File last commit (r2197:4edcf89e stable, r3096:5e20ef75 default):

dependencies: bumped a few libraries.

  - atomicwrites==1.2.1
  - attrs==18.2.0
  - dogpile.cache==0.6.7
  - psutil==5.4.7
  - pathlib2==2.3.2
  - subprocess32==3.5.2
  - gevent==1.3.6
  - greenlet==0.4.15
  - pytest==3.8.1
  - py==1.6.0
  - pytest-cov==2.6.0
  - pytest-timeout==1.3.2
  - coverage==4.5.1
  - psycopg2==2.7.5
release-notes-4.9.1.rst

|RCE| 4.9.1 |RNS|

Release Date

  • 2017-10-26

New Features

General

Security

  • security(critical): repo-forks: fix an issue where a forged fork_repo_id parameter could allow reading other users' forks.
  • security(high): auth: don't expose the full set of permissions in the channelstream payload. Forged requests could return the list of private repositories in the system.
  • security(medium): general-security: limit the maximum password input length to 72 characters.
  • security(medium): select2: always escape .text attributes to prevent XSS via branch or tag names.
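The critical repo-forks item above is an object-level authorization bug: a lookup keyed on a client-supplied fork_repo_id that never checks whether the caller may read that repository. The block below is an added illustration of that pattern and its fix; it is not RhodeCode's code, and the Repo model, the REPOS table, the can_read rule and the two lookup functions are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample model (not RhodeCode's): a repository with an owner,
# a private flag, an optional parent it was forked from, and extra readers.
@dataclass
class Repo:
    repo_id: int
    name: str
    owner: str
    private: bool
    fork_of: Optional[int] = None
    readers: Set[str] = field(default_factory=set)

# Constructed sample data: repo 1 is public; 2 and 3 are private forks of it;
# 4 is a private repository unrelated to repo 1.
REPOS = {
    1: Repo(1, "upstream/app", "alice", private=False),
    2: Repo(2, "bob/app-fork", "bob", private=True, fork_of=1),
    3: Repo(3, "carol/app-fork", "carol", private=True, fork_of=1, readers={"dave"}),
    4: Repo(4, "eve/secret", "eve", private=True),
}


def can_read(user: str, repo: Repo) -> bool:
    """Assumed permission rule: public repos are readable by anyone,
    private ones only by the owner or an explicitly granted reader."""
    return (not repo.private) or user == repo.owner or user in repo.readers


def fork_info_vulnerable(user: str, parent_id: int, fork_repo_id: int) -> Optional[str]:
    """The buggy shape: the parent is authorized elsewhere, but fork_repo_id is
    trusted as-is, so any id the client forges is looked up and returned."""
    fork = REPOS.get(fork_repo_id)
    return fork.name if fork else None


def fork_info_fixed(user: str, parent_id: int, fork_repo_id: int) -> Optional[str]:
    """Hardened shape: the id must name a fork of the parent being viewed AND
    the caller must hold read permission on that fork. Both failures return
    None so the response does not reveal whether a hidden fork exists."""
    fork = REPOS.get(fork_repo_id)
    if fork is None or fork.fork_of != parent_id:
        return None
    if not can_read(user, fork):
        return None
    return fork.name
```

The two checks are deliberately separate: tying the fork to the parent stops a forged id from reaching an unrelated repository, and the per-object read check stops enumeration of other users' private forks of the same parent.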

Performance

  • git: improve performance and reduce memory usage on large clones.

Fixes

  • user-groups: fix a potential problem with LDAP group sync in external auth plugins.

Upgrade notes

  • This release limits the maximum allowed password input length to 72 characters. This prevents resource consumption attacks. If you need passwords longer than 72 characters, please contact our team.
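The protective value of the limit above comes from where the check sits: the length must be rejected before the submitted password reaches the slow hash, or the attacker still gets the expensive work done for free. The block below is an added example of that ordering, not RhodeCode's code; the MAX_PASSWORD_CHARS constant, the PBKDF2 parameters and the authenticate function are constructed for illustration, and the optional byte-length check is this example's addition, included because bcrypt implementations truncate input at 72 bytes, so a multibyte character can exceed that even when the character count does not.

```python
import hashlib
import hmac
import os

MAX_PASSWORD_CHARS = 72          # the limit introduced in this release
MAX_PASSWORD_BYTES = 72          # assumed stricter variant (bcrypt truncation bound)
PBKDF2_ITERATIONS = 50_000       # constructed cost; real deployments tune this


def check_password_length(password: str,
                          max_chars: int = MAX_PASSWORD_CHARS,
                          max_bytes: int = MAX_PASSWORD_BYTES) -> bool:
    """True when the password may be passed to the hash function.
    Counts characters (the release's rule) and UTF-8 bytes (the stricter
    variant), so an oversized input is refused without any hashing."""
    if len(password) > max_chars:
        return False
    if len(password.encode("utf-8")) > max_bytes:
        return False
    return True


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow hash of an already length-checked password (PBKDF2-HMAC-SHA256
    stands in for whatever slow hash a real system uses)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(password: str):
    """Return (salt, stored_hash) or None when the password is too long."""
    if not check_password_length(password):
        return None
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def authenticate(submitted: str, salt: bytes, stored_hash: bytes) -> bool:
    """Length is enforced first: an oversized submission is rejected before
    any expensive work, which is the resource-consumption defence."""
    if not check_password_length(submitted):
        return False
    candidate = hash_password(submitted, salt)
    return hmac.compare_digest(candidate, stored_hash)
```

Note the order in authenticate: the cheap length check runs before hash_password, and the comparison uses a constant-time function so the final step does not leak how many bytes of the hash matched.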