---
title: "Gerrit 2.11 Release"
permalink: 2.11.html
hide_sidebar: true
hide_navtoggle: true
toc: true
---
Download: **[2.11.12](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.12.war)**
| [2.11.11](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.11.war)
| [2.11.10](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.10.war)
| [2.11.9](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.9.war)
| [2.11.8](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.8.war)
| [2.11.7](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.7.war)
| [2.11.6](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.6.war)
| [2.11.5](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.5.war)
| [2.11.4](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.4.war)
| [2.11.3](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.3.war)
| [2.11.2](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.2.war)
| [2.11.1](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.1.war)
| [2.11](https://gerrit-releases.storage.googleapis.com/gerrit-2.11.war)

Documentation: **[2.11.12](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.12/index.html)**
| [2.11.11](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.11/index.html)
| [2.11.10](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.10/index.html)
| [2.11.9](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.9/index.html)
| [2.11.8](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.8/index.html)
| [2.11.7](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.7/index.html)
| [2.11.6](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.6/index.html)
| [2.11.5](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.5/index.html)
| [2.11.4](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.4/index.html)
| [2.11.3](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.3/index.html)
| [2.11.2](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.2/index.html)
| [2.11.1](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11.1/index.html)
| [2.11](https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/index.html)
## Release Highlights
* [Issue 505](https://bugs.chromium.org/p/gerrit/issues/detail?id=505):
Changes can be created and edited directly in the browser.
* Many improvements in the new change screen.
* The old change screen is removed.
* For full details please refer to the [release notes on the old site](http://gerrit-documentation.storage.googleapis.com/ReleaseNotes/ReleaseNotes-2.11.html).
## Bugfix Releases
### 2.11.12
* [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
  Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

  See the following section for details.

* Upgrade JGit to 4.5.5.201812240535-r.

  This upgrade includes several major versions since 4.0.1 used in Gerrit
  version 2.11.11. Important fixes are summarized below. Please refer to the
  corresponding JGit release notes for full details.

  * [JGit 4.5.5](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.5):

    * [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
      Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

      AdvertiseRefsHook was not called for `git-upload-pack` in protocol v0
      stateless transports, meaning that `wants` were not validated and
      a user could fetch anything that is pointed to by any ref (using fetch-by-sha1),
      as long as they could guess the object name.

  * [JGit 4.5.4](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.4):

    * Fix LockFile semantics when running on NFS.
    * Honor trustFolderStats also when reading packed-refs.

  * [JGit 4.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.3):

    * Fix exception handling for opening bitmap index files.

  * [JGit 4.5.2](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

    * Fix pack marked as corrupted even if it isn't.

  * [JGit 4.5.1](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

    * Don't remove Pack when FileNotFoundException is transient.

  * [JGit 4.1.0](https://projects.eclipse.org/projects/technology.jgit/releases/4.1.0):

    * Handle stale NFS file handles on packed-refs file.
    * Use java.io.File instead of NIO to check existence of loose objects in
      ObjectDirectory to speed up inserting of loose objects.
    * Reduce memory consumption when creating bitmaps during writing pack files.
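
The following is an added example, not code from Gerrit or JGit: a simplified model of the `wants` check described for Issue 10262, showing why the ref-visibility hook has to run on every stateless request. The class name, the `rejectedWants` helper, the ref names and the shortened object names are all assumptions made for illustration.

```java
import java.util.*;
import java.util.function.UnaryOperator;

/** Simplified model of upload-pack "want" validation; not JGit code. */
public class WantValidation {
    /**
     * Returns the wants that must be rejected. A stateless transport handles
     * each request from scratch, so the visibility hook has to run again
     * before wants are checked. Passing hook == null models the behaviour
     * before the fix, where the hook was skipped and every ref tip counted.
     */
    static List<String> rejectedWants(Map<String, String> allRefs,
                                      UnaryOperator<Map<String, String>> hook,
                                      List<String> wants) {
        Map<String, String> advertised = (hook == null) ? allRefs : hook.apply(allRefs);
        Set<String> allowedTips = new HashSet<>(advertised.values());
        List<String> rejected = new ArrayList<>();
        for (String want : wants) {
            if (!allowedTips.contains(want)) {
                rejected.add(want);
            }
        }
        return rejected;
    }

    public static void main(String[] args) {
        // Constructed sample data: ref name -> object name (shortened placeholders).
        Map<String, String> allRefs = new LinkedHashMap<>();
        allRefs.put("refs/heads/master", "1111111");
        allRefs.put("refs/heads/private", "2222222");

        // Hypothetical policy: this caller may not see refs/heads/private.
        UnaryOperator<Map<String, String>> hook = refs -> {
            Map<String, String> visible = new LinkedHashMap<>(refs);
            visible.remove("refs/heads/private");
            return visible;
        };

        List<String> wants = Arrays.asList("1111111", "2222222");
        System.out.println("hook applied: rejected " + rejectedWants(allRefs, hook, wants));
        System.out.println("hook skipped: rejected " + rejectedWants(allRefs, null, wants));
    }
}
```
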
### 2.11.11
Upgrade jsch from 0.1.51 to 0.1.54 to get security fixes:

* [CVE-2015-4000](https://nvd.nist.gov/vuln/detail/CVE-2015-4000): Weak Diffie-Hellman
  vulnerability, AKA "Logjam".

  The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS
  connections to 512-bit export-grade cryptography. This allows the attacker to read
  and modify any data passed over the connection.

  On February 22, 2018, GitHub [removed support for weak cryptographic standards](https://githubengineering.com/crypto-removal-notice/).
  As a result, replication to GitHub over SSH no longer works with the
  diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1 key exchange algorithms.

* [CVE-2016-5725](https://nvd.nist.gov/vuln/detail/CVE-2016-5725): Directory traversal
  vulnerability.

  Versions of jsch prior to 0.1.54 have a directory traversal vulnerability
  on Windows. When the mode is `ChannelSftp.OVERWRITE`, it allows remote SFTP
  servers to write to arbitrary files via a `..\` (dot dot backslash) in a
  response to a recursive `GET` command.

For other fixes in jsch since 0.1.51, please refer to the
[jsch change log](http://www.jcraft.com/jsch/ChangeLog).
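
The following is an added example, not code from jsch or Gerrit: a client-side check of the kind that blocks the CVE-2016-5725 class of bug, by validating each file name a remote server returns before it is used as a local path. The class name, the `resolveEntry` helper, the `downloads` directory and the sample names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Client-side check for file names returned by a remote listing; not jsch code. */
public class SafeRemoteName {
    /**
     * Resolves a server-supplied entry name under destDir, or throws if the
     * name could escape it. Both '/' and '\' are treated as separators on
     * every platform, because "..\" is an ordinary file name on Unix but a
     * parent directory reference on Windows.
     */
    static Path resolveEntry(Path destDir, String remoteName) throws IOException {
        if (remoteName.isEmpty()
                || remoteName.equals(".") || remoteName.equals("..")
                || remoteName.indexOf('/') >= 0
                || remoteName.indexOf('\\') >= 0
                || remoteName.indexOf(':') >= 0      // drive letters, alternate streams
                || remoteName.indexOf('\0') >= 0) {
            throw new IOException("unsafe remote file name: " + remoteName);
        }
        Path base = destDir.toAbsolutePath().normalize();
        Path target = base.resolve(remoteName).normalize();
        // Defence in depth: the normalized result must still be inside destDir.
        if (!target.startsWith(base)) {
            throw new IOException("path escapes destination: " + remoteName);
        }
        return target;
    }

    public static void main(String[] args) {
        Path dest = Paths.get("downloads"); // hypothetical local destination
        // Constructed sample names, as a listing from an untrusted server might contain.
        String[] names = { "report.txt", "..\\..\\outside.txt", "../outside.txt", "..", "C:outside" };
        for (String name : names) {
            try {
                System.out.println("accept " + resolveEntry(dest, name));
            } catch (IOException e) {
                System.out.println("reject " + e.getMessage());
            }
        }
    }
}
```

Only `report.txt` is accepted; every other sample name is rejected on any operating system, because the separator check does not depend on the platform's own path rules.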