u/pc/rhodecode-enterprise-ce-fork-pc Files · docs/release-notes/release-notes-4.9.0.rst

auth: don't break hashing in case of user with empty password....

auth: don't break hashing in case of user with empty password. In some cases such as LDAP user created via external scripts users might set the passwords to empty. The hashing uses the md5(password_hash) to store reference to detect password changes and forbid using the same password. In case of pure LDAP users this is not valid, and we shouldn't raise Errors in such case. This change makes it work for empty passwords now.

marcink - - Load All Authors

File last commit:

r2019:ca2092ce stable


                r2203:8a18c3c3

default

Download file

             release-notes-4.9.0.rst
        
                    66 lines
            
             | 1.9 KiB
            
                | text/x-rst
            
             |
                RstLexer
            
             / docs / release-notes / release-notes-4.9.0.rst
          
                    History
                
                 |
                  Source
                 | Raw
                 |Copy content
                 |Copy permalink

        marcink
    
docs: added release notes for 4.9.0

              r2019
            
      |RCE| 4.9.0 |RNS|

      -----------------

      Release Date

      ^^^^^^^^^^^^

      - 2017-08-12

      New Features

      ^^^^^^^^^^^^

      General

      ^^^^^^^

      - Off cycle Minor release to fix SCM vulnerabilities.

      Security

      ^^^^^^^^

      - security(critical): Bumped GIT to 2.9.5 fixes CVE-2017-1000117

        https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html

      - security(critical): Bumped SVN to 1.9.7 fixes CVE-2017-9800

        https://subversion.apache.org/security/CVE-2017-9800-advisory.txt

      - security(critical): Bumped Mercurial to 4.2.3 fixes  CVE-2017-1000116

        https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29

      Performance

      ^^^^^^^^^^^

      - Fixed Mercurial Stream support for very large repositories. Due to discovered

        bug in WebOb library we manage to fix Mercurial stream support.

        Now cloning very large repos e.g 100GB, ~1mln commits should be much

        faster, and use less memory.

      Fixes

      ^^^^^

      - Fixed problem with default-reviewers in EE package that was missing panel

        title and in some occasions generate 500 errors.

      - Fixed problem with potential URL generation inside our integration.

        This was introduced during pyramid porting. We know ensure that proper

        routing generation is done on all events.

      Upgrade notes

      ^^^^^^^^^^^^^

      - The 4.9.0 release is an off-cycle release. Due to the fact that we needed to

        bump Mercurial from 4.1.X to 4.2.X, and Subversion from 1.9.4 to 1.9.7, we

        released this version not as 4.8.1 security bug fix but 4.9.0.

        We know historically that SVN and Mercurial can have internal api changes.

        We tested basic functionality for all 3 vcs-es but due to very short release

        time we were unable to test everything. Please report any found problems to us

        and we'll for sure address them.

        Note to SVN users: Please make sure to upgrade mod_dav to 1.9.7 version.

        At this time we know Wandisco provides 1.9.7 packages for most major distros.

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages

marcink docs: added release notes for 4.9.0	r2019	\|RCE\| 4.9.0 \|RNS\|
		-----------------

		Release Date
		^^^^^^^^^^^^

		- 2017-08-12


		New Features
		^^^^^^^^^^^^



		General
		^^^^^^^

		- Off cycle Minor release to fix SCM vulnerabilities.


		Security
		^^^^^^^^

		- security(critical): Bumped GIT to 2.9.5 fixes CVE-2017-1000117
		https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1466490.html
		- security(critical): Bumped SVN to 1.9.7 fixes CVE-2017-9800
		https://subversion.apache.org/security/CVE-2017-9800-advisory.txt
		- security(critical): Bumped Mercurial to 4.2.3 fixes CVE-2017-1000116
		https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.3_.282017-08-10.29


		Performance
		^^^^^^^^^^^

		- Fixed Mercurial Stream support for very large repositories. Due to discovered
		bug in WebOb library we manage to fix Mercurial stream support.
		Now cloning very large repos e.g 100GB, ~1mln commits should be much
		faster, and use less memory.


		Fixes
		^^^^^

		- Fixed problem with default-reviewers in EE package that was missing panel
		title and in some occasions generate 500 errors.
		- Fixed problem with potential URL generation inside our integration.
		This was introduced during pyramid porting. We know ensure that proper
		routing generation is done on all events.


		Upgrade notes
		^^^^^^^^^^^^^


		- The 4.9.0 release is an off-cycle release. Due to the fact that we needed to
		bump Mercurial from 4.1.X to 4.2.X, and Subversion from 1.9.4 to 1.9.7, we
		released this version not as 4.8.1 security bug fix but 4.9.0.
		We know historically that SVN and Mercurial can have internal api changes.
		We tested basic functionality for all 3 vcs-es but due to very short release
		time we were unable to test everything. Please report any found problems to us
		and we'll for sure address them.

		Note to SVN users: Please make sure to upgrade mod_dav to 1.9.7 version.
		At this time we know Wandisco provides 1.9.7 packages for most major distros.