Current Release (1.9.3)

This is the current stable release.

2022-04-09

!! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!

There is a security vulnerability in version 1.9.2 which allows an attacker to gain
elevated access rights. The vulnerability is present when the Config User Service is used as the
user service, which is the default.

Version 1.9.2 introduced a new implementation to store user data in the user config file,
which holds user name, password, access rights etc. This was done to solve problems with
very large user bases (pull request #1364). This new implementation does not properly escape all
control characters, like newline and tab. As a result, a normal user, when logged into
Gitblit, can edit their profile data and enter values, e.g. in the email address field, that
contain control characters and are written unescaped to the text file stored on disk, where they
are interpreted as file structure. This allows the malicious user to give themselves e.g. elevated
access rights on their account.

This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
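The following is an added example and not Gitblit's code: it models a minimal git-config-style `[user "name"]` / `key = value` store, writes one profile with a serializer that emits values verbatim (the behaviour described above) and with one that escapes newline, tab, backslash and quote, and reads both files back with the same parser. The user name, field names and the sample email value `HOSTILE_EMAIL` are constructed for the example; they are not taken from the Gitblit user file format or from the report. The round trip is the check a maintainer would add as a regression test: a value must come back as exactly one field, never as additional lines.

```python
import re

# Characters the format reads as structure or as escape syntax; each needs an
# escape sequence when it appears inside a value.
ESCAPES = {"\n": "\\n", "\t": "\\t", "\\": "\\\\", '"': '\\"'}
UNESCAPES = {"n": "\n", "t": "\t", "\\": "\\", '"': '"'}

# Constructed sample input: an email address carrying a newline and a tab,
# followed by text shaped like another key = value line.
HOSTILE_EMAIL = "alice@example.org\n\tcanAdmin = true"


def serialize_unsafe(username, fields):
    """'Before' behaviour: values are written to the file verbatim."""
    lines = [f'[user "{username}"]']
    for key, value in fields.items():
        lines.append(f"\t{key} = {value}")
    return "\n".join(lines) + "\n"


def escape_value(value):
    """Quote a value and escape every character the format treats specially."""
    out = []
    for ch in value:
        if ch in ESCAPES:
            out.append(ESCAPES[ch])
        elif ord(ch) < 0x20 or ch == "\x7f":
            # The format has no escape for other control characters, so refuse
            # them instead of writing them raw.
            raise ValueError(f"control character U+{ord(ch):04X} not allowed in value")
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def serialize_safe(username, fields):
    """'After' behaviour: every value (and the section name) is quoted and escaped."""
    lines = [f"[user {escape_value(username)}]"]
    for key, value in fields.items():
        lines.append(f"\t{key} = {escape_value(value)}")
    return "\n".join(lines) + "\n"


SECTION_RE = re.compile(r'^\[user "((?:[^"\\]|\\.)*)"\]$')
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def unescape_value(raw):
    """Reverse escape_value; unquoted values are taken literally."""
    if not (len(raw) >= 2 and raw.startswith('"') and raw.endswith('"')):
        return raw
    body, out, i = raw[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":
            i += 1
            if i >= len(body) or body[i] not in UNESCAPES:
                raise ValueError(f"bad escape sequence in {raw!r}")
            out.append(UNESCAPES[body[i]])
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def parse(text):
    """Read the file back into {username: {key: value}}; later keys overwrite earlier ones."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = unescape_value('"' + m.group(1) + '"')
            users[current] = {}
            continue
        m = KEY_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        users[current][m.group(1)] = unescape_value(m.group(2))
    return users


def profile_after_roundtrip(serializer):
    """Store alice's profile with the given serializer and return what is read back."""
    fields = {"canAdmin": "false", "email": HOSTILE_EMAIL}
    return parse(serializer("alice", fields))["alice"]


def rejects_other_control_chars():
    """The hardened serializer refuses control characters it cannot escape."""
    try:
        escape_value("a\x00b")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", profile_after_roundtrip(serialize_unsafe))
    print("safe:  ", profile_after_roundtrip(serialize_safe))
```

With the verbatim serializer the stored record comes back with `canAdmin` set to `true` and a truncated email, because the parser cannot tell the injected line from one the application wrote. With the escaping serializer the email round-trips unchanged as a single field and `canAdmin` stays `false`.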

Many thanks to GitHub user @YYHYlh for finding and reporting this issue (issue 1410).

Note

The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.

security

  • Fix escaping control characters in config user service, resolving a security vulnerability. (issue 1410)

Next Release (1.10.0-SNAPSHOT)

These changes are queued for an upcoming release.

PENDING

Highlights:

* Support for ECDSA and Ed25519 SSH keys
* Move to Java 8
* Explicitly disable requesting optional client TLS certificates
* Copy-to-clipboard button is back and working

While old DSA SSH host keys can still be used, a new Gitblit installation will no longer
generate a DSA host key. The default set of host keys is now RSA, ECDSA and Ed25519.

Snapshot builds of the current master branch are now available as Docker containers on
Docker Hub under the "Nightly" tag.

Note

From 1.10.0 on, Gitblit requires Java 8 as the minimum Java version.

Should you have disabled the Flash-based copy-to-clipboard function because it wasn't working anymore (web.allowFlashCopyToClipboard = false), you may want to rethink this and enable it again. The configuration property has the same name, but the mechanism was exchanged. Flash is gone, and a modern JavaScript solution is now used to copy text directly to the clipboard (via clipboard.js).

The setting 'server.requireClientCertificates' now has three values: required, optional and none. 'required' is synonymous with the old 'true' value and 'optional' with the old 'false' value, while the new 'none' value results in the server never asking the client to present a client certificate at all. The old values 'true' and 'false' can still be used and keep their meaning.

security

  • Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/" (CVE-2022-31268). This was fixed by updating Jetty. (issue 1409)

fixes

  • Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue 1359, pull request #1435)
  • Fix tab-to-space conversion to work like tabs. (pull request #1065 by @QuentinC)
  • Fix user effective permission display when user is in multiple groups with different permissions. (pull request #1100 by @felazuris)
  • Fix issue in pt under Python 3. (pull request #1428 by @urkle)
  • Fix null pointer exception which could occur during debug logging. (pull request #1433)
  • Fix Bugtraq to fall back to UTF-8 if the commit encoding is unsupported.
  • Fix errors in Bugtraq that prevented a commit from being displayed at all.
  • Fix misaligned images in primary repository URL display. (issue 1437)
  • Fix incorrect text being copied by the copy button on the tickets page.

changes

additions

new settings

server.requireClientCertificates = optional

dependency changes

  • update to JavaMail 1.5.6 (pull request #1217 by @paladox)
  • update to Google Guice 5.1.0
  • update to Google Guava 31.1-jre
  • update to Google Gson 2.10
  • update to Apache commons-io 2.11.0
  • update to Apache commons-codec 1.9
  • update to Apache commons-compress 1.22
  • update to libpam4j 1.11
  • update to MINA SSHD 1.7.0
  • update to BouncyCastle 1.69
  • update to Jetty 9.4.49.v20220914 (pull request #1213 by @paladox, plus more)
  • update to JGit 4.11.9.201909030838-r (pull request #1252 by @jvanhercke, plus more)
  • update to Bugtraq v0.4
  • added clipboard.js, replacing Clippy

contributors

  • @felazuris
  • @paladox
  • @piradix
  • @QuentinC
  • @xxcdd
  • Edward Rudd
  • Florian Zschocke
  • Jan Vanhercke
  • Martin Spielmann
  • Odd Eirik Nes
  • Tino Desjardins