Show More
release-notes-4.9.1.rst
54 lines
| 1.0 KiB
| text/x-rst
|
RstLexer
r2197 | |RCE| 4.9.1 |RNS| | |||
----------------- | ||||
Release Date | ||||
^^^^^^^^^^^^ | ||||
- 2017-10-26 | ||||
New Features | ||||
^^^^^^^^^^^^ | ||||
General | ||||
^^^^^^^ | ||||
Security | ||||
^^^^^^^^ | ||||
- security(critical): repo-forks: fix issue when forging fork_repo_id parameter | ||||
could allow reading other people forks. | ||||
- security(high): auth: don't expose full set of permissions into channelstream | ||||
payload. Forged requests could return list of private repositories in the system. | ||||
- security(medium): general-security: limit the maximum password input length | ||||
to 72 characters. | ||||
- security(medium): select2: always escape .text attributes to prevent XSS | ||||
via branches or tags names. | ||||
Performance | ||||
^^^^^^^^^^^ | ||||
- git: improve performance and reduce memory usage on large clones. | ||||
Fixes | ||||
^^^^^ | ||||
- user-groups: fix potential problem with ldap group sync in external auth plugins. | ||||
Upgrade notes | ||||
^^^^^^^^^^^^^ | ||||
- This release changes the maximum allowed input password to 72 characters. This | ||||
prevent resource consumption attack. If you need longer password than 72 | ||||
characters please contact our team. | ||||