<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title> Apache Allura 1.17.0 released, including critical security fix
</title>
<meta charset="utf-8">
<meta name="description" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects.">
<meta name="keywords" content="">
<meta name="author" content="">
<link rel="canonical" href="//allura.apache.org">
<!-- Facebook Meta Info-->
<meta property="og:url" content="//allura.apache.org">
<meta property="og:image" content="//allura.apache.org/theme/img/logo-asf-apache.png">
<meta property="og:description" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects.">
<meta property="og:title" content="Apache Allura">
<meta property="og:site_name" content="Apache Allura">
<meta property="og:see_also" content="//allura.apache.org">
<!-- Twitter Meta Info-->
<meta name="twitter:card" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects.">
<meta name="twitter:url" content="//allura.apache.org">
<meta name="twitter:title" content="Apache Allura">
<meta name="twitter:description" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects.">
<meta name="twitter:image" content="//allura.apache.org/theme/img/logo-asf-apache.png">
<!-- Google+ Meta Info-->
<meta itemprop="name" content="Apache Allura">
<meta itemprop="description" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects.">
<meta itemprop="image" content="//allura.apache.org/theme/img/logo-asf-apache.png">
<link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/flex.min.css">
<link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/style.css">
<link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/article.css">
</head>
<body cz-shortcut-listen="true" class="pg-">
<section id="content_wrapper" class="mobile-desktop row">
<div id="header" class="row ">
<header id="login_header" class="row">
<div class="bg-shadow pad-vert-md">
<span><h1 class="text-center"><a href="//allura.apache.org">Apache <img src="//allura.apache.org/theme/img/logo_white.png" width="94"> Allura<span class="tm"></span></a></h1></span>
<span></span>
<h6 class="text-center">Open source project hosting platform</h6>
</div>
</header>
</div>
<div class="article-content">
<div class="row bg-white pad-vert-lg">
<div class="row">
<h3 class="text-black text-center">Apache Allura 1.17.0 released, including critical security fix</h3>
</div>
<div class="post-info text-center">
Published:
<abbr class="published" title="2024-06-10T00:00:00+00:00">
Mon 10 June 2024
</abbr>
<br>
Tagged:
<a href="//allura.apache.org/tag/release.html">release</a>
</div>
<div class="row">
<div class="col-20 no-float auto-margin">
<div class="row">
<div class="pad-md text-black"><h4>What's New?</h4>
<p>Apache Allura 1.17.0 has been released. It includes a critical security fix, adds OAuth2 support, and more.</p>
<p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p>
<h4>Critical Security Fix</h4>
<p>CVE-2024-36471: sensitive information exposure via DNS rebinding</p>
<p>Severity: Critical<br>
Versions Affected: 1.0.1 through 1.16.0</p>
<p><strong>Description:</strong><br>
The import functionality checks a user-supplied URL and then fetches it in a separate step, so a DNS rebinding attack can make the hostname resolve to a public address while the URL is being verified and to an internal address when it is actually processed. Project administrators can run these imports, so a project administrator could cause Allura to read from internal services and expose their contents.</p>
<p><strong>Mitigation:</strong><br>
Users of Allura should upgrade to Allura 1.17.0.</p>
<p>If you are unable to upgrade, set this in your .ini config file:</p>
<div class="highlight"><pre><span></span><code>disable_entry_points.allura.importers = forge-tracker, forge-discussion
</code></pre></div>
<p>That same .ini setting is also recommended for users who want maximum security on their Allura instance and don't need those importers available.</p>
<p><strong>Credit:</strong><br>
This issue was discovered by <a href="https://x.com/truffzor">truff</a></p>
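<p>The check-then-fetch gap described above, as an added example that is not Allura's code: a validation step that resolves the hostname once and an HTTP fetch that resolves it again, beside a version that validates every resolved address and pins the fetch to one of them. The URL, the <code>FlipFlopResolver</code> stand-in for a rebinding DNS server, and the function names are all constructed for illustration, so the example runs offline.</p>

```python
"""
Added example, not Allura's code: the check-then-use gap a DNS rebinding
attack exploits in an importer, beside a fetch that pins the address it
validated. FlipFlopResolver and the URL are constructed so this runs offline.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Constructed import URL; the attacker controls the hostname's DNS.
URL = "https://imports.example.test/project.json"


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (so 169.254.169.254, the cloud
    metadata endpoint), shared address space and multicast. IPv4-mapped IPv6
    (::ffff:10.0.0.1) is unwrapped first so it cannot slip past the check.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def system_resolver(host: str) -> List[str]:
    """Real DNS lookup, used only when no resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


class FlipFlopResolver:
    """Constructed stand-in for a rebinding DNS server: the first query gets
    a public address (so validation passes), every later query an internal one."""

    def __init__(self, answers: Iterable[str]):
        self.answers = list(answers)
        self.calls = 0

    def __call__(self, host: str) -> List[str]:
        answer = self.answers[min(self.calls, len(self.answers) - 1)]
        self.calls += 1
        return [answer]


def vulnerable_import_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Check, then use: returns the address the HTTP client would connect to.

    Validation resolves the name once; a normal HTTP client resolves it again
    when it connects, and nothing ties the two answers together.
    """
    host = urlsplit(url).hostname or ""
    if not all(is_public_ip(a) for a in resolver(host)):      # lookup 1
        raise ValueError(f"refusing to import from non-public host {host}")
    # ... the URL is stored, the import job starts, the HTTP library connects:
    return resolver(host)[0]                                   # lookup 2


def hardened_import_target(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Resolve once, validate every answer, pin the address.

    Returns (ip, host). The caller must open its socket to `ip` and send
    `host` only as the Host header (and TLS SNI), so the name is never
    resolved a second time. Run the same routine on every redirect hop.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs may be imported")
    addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError(f"{parts.hostname} does not resolve")
    bad = [a for a in addrs if not is_public_ip(a)]
    if bad:
        raise ValueError(f"refusing to import from {parts.hostname}: resolves to {bad}")
    return addrs[0], parts.hostname


def rejects(url: str, answers: Iterable[str]) -> bool:
    """True if the hardened check refuses `url` given these DNS answers."""
    try:
        hardened_import_target(url, FlipFlopResolver(answers))
    except ValueError:
        return True
    return False


def demo_vulnerable() -> str:
    """Public answer at check time, metadata service at fetch time."""
    dns = FlipFlopResolver(["93.184.216.34", "169.254.169.254"])
    return vulnerable_import_target(URL, dns)   # "169.254.169.254"


def demo_hardened() -> str:
    """Same rebinding server; the fetch is pinned to the validated address."""
    dns = FlipFlopResolver(["93.184.216.34", "169.254.169.254"])
    ip, _host = hardened_import_target(URL, dns)
    assert dns.calls == 1                       # no second lookup to rebind
    return ip                                   # "93.184.216.34"


if __name__ == "__main__":
    print("vulnerable fetch connects to:", demo_vulnerable())
    print("hardened fetch pinned to:", demo_hardened())
```

<p>Pinning only helps if the HTTP client honours it: with <code>requests</code> or <code>urllib</code> the hostname must be replaced by the validated IP in the URL and supplied separately as the Host header (and as SNI for TLS), and each redirect must be re-validated the same way. The <code>disable_entry_points</code> setting above removes the whole attack surface for instances that do not need the importers.</p>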
<h4>OAuth2 Support</h4>
<p>To enable OAuth 2 with an existing .ini file, add:</p>
<div class="highlight"><pre><span></span><code>auth.oauth2.enabled = true
</code></pre></div>
<p>Then users can create and use OAuth2 client apps within their user setting pages.</p>
<h4>New Session Storage</h4>
<p>New session cookie handling is available and is more secure than the previous format. If you have an existing Allura instance, you can enable it with the following steps:</p>
<ul>
<li>add <code>session.jwt_secret_keys</code> to your .ini file, with a value generated by <code>python -c 'import secrets; print(secrets.token_hex());'</code></li>
<li><code>session.type = cookie</code> is no longer used and can be removed</li>
<li>optionally <code>session.read_original_format = true</code> and rename <code>session.validate_key</code> to <code>session.original_format_validate_key</code> for backwards compatibility, so that sessions written in the old format are still accepted. Remove both after a transition period.</li>
<li>optionally <code>session.write_original_format = true</code> if it takes a while to deploy the new code to all of your hosts and processes, so that processes still running the old code can read sessions written by upgraded ones. Remove it once every process runs the new code.</li>
</ul>
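<p>An added illustration of the two behaviours the steps above rely on, written for this page and not taken from Allura's session code: a minimal HS256 JWT session cookie whose verification keys are a list (so a key can be rotated by prepending a new one and dropping the old one later, as with <code>session.jwt_secret_keys</code>), with a transition mode that still reads an older cookie format (cf. <code>session.read_original_format</code>). The "legacy" layout, the key values and the class and function names are constructed for the example; the real old format and Allura's internals are not shown here.</p>

```python
"""
Added example, not Allura's session code: an HS256 JWT session cookie with
a key list for rotation and a transition mode that still reads a legacy
cookie. The keys and the "legacy" layout below are constructed; generate
real keys with: python -c 'import secrets; print(secrets.token_hex())'
"""
import base64
import hashlib
import hmac
import json
from typing import List, Optional

KEY_OLD = "0f" * 32                            # constructed: the key being retired
KEY_NEW = "a5" * 32                            # constructed: the key being rotated in
LEGACY_VALIDATE_KEY = "legacy-validate-key"    # constructed stand-in for original_format_validate_key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


class SessionCookies:
    def __init__(self, jwt_secret_keys: List[str], read_original_format: bool = False,
                 original_format_validate_key: Optional[str] = None):
        if not jwt_secret_keys:
            raise ValueError("at least one secret key is required")
        self.keys = [k.encode() for k in jwt_secret_keys]   # keys[0] signs; all verify
        self.read_original_format = read_original_format
        self.legacy_key = (original_format_validate_key or "").encode()

    def write(self, session: dict, now: int, ttl: int = 3600) -> str:
        """Sign with the newest (first) key; `exp` bounds the cookie's lifetime."""
        header = b64url(compact_json({"alg": "HS256", "typ": "JWT"}))
        body = b64url(compact_json(dict(session, exp=now + ttl)))
        sig = hmac.new(self.keys[0], f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{b64url(sig)}"

    def read(self, cookie: str, now: int) -> Optional[dict]:
        """Return the session dict, or None for anything not verifiably ours."""
        parts = cookie.split(".")
        if len(parts) == 3:
            return self._read_jwt(*parts, now=now)
        if len(parts) == 2 and self.read_original_format and self.legacy_key:
            return self._read_legacy(*parts)
        return None

    def _read_jwt(self, header: str, body: str, sig: str, now: int) -> Optional[dict]:
        try:
            hdr = json.loads(unb64url(header))
            if not isinstance(hdr, dict) or hdr.get("alg") != "HS256":
                return None                  # never let the token choose the algorithm
            given = unb64url(sig)
            signing_input = f"{header}.{body}".encode()
            for key in self.keys:            # any configured key may verify (rotation)
                expected = hmac.new(key, signing_input, hashlib.sha256).digest()
                if hmac.compare_digest(expected, given):
                    payload = json.loads(unb64url(body))
                    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
                        return None
                    return payload
        except (ValueError, TypeError):
            pass
        return None

    def _read_legacy(self, body: str, hexmac: str) -> Optional[dict]:
        expected = hmac.new(self.legacy_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, hexmac):
            return None
        return json.loads(unb64url(body))


def legacy_cookie(session: dict) -> str:
    """Constructed 'old format': base64url(json).hex(HMAC-SHA256 under the legacy key)."""
    body = b64url(compact_json(session))
    return body + "." + hmac.new(LEGACY_VALIDATE_KEY.encode(), body.encode(), hashlib.sha256).hexdigest()


def tampered(cookie: str, session: dict) -> str:
    """Swap the payload but keep the original signature (must be rejected)."""
    header, _body, sig = cookie.split(".")
    return f"{header}.{b64url(compact_json(session))}.{sig}"


def demo(now: int = 1_700_000_000) -> dict:
    """Rotation and transition scenarios; every value should be True."""
    before = SessionCookies([KEY_OLD])
    cookie = before.write({"user": "alice"}, now)
    during = SessionCookies([KEY_NEW, KEY_OLD], read_original_format=True,
                            original_format_validate_key=LEGACY_VALIDATE_KEY)
    after = SessionCookies([KEY_NEW])
    return {
        "old_cookie_valid_during_rotation": during.read(cookie, now) == {"user": "alice", "exp": now + 3600},
        "old_cookie_rejected_after_rotation": after.read(cookie, now) is None,
        "tampered_payload_rejected": during.read(tampered(cookie, {"user": "admin", "exp": now + 3600}), now) is None,
        "expired_rejected": during.read(cookie, now + 3600) is None,
        "legacy_read_during_transition": during.read(legacy_cookie({"user": "bob"}), now) == {"user": "bob"},
        "legacy_rejected_after_transition": after.read(legacy_cookie({"user": "bob"}), now) is None,
    }
```

<p>The rotation order matters: the new key goes first so that it signs everything written from now on, the old key stays in the list only until every cookie signed with it has expired, and the legacy read path is switched off as soon as the transition period ends, since it widens what the server will accept.</p>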
<h4>Breaking Changes for Custom Extensions</h4>
<p><a href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a> deprecates the <code>has_access(..)()</code> syntax. Custom extensions using this syntax will need to remove the second <code>()</code> so that it is just <code>has_access(..)</code>. A future release will remove support for the old syntax entirely.</p>
<h4>Upgrade Instructions</h4>
<p>To install updated dependencies, run: <code>pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed</code></p>
<p>Run: <code>paster ensure_index development.ini</code> in the Allura dir</p>
<p>If using docker, rebuild the allura image and restart containers.</p>
<p>Also, see the sections above about OAuth2 and New Session Storage.</p>
<p>Feel free to ask any questions on the <a href="https://lists.apache.org/list.html?dev@allura.apache.org">dev mailing list</a>.</p>
<h4>Get 1.17.0</h4>
<p><a href="//allura.apache.org/download.html">Download Allura</a> and <a href="https://forge-allura.apache.org/docs/getting_started/installation.html">install it</a> today.</p></div>
</div>
</div>
</div>
</div>
</div>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
<p class="copy pad-top-sm text-center">Copyright © 2024 The Apache Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura, and the Apache feather logo are trademarks of The Apache Software Foundation.</p>
</footer>
</div>
</section>
<script type="application/javascript" src="//allura.apache.org/theme/js/jquery-1.11.2.min.js"></script>
<script type="application/javascript" src="//allura.apache.org/theme/js/frontend.js"></script>
<script type="application/javascript" src="//allura.apache.org/theme/js/article.js"></script>
<!-- Credits
Logo Design: Will Leonard
http://willleonard.org
Site design: Perry Merrity
https://perrymerrity.com/
bg-header-forge.jpg
Photo by: Stefan Schmitz
https://creativecommons.org/licenses/by-nd/2.0
bg-developers-fire.jpg
Photo by: Frédéric Bisson
https://creativecommons.org/licenses/by-nd/2.0
-->
</body>
</html>