Update 2.14 release notes with 2.14.22 security fix

Change-Id: I083b433ca673fe37819d5cd597a294f63f023a57
diff --git a/pages/site/releases/2.14.md b/pages/site/releases/2.14.md
index 41148a5..ec1d333 100644
--- a/pages/site/releases/2.14.md
+++ b/pages/site/releases/2.14.md
@@ -6,8 +6,8 @@
 toc: true
 ---
 
-
-Download: **[2.14.21](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.21.war)**
+Download: **[2.14.22](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.22.war)**
+| [2.14.21](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.21.war)
 | [2.14.20](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.20.war)
 | [2.14.19](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.19.war)
 | [2.14.18](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.18.war)
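Review bot: The deletion of the blank line directly after the front matter (the bare `-` line above the old Download line) is a whitespace change unrelated to adding 2.14.22. Drop it from this change, or confirm that the single remaining blank line is intended, so the diff carries only the release-note update.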
@@ -30,7 +30,8 @@
 | [2.14.1](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.1.war)
 | [2.14](https://gerrit-releases.storage.googleapis.com/gerrit-2.14.war)
 
-Documentation: **[2.14.21](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.21/index.html)**
+Documentation: **[2.14.22](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.22/index.html)**
+| [2.14.21](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.21/index.html)
 | [2.14.20](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.20/index.html)
 | [2.14.19](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.19/index.html)
 | [2.14.18](https://gerrit-documentation.storage.googleapis.com/Documentation/2.14.18/index.html)
@@ -349,6 +350,29 @@
 
 ## Bugfix Releases
 
+### 2.14.22
+
+* Security Fixes
+
+  * [Issue 13514](https://bugs.chromium.org/p/gerrit/issues/detail?id=13514):
+  Work around Gitiles bug on `All-Users` visibility.
+
+    Gitiles has a special `FilteredRepository` wrapper that allows carefully
+    hiding refs based on the project's ACLs. There is however an optimization
+    that skips the filtering in case a user has `READ` permissions on every ACL
+    pattern(s). When the target repository is `All-Users`, the optimization
+    turns into a security issue because it allows seeing all personal information
+    associated with all accounts, i.e.:
+
+    * draft comments
+    * draft edits
+    * personally identifiable information (PII) of all users
+    * external ids
+
+    This fix now blocks Gitiles or any other part of Gerrit to abuse this power
+    when the target repository is `All-Users`, where nobody can be authorized
+    to skip the ACLs evaluation anyway.
+
 ### 2.14.21
 
 * Security Fixes
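Review bot: The 2.14.22 entry calls the change a workaround in its title line ("Work around Gitiles bug on `All-Users` visibility") but "This fix" in its closing paragraph, so a reader cannot tell whether the Gitiles optimization itself was corrected or is only bypassed for `All-Users`. Pick one term and state which component changed. The closing sentence is also hard to parse: "blocks Gitiles or any other part of Gerrit to abuse this power" would read better as "prevents Gitiles, or any other part of Gerrit, from skipping ref filtering when the target repository is `All-Users`", and "every ACL pattern(s)" should be "every ACL pattern". Since the entry lists draft comments, draft edits, PII and external ids as visible, consider adding one sentence telling administrators what action is expected of them beyond upgrading, if any.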