u/pc/rhodecode-enterprise-ce-fork-pc Files · docs/release-notes/release-notes-4.9.1.rst

authentication: introduce a group sync flag for plugins....

authentication: introduce a group sync flag for plugins. - we'll skip any syncing on plugins which simply don't get any group information - we let plugins define if they wish to sync groups - prevent from odd cases in which someone sets user groups as syncing, and using regular plugin. In this case memebership of that group would be wiped, and it's generaly bad behaviour.

marcink - - Load All Authors

File last commit:

r2197:4edcf89e stable


                r2495:4f076134

default

Download file

             release-notes-4.9.1.rst
        
                    54 lines
            
             | 1.0 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / release-notes / release-notes-4.9.1.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
docs: added release notes for 4.9.1

              r2197
            
      |RCE| 4.9.1 |RNS|

      -----------------

      Release Date

      ^^^^^^^^^^^^

      - 2017-10-26

      New Features

      ^^^^^^^^^^^^

      General

      ^^^^^^^

      Security

      ^^^^^^^^

      - security(critical): repo-forks: fix issue when forging fork_repo_id parameter

        could allow reading other people forks.

      - security(high): auth: don't expose full set of permissions into channelstream

        payload. Forged requests could return list of private repositories in the system.

      - security(medium): general-security: limit the maximum password input length

        to 72 characters.

      - security(medium): select2: always escape .text attributes to prevent XSS

        via branches or tags names.

      Performance

      ^^^^^^^^^^^

      - git: improve performance and reduce memory usage on large clones.

      Fixes

      ^^^^^

      - user-groups: fix potential problem with ldap group sync in external auth plugins.

      Upgrade notes

      ^^^^^^^^^^^^^

      - This release changes the maximum allowed input password to 72 characters. This

        prevent resource consumption attack. If you need longer password than 72

        characters please contact our team.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink docs: added release notes for 4.9.1	r2197	\|RCE\| 4.9.1 \|RNS\|
		-----------------

		Release Date
		^^^^^^^^^^^^

		- 2017-10-26


		New Features
		^^^^^^^^^^^^



		General
		^^^^^^^



		Security
		^^^^^^^^

		- security(critical): repo-forks: fix issue when forging fork_repo_id parameter
		could allow reading other people forks.
		- security(high): auth: don't expose full set of permissions into channelstream
		payload. Forged requests could return list of private repositories in the system.
		- security(medium): general-security: limit the maximum password input length
		to 72 characters.
		- security(medium): select2: always escape .text attributes to prevent XSS
		via branches or tags names.



		Performance
		^^^^^^^^^^^

		- git: improve performance and reduce memory usage on large clones.



		Fixes
		^^^^^


		- user-groups: fix potential problem with ldap group sync in external auth plugins.



		Upgrade notes
		^^^^^^^^^^^^^

		- This release changes the maximum allowed input password to 72 characters. This
		prevent resource consumption attack. If you need longer password than 72
		characters please contact our team.