblit, can edit his profile data and enter values in e.g. the email address that are |
|
|
|
interpreted as control characters in the text file stored on disk. This allows the malicious |
|
|
|
user to give themselves e.g. elevated access rights on their account. |
|
|
|
|
|
|
|
This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2. |
|
|
|
|
|
|
|
Many thanks to Github user @YYHYlh for finding and reporting this issue (issue-1410). |
|
|
|
'' |
|
|
|
security: |
|
|
|
- Fix escaping control characters in config user service, resolving a security vulnerability. (issue-1410) |
|
|
|
fixes: ~ |
|
|
|
changes: ~ |
|
|
|
additions: ~ |
|
|
|
dependencyChanges: ~ |
|
|
|
contributors: ~ |
|
|
|
} |
|
|
|
|
|
|
|
# |
|
|
|
# 1.9.2 release |
|
|
|
# |
|
|
@@ -2061,6 +2100,6 @@ r1: { |
|
|
|
- James Moger |
|
|
|
} |
|
|
|
|
|
|
|
snapshot: &r33 |
|
|
|
release: &r32 |
|
|
|
releases: &r[1..32] |
|
|
|
snapshot: &r34 |
|
|
|
release: &r33 |
|
|
|
releases: &r[1..33] |