author | Saša Živkov <zivkov@gmail.com> | 2012-12-12 02:11:14 -0800 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2012-12-12 02:11:14 -0800 |
commit | 98a6f5e2eb23b747749412f581e1ee393df8d8ff (patch) | |
tree | 27ace1635f27d0d831539b7871f444609e822056 | |
parent | 3c89d5cce45e6ce8a836a90d12aba2cfee299e66 (diff) | |
parent | dd5d96df653ca06f665736bb4b779a7b40df2df9 (diff) |
Merge "Add release notes for Gerrit 2.5.1" into stable-2.5
-rw-r--r-- | ReleaseNotes/ReleaseNotes-2.5.1.txt | 94 |
-rw-r--r-- | ReleaseNotes/index.txt | 1 |
2 files changed, 95 insertions, 0 deletions
diff --git a/ReleaseNotes/ReleaseNotes-2.5.1.txt b/ReleaseNotes/ReleaseNotes-2.5.1.txt new file mode 100644 index 0000000000..d6ad1fdd4a --- /dev/null +++ b/ReleaseNotes/ReleaseNotes-2.5.1.txt 
@@ -0,0 +1,94 @@ +Release notes for Gerrit 2.5.1 +============================== + +Gerrit 2.5.1 is now available: + +link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war] + +There are no schema changes from 2.5, or 2.5.1. + +However, if upgrading from anything earlier version, follow the upgrade +procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes]. + +Security Fixes +-------------- +* Correctly identify Git-over-HTTP operations ++ +Git operations over HTTP should be classified as using AccessPath.GIT +and not WEB_UI. This ensures RefControl will correctly test for Create, +Push or Delete access on a reference instead of Owner. ++ +E.g. without this fix project owners are able to force push commits +via HTTP that are already in the history of the target branch, even +without having any Push access right assigned. + +* Make sure only Gerrit admins can change the parent of a project ++ +Only Gerrit administrators should be able to change the parent of a +project because by changing the parent project access rights and BLOCK +rules which are configured on a parent project can be avoided. ++ +The `set-project-parent` SSH command already verifies that the caller +is a Gerrit administrator, however project owners can change the parent +project by modifying the `project.config` file and pushing to the +`refs/meta/config` branch. ++ +This fix ensures that changes to the `project.config` file that change +the parent project can only be pushed/submitted by Gerrit +administrators. ++ +In addition it is now not possible anymore to +- set a non-existing project as parent (as this would make the project + be orphaned) +- set a parent project for the `All-Projects` root project (the root + project by definition has no parent) +by pushing changes of the `project.config` file to `refs/meta/config`. 
+ +Bug Fixes +--------- +* Fix RequestCleanup bug with Git over HTTP ++ +Decide if a continuation is going to be used early, before the filter +that will attempt to cleanup a RequestCleanup. If so don't allow +entering the RequestCleanup part of the system until the request is +actually going to be processed. ++ +This fixes the IllegalStateException `Request has already been cleaned +up` that occurred when running on Jetty and pushing over HTTP for URLs +where the path starts with `/p/`. + +* Match all git fetch/clone/push commands to the command executor ++ +Route not just `/p/` but any Git access to the same thread pool as the +SSH server is using, allowing all requests to compete fairly for +resources. + +* Fix auto closing of changes on direct push ++ +When a commit is directly pushed into a repository (bypassing code +review) and this commit has a Change-Id in its commit message then the +corresponding change is automatically closed if it is open. + +* Allow assigning `Push` for `refs/meta/config` on `All-Projects` ++ +The `refs/meta/config` branch of the `All-Projects project` should only +be modified by Gerrit administrators because being able to do +modifications on this branch means that the user could assign himself +administrator permissions. ++ +In addition to being administrator we already require that the +administrator has the `Push` access right for `refs/meta/config` in +order to be able to modify it (just as with all other branches +administrators do not have edit permissions by default). ++ +The problem was that assigning the `Push` access right for +`refs/meta/config` on the `All-Projects` project was not allowed. ++ +Having the `Push` access right for `refs/meta/config` on the +`All-Projects` project without being administrator already has no +effect. ++ +Prohibiting to assign the Push access right for `refs/meta/config` on +the `All-Project` project was anyway pointless since it was e.g. 
+possible to assign the `Push` access right on `refs/meta/*`. + diff --git a/ReleaseNotes/index.txt b/ReleaseNotes/index.txt index 452057c2ac..02c1a2cc06 100644 --- a/ReleaseNotes/index.txt +++ b/ReleaseNotes/index.txt @@ -4,6 +4,7 @@ Gerrit Code Review - Release Notes [[2_5]] Version 2.5.x ------------- +* link:ReleaseNotes-2.5.1.html[2.5.1] * link:ReleaseNotes-2.5.html[2.5] [[2_4]] |
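Review bot: In the "Allow assigning `Push` for `refs/meta/config` on `All-Projects`" entry of ReleaseNotes-2.5.1.txt the root project name is written inconsistently: "`All-Projects project`" has its closing backtick after "project", and the final paragraph says "`All-Project` project" without the "s". Both should read "`All-Projects` project", as in the rest of the file. In the introduction, "There are no schema changes from 2.5, or 2.5.1." and "if upgrading from anything earlier version" do not parse; presumably "from 2.5 to 2.5.1" and "from any earlier version" are meant. In the second security fix, the two "- set ..." items follow "In addition it is now not possible anymore to" with no blank line, and the closing line "by pushing changes of the `project.config` file to `refs/meta/config`." runs straight on from the last item, so please check the rendered HTML to confirm that the list and its trailing sentence come out as intended.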