diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -20,3 +20,4 @@ 7198bdec29c2872c974431d55200d0398354cdb1 bd1c8d230fe741c2dfd7100a0ef39fd0774fd581 v4.7.2 9731914f89765d9628dc4dddc84bc9402aa124c8 v4.8.0 c5a2b7d0e4bbdebc4a62d7b624befe375207b659 v4.9.0 +d9aa3b27ac9f7e78359775c75fedf7bfece232f1 v4.9.1 diff --git a/docs/release-notes/release-notes-4.9.1.rst b/docs/release-notes/release-notes-4.9.1.rst new file mode 100644 --- /dev/null +++ b/docs/release-notes/release-notes-4.9.1.rst @@ -0,0 +1,54 @@ +|RCE| 4.9.1 |RNS| +----------------- + +Release Date +^^^^^^^^^^^^ + +- 2017-10-26 + + +New Features +^^^^^^^^^^^^ + + + +General +^^^^^^^ + + + +Security +^^^^^^^^ + +- security(critical): repo-forks: fix issue when forging fork_repo_id parameter + could allow reading other people forks. +- security(high): auth: don't expose full set of permissions into channelstream + payload. Forged requests could return list of private repositories in the system. +- security(medium): general-security: limit the maximum password input length + to 72 characters. +- security(medium): select2: always escape .text attributes to prevent XSS + via branches or tags names. + + + +Performance +^^^^^^^^^^^ + +- git: improve performance and reduce memory usage on large clones. + + + +Fixes +^^^^^ + + +- user-groups: fix potential problem with ldap group sync in external auth plugins. + + + +Upgrade notes +^^^^^^^^^^^^^ + +- This release changes the maximum allowed input password to 72 characters. This + prevent resource consumption attack. If you need longer password than 72 + characters please contact our team. diff --git a/docs/release-notes/release-notes.rst b/docs/release-notes/release-notes.rst --- a/docs/release-notes/release-notes.rst +++ b/docs/release-notes/release-notes.rst @@ -9,6 +9,7 @@ Release Notes .. toctree:: :maxdepth: 1 + release-notes-4.9.1.rst release-notes-4.9.0.rst release-notes-4.8.0.rst release-notes-4.7.2.rst
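Review bot: In the new docs/release-notes/release-notes-4.9.1.rst, the Upgrade notes entry does not say what happens to existing accounts whose stored password is already longer than 72 characters once the limit is enforced (whether login keeps working, whether an administrator must trigger a reset), which is the first thing an operator will ask before upgrading; add that, and fix the grammar of the entry while there: "This prevents a resource consumption attack. If you need passwords longer than 72 characters, please contact our team." The "New Features" and "General" headings are left empty and should either get a "- None" entry or be dropped, and each of the four security entries would be easier to track if it carried the advisory or issue reference it corresponds to (none is given in the hunk). Minor wording: "fix issue when forging fork_repo_id parameter could allow reading other people forks" reads better as "fix an issue where a forged fork_repo_id parameter could allow reading other users' forks".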