pages/site/releases/2.9.md - homepage - Git at Google

 ---
 title: "Gerrit 2.9 Release"
 permalink: 2.9.html
 hide_sidebar: true
 hide_navtoggle: true
 toc: true
 ---
 Download: **[2.9.5](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.5.war)**
 | [2.9.4](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.4.war)
 | [2.9.3](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.3.war)
 | [2.9.2](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.2.war)
 | [2.9.1](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.1.war)
 | [2.9](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.war)

 Documentation: **[2.9.5](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.5/index.html)**
 | [2.9.4](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/index.html)
 | [2.9.3](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.3/index.html)
 | [2.9.2](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.2/index.html)
 | [2.9.1](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.1/index.html)
 | [2.9](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9/index.html)


 ## Release Highlights
 * [Issue 2065](http://code.google.com/p/gerrit/issues/detail?id=2065):
 The new change screen is now the default change screen.

   The [documentation of the new review UI](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9/user-review-ui.html)
   describes the new screens in detail and highlights the important functionality with
   screenshots.

   Users that are accessing the new change screen for the first time are informed about
   the new change screen by a welcome popup. The welcome popup links to the review UI
   documentation and allows users to go back to the old change screen.

 * For full details please refer to the [release notes on the old site](http://gerrit-documentation.storage.googleapis.com/ReleaseNotes/ReleaseNotes-2.9.html).

 ## Bugfix Releases

 ### 2.9.5

 * [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
 Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

   See the following section for details.

 * Upgrade JGit to 4.5.5.201812240535-r.

   This upgrade includes several major versions since 3.4.2 used in Gerrit
   version 2.9.4. Important fixes are summarized below. Please refer to the
   corresponding JGit release notes for full details.

   * [JGit 4.5.5](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.5):

     * [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
     Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

       AdvertiseRefsHook was not called for `git-upload-pack` in protocol v0
       stateless transports, meaning that `wants` were not validated and
       a user could fetch anything that is pointed to by any ref (using fetch-by-sha1),
       as long as they could guess the object name.

   * [JGit 4.5.4](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.4):

     * Fix LockFile semantics when running on NFS.
     * Honor trustFolderStats also when reading packed-refs.

   * [JGit 4.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.3):

     * Fix exception handling for opening bitmap index files.

   * [JGit 4.5.2](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

     * Fix pack marked as corrupted even if it isn't.

   * [JGit 4.5.1](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

     * Don't remove Pack when FileNotFoundException is transient.

   * [JGit 4.1.0](https://projects.eclipse.org/projects/technology.jgit/releases/4.1.0):

     * Handle stale NFS file handles on packed-refs file.
     * Use java.io.File instead of NIO to check existence of loose objects in
     ObjectDirectory to speed up inserting of loose objects.
     * Reduce memory consumption when creating bitmaps during writing pack files.

   * [JGit 3.7.1](https://projects.eclipse.org/projects/technology.jgit/releases/3.7.1):

     * Fix massive performance problem in Gerrit caused by ObjectWalk.markUninteresting
     marking the root tree as uninteresting.

   * [JGit 3.7.0](https://projects.eclipse.org/projects/technology.jgit/releases/3.7.0):

     * Provide more details in exceptions thrown when packfile is invalid.

   * [JGit 3.6.2](https://projects.eclipse.org/projects/technology.jgit/releases/3.6.2):

     * [Issue 3094](https://bugs.chromium.org/p/gerrit/issues/detail?id=3094):
     Don't remove pack from pack list for problems which could be transient.

     * Log reason for ignoring pack when IOException occurred.

   * [JGit 3.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3):

     * Fix for vulnerability CVE-2014-9390.

 * Fix resource exhaustion due to unclosed LDAP connection.

   When `auth.type` is set to `LDAP` (not `LDAP_BIND`), two LDAP connections
   are made, but one was not being closed. This eventually caused resource
   exhaustion and LDAP authentications failed.
	---
	title: "Gerrit 2.9 Release"
	permalink: 2.9.html
	hide_sidebar: true
	hide_navtoggle: true
	toc: true
	---
	Download: [2.9.5](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.5.war)
	\| [2.9.4](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.4.war)
	\| [2.9.3](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.3.war)
	\| [2.9.2](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.2.war)
	\| [2.9.1](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.1.war)
	\| [2.9](https://gerrit-releases.storage.googleapis.com/gerrit-2.9.war)

	Documentation: [2.9.5](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.5/index.html)
	\| [2.9.4](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/index.html)
	\| [2.9.3](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.3/index.html)
	\| [2.9.2](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.2/index.html)
	\| [2.9.1](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.1/index.html)
	\| [2.9](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9/index.html)


	## Release Highlights
	* [Issue 2065](http://code.google.com/p/gerrit/issues/detail?id=2065):
	The new change screen is now the default change screen.

	The [documentation of the new review UI](https://gerrit-documentation.storage.googleapis.com/Documentation/2.9/user-review-ui.html)
	describes the new screens in detail and highlights the important functionality with
	screenshots.

	Users that are accessing the new change screen for the first time are informed about
	the new change screen by a welcome popup. The welcome popup links to the review UI
	documentation and allows users to go back to the old change screen.

	* For full details please refer to the [release notes on the old site](http://gerrit-documentation.storage.googleapis.com/ReleaseNotes/ReleaseNotes-2.9.html).

	## Bugfix Releases

	### 2.9.5

	* [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
	Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

	See the following section for details.

	* Upgrade JGit to 4.5.5.201812240535-r.

	This upgrade includes several major versions since 3.4.2 used in Gerrit
	version 2.9.4. Important fixes are summarized below. Please refer to the
	corresponding JGit release notes for full details.

	* [JGit 4.5.5](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.5):

	* [Issue 10262](https://bugs.chromium.org/p/gerrit/issues/detail?id=10262):
	Fix validation of `wants` in `git-upload-pack` for protocol v0 stateless transports.

	AdvertiseRefsHook was not called for `git-upload-pack` in protocol v0
	stateless transports, meaning that `wants` were not validated and
	a user could fetch anything that is pointed to by any ref (using fetch-by-sha1),
	as long as they could guess the object name.

	* [JGit 4.5.4](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.4):

	* Fix LockFile semantics when running on NFS.
	* Honor trustFolderStats also when reading packed-refs.

	* [JGit 4.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.3):

	* Fix exception handling for opening bitmap index files.

	* [JGit 4.5.2](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

	* Fix pack marked as corrupted even if it isn't.

	* [JGit 4.5.1](https://projects.eclipse.org/projects/technology.jgit/releases/4.5.2):

	* Don't remove Pack when FileNotFoundException is transient.

	* [JGit 4.1.0](https://projects.eclipse.org/projects/technology.jgit/releases/4.1.0):

	* Handle stale NFS file handles on packed-refs file.
	* Use java.io.File instead of NIO to check existence of loose objects in
	ObjectDirectory to speed up inserting of loose objects.
	* Reduce memory consumption when creating bitmaps during writing pack files.

	* [JGit 3.7.1](https://projects.eclipse.org/projects/technology.jgit/releases/3.7.1):

	* Fix massive performance problem in Gerrit caused by ObjectWalk.markUninteresting
	marking the root tree as uninteresting.

	* [JGit 3.7.0](https://projects.eclipse.org/projects/technology.jgit/releases/3.7.0):

	* Provide more details in exceptions thrown when packfile is invalid.

	* [JGit 3.6.2](https://projects.eclipse.org/projects/technology.jgit/releases/3.6.2):

	* [Issue 3094](https://bugs.chromium.org/p/gerrit/issues/detail?id=3094):
	Don't remove pack from pack list for problems which could be transient.

	* Log reason for ignoring pack when IOException occurred.

	* [JGit 3.5.3](https://projects.eclipse.org/projects/technology.jgit/releases/3.5.3):

	* Fix for vulnerability CVE-2014-9390.

	* Fix resource exhaustion due to unclosed LDAP connection.

	When `auth.type` is set to `LDAP` (not `LDAP_BIND`), two LDAP connections
	are made, but one was not being closed. This eventually caused resource
	exhaustion and LDAP authentications failed.