Update 3.3.0-rc7 with security fixes and more since rc6

Gerrit 3.3.0-rc7 includes the latest security fixes, mostly coming from
the merge of the 3.2.5(.1) release from the stable-3.2 branch.

Make some indentations consistent with these additions.

Change-Id: I9bfe3759bc47835c8b00c432b637d4bf6b3609a3
diff --git a/pages/site/releases/3.3.md b/pages/site/releases/3.3.md
index f09cca1..fbefe1d 100644
--- a/pages/site/releases/3.3.md
+++ b/pages/site/releases/3.3.md
@@ -1,14 +1,14 @@
 ---
-title: "Gerrit 3.3.0-rc6 release (in development)"
+title: "Gerrit 3.3.0-rc7 release (in development)"
 permalink: 3.3.html
 hide_sidebar: true
 hide_navtoggle: true
 toc: true
 ---
 
-Download: **[3.3.0-rc6](https://gerrit-releases.storage.googleapis.com/gerrit-3.3.0-rc6.war)**
+Download: **[3.3.0-rc7](https://gerrit-releases.storage.googleapis.com/gerrit-3.3.0-rc7.war)**
 
-Documentation: **[3.3.0-rc6](https://gerrit-documentation.storage.googleapis.com/Documentation/3.3.0/index.html)**
+Documentation: **[3.3.0-rc7](https://gerrit-documentation.storage.googleapis.com/Documentation/3.3.0/index.html)**
 
 ## Release highlights
 
@@ -57,6 +57,51 @@
 
 ChangeAttributeFactory will be removed in the next release.
 
+## Security fixes
+
+* [Issue 13621](https://bugs.chromium.org/p/gerrit/issues/detail?id=13621);
+  [CVE-2020-8919](https://nvd.nist.gov/vuln/detail/CVE-2020-8919):
+  Make `PermissionBackend#ForRef` authoritative.
+
+  Fixes a misconception that leads to data being accessible through Gerrit
+  APIs that should be locked down.
+
+  Gerrit had two components for determining if a Git ref is visible to a
+  user: `(Default)RefFilter` and `PermissionBackend#ForRef` (e.g.,
+  `RefControl`). The former was always capable of providing correct results
+  for all refs. The latter only had logic to decide if a Git ref is visible
+  according to the Gerrit `READ` permissions. This includes all refs under
+  `refs/heads` as well as any other ref that isn't a database ref or a Git
+  tag. This component was unaware of Git tags and notedb-related refs. Hence,
+  when asked for a database reference such as `refs/changes/xx/yyyyxx/meta`,
+  the logic would allow access if the user has `READ` permissions on any of
+  the ref prefixes (such as the default "read refs/* Anonymous Users").
+
+  That was problematic, because it bypassed
+  [documented behavior](http://gerrit-documentation.storage.googleapis.com/Documentation/3.3.0/access-control.html)
+  where a user should only have access to a change if he can see the
+  destination ref. The same goes for other database references.
+
+* [Issue 13514](https://bugs.chromium.org/p/gerrit/issues/detail?id=13514);
+  [CVE-2020-8919](https://nvd.nist.gov/vuln/detail/CVE-2020-8919):
+  Work around Gitiles bug on `All-Users` visibility.
+
+  Gitiles has a special `FilteredRepository` wrapper that allows carefully
+  hiding refs based on the project's ACLs. There is however an optimization
+  that skips the filtering in case a user has `READ` permissions on every ACL
+  pattern(s). When the target repository is `All-Users`, the optimization
+  turns into a security issue because it allows seeing all personal information
+  associated with all accounts, i.e.:
+
+  * draft comments
+  * draft edits
+  * personally identifiable information (PII) of all users
+  * external ids
+
+  This fix now blocks Gitiles or any other part of Gerrit to abuse this power
+  when the target repository is `All-Users`, where nobody can be authorized
+  to skip the ACLs evaluation anyway.
+
 ## Native packaging
 
 * Allow to use init as a param in docker run
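Review bot: Both new entries in the "Security fixes" section, Issue 13621 and Issue 13514, cite CVE-2020-8919 with the same NVD link, although they describe two different defects (the `PermissionBackend#ForRef` visibility decision and the Gitiles `FilteredRepository` optimization on `All-Users`). Please confirm whether one of them should carry a different CVE id. The "documented behavior" link also uses `http://` while the Download and Documentation links at the top of this file use `https://`; switch it to `https://`. Wording nits in the same block: "every ACL pattern(s)" should be "every ACL pattern", "blocks Gitiles or any other part of Gerrit to abuse this power" reads better as "prevents Gitiles or any other part of Gerrit from abusing this power", and "if he can see the destination ref" could be "if they can see the destination ref".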
@@ -188,26 +233,26 @@
 * [Issue 12720](https://bugs.chromium.org/p/gerrit/issues/detail?id=12720);
   Fix extensibility of replication configuration parsing
 
-    This situation was causing a regression for plugins that extend the
-    replication plugin (e.g. pull-replication) because they are expecting
-    a different remote configuration class.
+  This situation was causing a regression for plugins that extend the
+  replication plugin (e.g. pull-replication) because they are expecting
+  a different remote configuration class.
 
 * [Issue 12769](https://bugs.chromium.org/p/gerrit/issues/detail?id=12769);
   Fix synopsis in replication start cmd documentation
 
-    `--url` is usable with `--all` or projects and on its own.
-    Updated the usage to reflect this.
+  `--url` is usable with `--all` or projects and on its own.
+  Updated the usage to reflect this.
 
 * [Issue 12769](https://bugs.chromium.org/p/gerrit/issues/detail?id=12769);
   Don't wait for pending events to process on startup
 
-    Previously, on large Gerrit installations with many projects and/or many
-    replication destinations, the replication plugin could take very long
-    periods of time to startup. This was particularly a problem if the
-    pending (persisted) event count was large as they all were rescheduled
-    before the plugin finished initializing. Change this behavior so that
-    startup merely begins the process of scheduling the pending events, but
-    does not wait for them to complete.
+  Previously, on large Gerrit installations with many projects and/or many
+  replication destinations, the replication plugin could take very long
+  periods of time to startup. This was particularly a problem if the
+  pending (persisted) event count was large as they all were rescheduled
+  before the plugin finished initializing. Change this behavior so that
+  startup merely begins the process of scheduling the pending events, but
+  does not wait for them to complete.
 
 * [Issue 13480](https://bugs.chromium.org/p/gerrit/issues/detail?id=13480);
   Don't output directories during task walk
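Review bot: The two consecutive entries "Fix synopsis in replication start cmd documentation" and "Don't wait for pending events to process on startup" both link Issue 12769 even though they describe unrelated changes; since this hunk already touches both entries, please check that the second one references the right issue. In the re-indented paragraph, "take very long periods of time to startup" should read "to start up".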
@@ -292,12 +337,14 @@
 
 ## JGit changes
 
-* [Issue 13481](https://bugs.chromium.org/p/gerrit/issues/detail?id=13481);
-  Update jgit to v5.9.0.202009080501-r
+* [Issue 13694](https://bugs.chromium.org/p/gerrit/issues/detail?id=13694);
+  Update jgit to e2663a8b8.
+
+  This JGit update is needed to fix the git wire protocol v2 issue on JDK 15.
 
 ## Elasticsearch changes
 
-* ElasticContainer: Upgrade V6_8 to elasticsearch 6.8.12
+* ElasticContainer: Upgrade V6_8 to elasticsearch 6.8.13
 
 * ElasticContainer: Upgrade V7_8 to elasticsearch 7.8.1
 
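Review bot: The new JGit entry, "Update jgit to e2663a8b8.", names an abbreviated commit hash where the line it replaces named a release tag (v5.9.0.202009080501-r). A reader of the release notes cannot tell from the short hash which JGit version this corresponds to, so suggest linking the commit or stating the release it is based on. The trailing period is also inconsistent with the other entries in this list.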
@@ -314,6 +361,9 @@
 
 * Upgrade soy to 2020-08-24
 
+* [Issue 13474](https://bugs.chromium.org/p/gerrit/issues/detail?id=13474);
+  Upgrade testcontainers to 1.15.0
+
 ## Other core changes
 
 * Limit graceful shutdown to SSH sessions serving git requests