This minor release fixes/mitigates two security vulnerabilities and fixes some minor bugs. We advise all users to upgrade as soon as possible.
This release fixes a cross-site scripting (XSS)
vulnerability in Kallithea
itself, and mitigates a server-side request forgery (SSRF)
git. Please refer to our Security section for more details.
Thanks to stypr of Flatt Security for reporting both vulnerabilities.
In addition to the aforementioned security issues, this release also fixes some other bugs and adds some additional robustness in certain areas. See 'Changes' below for a list of changes most relevant to users.
Please refer to the documentation for upgrade instructions.
There are no specific attention points when upgrading from 0.6.2 to 0.6.3.
If you are upgrading from a version before 0.6.0, do generate a new configuration file and update your database via alembic (see the upgrade instructions for details).
Below are the most relevant changes between 0.6.2 and 0.6.3. Note that it is not a complete list: some changes are purely internal refactoring. Please refer to the source repository if you are interested in full details.
Configuration file (ini)
- change template to use celery 4 setting name
User interface functionality
binpath for node commands instead of
Repositories and Repository Groups
- fix HTML markup of repository group descriptions cs, security info
- extra escape of names when used in select drop-downs cs
- fix select of parent group when adding repository group cs
- extra HTML escaping of repository and repository group names shown in DataTables cs
Version control systems support
- fix interaction with certain git clients cs, thread
- consistently block git URLs with
- disallow odd characters in path of
git://URLs cs, security info
We would like to thank everyone that contributed to the Kallithea repository since release 0.6.2 (the numbers are the amount of commits)...
9 Mads Kiilerich 2 Thomas De Schampheleire
... as well as everyone contributing in other ways, e.g. by testing, reporting issues, discussing via mail or IRC, etc.
Again, a special thanks to stypr of Flatt Security for reporting the security issue.