##// END OF EJS Templates
chore(release): merged default into stable branch
chore(release): merged default into stable branch

File last commit:

r2197:4edcf89e stable
r5558:77c2b736 merge v5.3.0 stable
Show More
release-notes-4.9.1.rst
54 lines | 1.0 KiB | text/x-rst | RstLexer
/ docs / release-notes / release-notes-4.9.1.rst
docs: added release notes for 4.9.1
r2197 |RCE| 4.9.1 |RNS|
-----------------
Release Date
^^^^^^^^^^^^
- 2017-10-26
New Features
^^^^^^^^^^^^
General
^^^^^^^
Security
^^^^^^^^
- security(critical): repo-forks: fix issue when forging fork_repo_id parameter
could allow reading other people forks.
- security(high): auth: don't expose full set of permissions into channelstream
payload. Forged requests could return list of private repositories in the system.
- security(medium): general-security: limit the maximum password input length
to 72 characters.
- security(medium): select2: always escape .text attributes to prevent XSS
via branches or tags names.
Performance
^^^^^^^^^^^
- git: improve performance and reduce memory usage on large clones.
Fixes
^^^^^
- user-groups: fix potential problem with ldap group sync in external auth plugins.
Upgrade notes
^^^^^^^^^^^^^
- This release changes the maximum allowed input password to 72 characters. This
prevent resource consumption attack. If you need longer password than 72
characters please contact our team.