Release Highlights

  • Issue 505: Changes can be created and edited directly in the browser.
  • Many improvements in the new change screen.
  • The old change screen is removed.
  • For full details please refer to the release notes on the old site.

Bugfix Releases

2.11.12

  • Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports.

    See the following section for details.

  • Upgrade JGit to 4.5.5.201812240535-r.

    This upgrade covers several JGit versions since 4.0.1, which was used in Gerrit 2.11.11. The important fixes are summarized below; please refer to the corresponding JGit release notes for full details.

    • JGit 4.5.5:

      • Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports.

        AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.

    • JGit 4.5.4:

      • Fix LockFile semantics when running on NFS.
      • Honor trustFolderStats also when reading packed-refs.

    • JGit 4.5.3:

      • Fix exception handling for opening bitmap index files.

    • JGit 4.5.2:

      • Fix pack marked as corrupted even if it isn’t.

    • JGit 4.5.1:

      • Don’t remove Pack when FileNotFoundException is transient.

    • JGit 4.1.0:

      • Handle stale NFS file handles on packed-refs file.
      • Use java.io.File instead of NIO to check existence of loose objects in ObjectDirectory to speed up inserting of loose objects.
      • Reduce memory consumption when creating bitmaps during writing pack files.
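The want check that AdvertiseRefsHook is meant to enforce (Issue 10262 above), as an added illustration and not JGit's own code: the server advertises only the refs this user may see, and refuses any want that is neither an advertised tip nor, under a reachable-commit policy, an ancestor of one. The class, policy names, commit graph and ref map are constructed for this example.

```java
import java.util.*;

/** Added example (not JGit code): validates "want" lines against advertised refs. */
public final class WantValidator {
    /** Hypothetical policy names: serve only advertised tips, or anything reachable from them. */
    public enum Policy { ADVERTISED, REACHABLE_COMMIT }

    private final Map<String, String> advertisedRefs;   // ref name -> object id, after visibility filtering
    private final Map<String, List<String>> parents;    // commit id -> parent ids (constructed graph)
    private final Policy policy;

    public WantValidator(Map<String, String> advertisedRefs,
                         Map<String, List<String>> parents, Policy policy) {
        this.advertisedRefs = advertisedRefs;
        this.parents = parents;
        this.policy = policy;
    }

    /** Returns the wants that must be refused; an empty list means the request may be served. */
    public List<String> rejectedWants(List<String> wants) {
        Set<String> allowed = new HashSet<>(advertisedRefs.values());
        if (policy == Policy.REACHABLE_COMMIT) {
            // Walk ancestry from every advertised tip; anything reachable is fetchable.
            Deque<String> todo = new ArrayDeque<>(allowed);
            while (!todo.isEmpty()) {
                for (String p : parents.getOrDefault(todo.pop(), List.of())) {
                    if (allowed.add(p)) todo.push(p);
                }
            }
        }
        List<String> rejected = new ArrayList<>();
        for (String w : wants) {
            if (!allowed.contains(w)) rejected.add(w);
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample: refs/meta/config (tip m1) is hidden from this user, so only master is advertised.
        Map<String, String> visible = Map.of("refs/heads/master", "c3");
        Map<String, List<String>> graph = Map.of("c3", List.of("c2"), "c2", List.of("c1"), "m1", List.of());
        WantValidator v = new WantValidator(visible, graph, Policy.REACHABLE_COMMIT);
        System.out.println(v.rejectedWants(List.of("c3", "c1"))); // tip and its ancestor: nothing rejected
        System.out.println(v.rejectedWants(List.of("m1")));       // hidden tip: rejected even if the id is guessed
        // Without this filter (the 2.11.11 behaviour), every want is served as long as the object exists.
    }
}
```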

2.11.11

Upgrade jsch from 0.1.51 to 0.1.54 to get security fixes:

  • CVE-2015-4000: Weak Diffie-Hellman vulnerability, a.k.a. “Logjam”. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, which lets the attacker read and modify any data passed over the connection. On February 22, 2018, GitHub removed support for weak cryptographic standards. As a result, replication to GitHub over SSH no longer works with the diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1 key exchange methods.
  • CVE-2016-5725: Directory traversal vulnerability. Versions of jsch prior to 0.1.54 have a directory traversal vulnerability on Windows: when the mode is ChannelSftp.OVERWRITE, a remote SFTP server can write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.

For other fixes in jsch since 0.1.51, please refer to the jsch change log.