Gerrit 2.11 Release
Release Highlights
- Issue 505: Changes can be created and edited directly in the browser.
- Many improvements in the new change screen.
- The old change screen is removed.
- For full details please refer to the release notes on the old site.
Bugfix Releases
2.11.12
- Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports. See the following section for details.
Upgrade JGit to 4.5.5.201812240535-r.
This upgrade spans several JGit releases beyond 4.0.1, the version used in Gerrit 2.11.11. The important fixes are summarized below; please refer to the corresponding JGit release notes for full details.
JGit 4.5.5:
- Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports. AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.
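The following is an added illustration of the check that Issue 10262 restores, written for these notes rather than taken from JGit. It models the server side only: a ref-visibility filter standing in for AdvertiseRefsHook, and want validation that accepts a requested object only if it is reachable from a ref the client was allowed to see. The commit graph, ref names and the "reachable from an advertised ref" policy are constructed assumptions, not JGit's exact request policy.

```python
from collections import deque

# Constructed sample history: commit id -> parent ids (placeholder ids, not real SHA-1s).
COMMITS = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],     # tip of refs/heads/master
    "p1": ["c1"],     # work reachable only from a ref the client may not see
    "p2": ["p1"],     # tip of refs/heads/private
}

# Every ref in the repository before any visibility filtering.
ALL_REFS = {
    "refs/heads/master": "c3",
    "refs/heads/private": "p2",
}

def filter_advertised_refs(refs, visible_prefixes):
    """Stand-in for JGit's AdvertiseRefsHook: keep only refs the client may see."""
    return {name: tip for name, tip in refs.items()
            if any(name.startswith(p) for p in visible_prefixes)}

def reachable_from(tips, commits):
    """Walk the parent links from the given tips and return every commit reached."""
    seen, queue = set(), deque(tips)
    while queue:
        commit = queue.popleft()
        if commit in seen:
            continue
        seen.add(commit)
        queue.extend(commits.get(commit, []))
    return seen

def invalid_wants(wants, advertised_refs, commits):
    """Return the wants that are not reachable from any advertised ref."""
    allowed = reachable_from(advertised_refs.values(), commits)
    return {w for w in wants if w not in allowed}

def server_accepts(wants, visible_prefixes, apply_hook):
    """True if upload-pack would serve the wants.

    apply_hook=False reproduces the defect: the hook is skipped, so wants are
    checked against every ref and a guessed object name in a hidden ref is served.
    """
    refs = filter_advertised_refs(ALL_REFS, visible_prefixes) if apply_hook else ALL_REFS
    return not invalid_wants(wants, refs, COMMITS)
```

With the hook skipped, a client that may only see refs/heads/master is still served "p1"; with the hook applied the same request is rejected while "c2" remains fetchable.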
JGit 4.5.4:
- Fix LockFile semantics when running on NFS.
- Honor trustFolderStats also when reading packed-refs.
JGit 4.5.3:
- Fix exception handling for opening bitmap index files.
JGit 4.5.2:
- Fix pack marked as corrupted even if it isn't.
JGit 4.5.1:
- Don't remove Pack when FileNotFoundException is transient.
JGit 4.1.0:
- Handle stale NFS file handles on packed-refs file.
- Use java.io.File instead of NIO to check existence of loose objects in ObjectDirectory to speed up inserting of loose objects.
- Reduce memory consumption when creating bitmaps during writing pack files.
2.11.11
Upgrade jsch from 0.1.51 to 0.1.54 to get security fixes:
- CVE-2015-4000: Weak Diffie-Hellman vulnerability, AKA “Logjam”. The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography, which lets the attacker read and modify any data passed over the connection. On February 22, 2018, GitHub removed support for weak cryptographic standards. As a result, replication to GitHub over SSH no longer works with the diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1 key exchange algorithms.
- CVE-2016-5725: Directory traversal vulnerability. Versions of jsch prior to 0.1.54 have a directory traversal vulnerability on Windows. When the mode is ChannelSftp.OVERWRITE, it allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.
For other fixes in jsch since 0.1.51, please refer to the jsch change log.