
1.10.0

@flaix flaix released this 14 Jun 17:22

Update Note

This release fixes a vulnerability allowing an attacker to circumvent authentication on the SSH transport. Users are urged to update to this version.

Should you have disabled the Flash-based copy-to-clipboard function because it wasn't working anymore (web.allowFlashCopyToClipboard = false), you may want to rethink this and enable it again. The configuration property has the same name, but the mechanism was exchanged. Flash is gone, and a modern JavaScript solution is now used to copy text directly to the clipboard (via clipboard.js).

The setting server.requireClientCertificates now has three values: required, optional and none. While required is synonymous with the old true value, and optional is synonymous with the old false value, the new none value results in the server never asking the client to present a client certificate at all. The old values true and false can still be used and keep their meaning.

From 1.10.0 on, Gitblit requires at least Java 8.


Highlights:

  • Support for ECDSA and Ed25519 SSH keys
  • Fix vulnerability that allowed SSH authentication to be circumvented
  • Explicitly disable requesting optional client TLS certificates
  • Copy-to-clipboard button is back and working
  • Minimal required Java version is Java 8

While old DSA SSH host keys can still be used, a new Gitblit installation will no longer
generate a DSA host key. The default set of host keys is now RSA, ECDSA and Ed25519.

Snapshot builds of the current master branch are now available as Docker containers on
Docker Hub under the "Nightly" tag.

Security

  • Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/". This was fixed by updating Jetty. (CVE-2022-31268, issue #1409)
  • Fix exploit circumventing SSH authentication. Many thanks to András Veres-Szentkirályi (silentsignal.eu) for the report. (CVE-2024-28080)
  • Fix vulnerability exposing user password hashes to administrators when an administrator edits a user's properties. Many thanks to Gerhard Klostermeier (syss.de) for the report.
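
A defender-side check for the path traversal item above, added here as an example and not code from Gitblit or Jetty: it canonicalises a request path the way a servlet container's resource lookup ultimately would (query string dropped, percent-escapes decoded, empty and dot-segments collapsed) and flags any request whose canonical form lands in WEB-INF or META-INF. The log format and the sample lines are constructed for this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Servlet directories that must never be reachable through a static-resource path.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

# Request line inside a common-log-format entry: "METHOD PATH HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def canonical_path(raw_path: str) -> str:
    """Resolve the path as the container's resource lookup ultimately would:
    drop the query string, decode percent-escapes, collapse empty segments and
    dot-segments, so /resources//../WEB-INF/ resolves to /WEB-INF/."""
    path = unquote(raw_path.split("?", 1)[0])
    norm = posixpath.normpath(path)  # also refuses to climb above "/"
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep the trailing slash so directory probes stay visible
    return norm


def is_suspicious(raw_path: str) -> bool:
    """True when the canonical form of the request lands in a protected directory."""
    canon = canonical_path(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p) for p in PROTECTED_PREFIXES)


def scan_log(lines):
    """Return (client, raw_path, canonical_path) for every flagged request line."""
    hits = []
    for line in lines:
        m = _REQUEST_RE.search(line)
        if m and is_suspicious(m.group("path")):
            hits.append((line.split(" ", 1)[0], m.group("path"), canonical_path(m.group("path"))))
    return hits


# Constructed sample access-log lines (not real Gitblit traffic); the second and
# third use the traversal pattern fixed in 1.10.0, with and without percent-encoding.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /resources/gitblit.css HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:01:09 +0000] "GET /resources//../WEB-INF/web.xml HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:01:11 +0000] "GET /resources/%2e%2e/WEB-INF/classes/ HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:02:30 +0000] "GET /summary/test.git?x=1 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for client, raw, canon in scan_log(LOG_LINES):
        print(f"{client} requested {raw!r} -> resolves to {canon!r}")
```

Note that a 200 status on a flagged line is the signal that the container served the protected file, while a 404 means the probe was attempted but the container refused it.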

Fixes

  • Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue #1359, PR #1435)
  • Fix tab-to-space conversion to work like tabs. (PR #1065 by @QuentinC)
  • Fix user effective permission display when user is in multiple groups with different permissions. (PR #1100 by @felazuris)
  • Fix issue in pt under Python 3. (PR #1428 by @urkle)
  • Fix null pointer exception which could occur during debug logging. (PR #1433)
  • Fix Bugtraq to fall back to UTF-8 if the commit encoding is unsupported.
  • Fix errors in Bugtraq that completely prevented a commit from being displayed.
  • Fix misaligned images in primary repository URL display. (issue #1437)
  • Fix incorrect text being copied by the copy button on the tickets page.
  • Fix broken language files.
  • Fix problems with single quotes in message texts. (PR #1455 by @losiki)

Changes

  • Minimum Java required increased to Java 8. (PR #1218 by @paladox)
  • Added feedback on invalid keys to SSH key form. (issue #984, PR #1239 by @martinspielmann)
  • Replaced the old Flash-based Clippy buttons, which copied repository URLs and other text to the clipboard, with a modern JavaScript-based approach via clipboard.js. (issue #1241, issue #965, PR #1438 by @flaix)
  • Updated various dependencies that had known CVEs.
  • Updated Git clients list on empty repository page.
  • Improved Chinese translation of "fork".
  • Switched logging library from Log4j1 to reload4j.
  • Updating the BouncyCastle version required switching from bc*-jdk15on to bc*-jdk18on.

Additions

  • Option to explicitly disable optional client TLS certificates. (issue #1137, PR #1138 by @oddeirik)
  • Support for ECDSA and Ed25519 (EdDSA) user keys. (PR #1427, PR #1272)
  • New ECDSA and EdDSA host key types. (issue #1354, PR #1429 by @flaix)
  • French version of empty repository page. (by @piradix)
  • Add support for Jenkins access token. Use setting groovy.jenkinsToken. (issue #1423, PR #1425 by @TDesjardins)

Full release notes on gitblit.com