Releases: flaix/gitblit
1.10.0
Update Note
This release fixes a vulnerability allowing an attacker to circumvent authentication on the SSH transport. Users are urged to update to this version.
Should you have disabled the Flash-based copy-to-clipboard function because it wasn't working anymore (web.allowFlashCopyToClipboard = false), you may want to rethink this and enable it again. The configuration property has the same name, but the mechanism was exchanged. Flash is gone, and a modern JavaScript solution is now used to copy text directly to the clipboard (via clipboard.js).
The setting server.requireClientCertificates now has three values: required, optional and none. While required is synonymous to the old true value, and optional is synonymous to the old false value, the new none value results in the server never asking the client to present any client certificate at all. The old values true and false can still be used and keep their meaning.
From 1.10.0 on Gitblit requires Java 8 as minimal Java version.
Highlights:
* Support for ECDSA and Ed25519 SSH keys
* Fix vulnerability that allowed SSH authentication to be circumvented
* Explicitly disable requesting optional client TLS certificates
* Copy-to-clipboard button is back and working
* Minimal required Java version is Java 8
While old DSA SSH host keys can still be used, a new Gitblit installation will no longer
generate a DSA host key. The default set of host keys is now RSA, ECDSA and Ed25519.
Snapshot builds of the current master branch are now available as Docker containers on
Docker Hub under the "Nightly" tag.
Security
- Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/". (CVE-2022-31268) This was fixed by updating Jetty. (issue gitblit-org#1409)
- Fix exploit circumventing SSH authentication. Many thanks to András Veres-Szentkirályi (silentsignal.eu) for the report. (CVE-2024-28080)
- Fix vulnerability exposing user password hashes to administrators when an administrator edits a user's properties. Many thanks to Gerhard Klostermeier (syss.de) for the report.
Fixes
Fixes
- Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue gitblit-org#1359, PR gitblit-org#1435)
- Fix tab-to-space conversion to work like tabs. (PR gitblit-org#1065 by @QuentinC)
- Fix user effective permission display when user is in multiple groups with different permissions. (PR gitblit-org#1100 by @felazuris)
- Fix issue in pt under Python 3. (PR gitblit-org#1428 by @urkle)
- Fix null pointer exception which could occur during debug logging. (PR gitblit-org#1433)
- Fix Bugtraq to fallback to UTF-8 if the commit encoding is unsupported.
- Fix errors in Bugtraq preventing display of commit completely.
- Fix misaligned images in primary repository URL display. (issue gitblit-org#1437)
- Fix incorrect text being copied by copy button on tickets page
- Fix broken language files.
- Fix problems with single quotes in message texts. (PR gitblit-org#1455 by @losiki)
Changes
Changes
- Minimum Java required increased to Java 8. (PR gitblit-org#1218 by @paladox)
- Added feedback on invalid keys to SSH key form. (issue gitblit-org#984, PR gitblit-org#1239 by @martinspielmann)
- Replaced old Flash-based Clippy copy-paste buttons to copy repository URLs and other text to the clipboard with a modern JavaScript-based approach via clipboard.js. (issue gitblit-org#1241, issue gitblit-org#965, PR gitblit-org#1438 by @flaix)
- Updated various dependencies that had known CVEs.
- Updated Git clients list on empty repository page.
- Improved Chinese translation of "fork".
- Switched logging library from Log4j1 to reload4j.
- Updating the BouncyCastle version required to switch from bc*-jdk15on to bc*-jdk18on
Additions
Additions
- Option to explicitly disable optional client TLS certificates. (issue gitblit-org#1137, PR gitblit-org#1138 by @oddeirik)
- Support for ECDSA and Ed25519 (EdDSA) user keys. (PR gitblit-org#1427, PR gitblit-org#1272)
- New ECDSA and EdDSA host key types. (issue gitblit-org#1354, PR gitblit-org#1429 by @flaix)
- French version of empty repository page. (by @piradix)
- Add support for Jenkins access token. Use setting
groovy.jenkinsToken. (issue gitblit-org#1423, PR gitblit-org#1425 by @TDesjardins)
Contributors
Assets 8
1.9.3
Update Note
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
!! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
There is a security vulnerability in version 1.9.2, which allows an attacker to gain
elevated access rights. This is present when the Config User Service is used as the
user service, which is the default.
Version 1.9.2 introduced a new implementation to store user data in the user config file
which holds user name, password, access rights etc. This was done to solve problems with
very large user bases (PR #1364). This new implementation does not properly escape all
control characters, like newline and tab. As a result, a normal user, when logged into
Gitblit, can edit his profile data and enter values in e.g. the email address that are
interpreted as control characters in the text file stored on disk. This allows the malicious
user to give themselves e.g. elevated access rights on their account.
This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
Many thanks to Github user @YYHYlh for finding and reporting this issue (issue #1410).
Security
- Fix escaping control characters in config user service, resolving a security vulnerability. (issue gitblit-org#1410)
1.9.2
Update Note
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
Fixes
Fixes
- Fix raw links broken for branches with a forward slash in the name (issue gitblit-org#1290, issue gitblit-org#1234, issue gitblit-org#813)
- Fix markdown links to files in subfolders (issue gitblit-org#1358, PR gitblit-org#1392 by @TomaszSzt)
- Fix high CPU load when saving huge users.conf file (PR gitblit-org#1364 by @Curly060)
- Fix broken encoding in Norwegian language file (issue gitblit-org#834, PR gitblit-org#1379)
- Fix various issues (typos, broken and duplicate keys) in language properties files (PR gitblit-org#1380 by @flaix)
- Fix mirrored HTTP(S) with a user name and password (issue gitblit-org#1059, PR gitblit-org#1381 by @edram)
- Fix relative time display being off on activity page (issue gitblit-org#800, issue gitblit-org#1248, PR gitblit-org#1382)
- Fix URL encoding for links to raw view for files (issue gitblit-org#1375, PR gitblit-org#1383)
- Resolve StackOverflowErrors on page serialization (issue gitblit-org#1011, PR gitblit-org#1141 by @tomaswolf)
- Fix double encoding links in Markdown/Wiki pages (issue gitblit-org#864)
Changes
Changes
- Updated traditional Chinese translation (PR gitblit-org#1367 by @YMNNs)
- Make it possible to call the Windows batch commands on the command line from a different folder (PR gitblit-org#1370 by @Zwixx)
- Updated Japanese translation (PR gitblit-org#1398 by @TakehideMorimoto)
Additions
Additions
- Add service scripts for FreeBSD (PR gitblit-org#1345 by @davehofmann)
- Add Russian translation (PR gitblit-org#1343 by @vhot2076)
Contributors
Assets 8
1.9.0
Update Note
Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk.
With the update to Lucene 5.5.2 reindexing of the tickets is necessary. This is done automatically during the first server start after an upgrade. Depending on the amount of tickets you have, this could take a little while. The old index is kept, so that a downgrade is still possible without losing information. The old index can be deleted, when a downgrade is no longer required.
The interface for the ITicketService changed. If you have your own derived implementation, rename start to onStart. (see commit 63dbdfd)
To support Java 9+, Gitblit can no longer load JARs from the 'ext' folder by itself. In order to include the folder, it needs to be added to the classpath explicitly by changing the command line. Check the new start scripts to see the new required command line.
The 1.9 minor version will be the last to support Java 7. From 1.10 on Gitblit will require Java 8.
When the realm.ldap.bindpattern property is set, GitBlit will only bind as the user to LDAP, not to a manager account or anonymously.
Older password storage mechanisms are deprecated, PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
Highlights:
* Collapsible and nested repository groups on the repositories page
* Runs on Java 11
* Retrieve SSH keys from LDAP
* User language preference
* Option to merge ticket branches fast-forward or with merge commit
Security
- Change authentication cookie to use random value instead of user information (issue gitblit-org#1063, PR gitblit-org#1116)
- Increase cookie security (PR gitblit-org#1167)
Fixes
Fixes
- Fixed wrong HTML entity (&rt;) in HTML emails (PR gitblit-org#1105)
- Fixed Dutch translation (PR gitblit-org#1130)
- Changed LDAP binding strategies, to correctly find team membership (issue gitblit-org#833, issue gitblit-org#920, PR gitblit-org#247, PR gitblit-org#1149)
- Fixed disabled links in the PagerPanel to really be disabled (PR gitblit-org#1147)
- Set "can admin" permission on LDAP users and teams correctly (PR gitblit-org#1152)
- Fixed user mentions in tickets (issue gitblit-org#985)
- Fixed JEE Servlet 3.0 definition (issue gitblit-org#1132, PR gitblit-org#1178)
- Fixed proxy setup documentation (PR gitblit-org#1183)
- Fixed bug with reverse proxy when using a non-standard HTTPS port (issue gitblit-org#1114, PR gitblit-org#1201)
- Fixed wrapping of last column in tree page (PR gitblit-org#1202)
- Fixed NPE with unsupported transport URL protocol (PR gitblit-org#1238)
- Fixed unit tests by providing zipped local versions of external git repositories used for tests (issue gitblit-org#1275, PR gitblit-org#1309)
- Fixed NPE for symbolic links to repositories (issue gitblit-org#837, issue gitblit-org#891)
- Fixed NPE for ticket milestones without due date (PR gitblit-org#1278)
- Fixed NPE with special characters in repository names (issue gitblit-org#999, PR gitblit-org#1194)
- Fixed NPE when stopping GitBlit
- Fixed exception due to MAC error on SSH connections (issue gitblit-org#1282)
- Fixed link to LDAP sample LDIF file in documentation
- Fixed NPE on unknown git commands. (issue gitblit-org#1092)
- Fixed NPE for URLs to non-existing documents (PR gitblit-org#1324)
Changes
Changes
- Updated traditional Chinese translation (PR gitblit-org#1110)
- Load commit cache in the background to improve start-up time (PR gitblit-org#1140)
- Improved logging when sending emails fails, to assist in analysis (PR gitblit-org#1144)
- Support customized IUserService that can access application settings (PR gitblit-org#1171)
- Added feedback for invalid input on user SSH key form (PR gitblit-org#1239)
- Encode email sender's name with UTF-8 (PR gitblit-org#1206)
- Made Gitblit run on Java 9+ (issue gitblit-org#1262, issue gitblit-org#1294, PR gitblit-org#1266)
- The JRE version is reported upon starting
- Add the
extdirectory to the classpath on the command-line to start Gitblit and related programs. - Report back that git command
clone.bundleis unsupported instead of simply failing
Additions
Additions
- Added option to merge a ticket branch to the integration branch fast-forward or with a merge commit (PR gitblit-org#1142)
- Added SSH key manager that retrieves keys from LDAP directory (PR gitblit-org#1160)
- Updated Korean translation (PR gitblit-org#1176)
- The list of SSH authentication methods accepted by the server was made configurable (PR gitblit-org#1159)
- User language preference setting (PR gitblit-org#1198)
- Gitblit Authority sends user certificate email based on user preferred language (PR gitblit-org#1198)
- List branches over RPC for a given repository (PR gitblit-org#1192)
- Added Czech translation (PR gitblit-org#1200)
- Added setting to set HTTP idle timeout to prevent timeouts when cloning large repositories over HTTP(S) (PR gitblit-org#1243)
- Made the repository groups on the repositories page collapsible (issue gitblit-org#527, PR gitblit-org#1224)
- Made the repository groups on the repositories page nested (issue gitblit-org#725, PR gitblit-org#1267)
- Added PBKDF2 as password hashing algorithm. Other password storage choices are deprecated (issue gitblit-org#1166, PR gitblit-org#1172)