From dd5d96df653ca06f665736bb4b779a7b40df2df9 Mon Sep 17 00:00:00 2001 From: Edwin Kempin Date: Wed, 12 Dec 2012 10:17:51 +0100 Subject: Add release notes for Gerrit 2.5.1 Change-Id: I326e163f2c567d4c5aab2eb1c178cb17e60e8e56 Signed-off-by: Edwin Kempin --- ReleaseNotes/ReleaseNotes-2.5.1.txt | 94 +++++++++++++++++++++++++++++++++++++ ReleaseNotes/index.txt | 1 + 2 files changed, 95 insertions(+) create mode 100644 ReleaseNotes/ReleaseNotes-2.5.1.txt diff --git a/ReleaseNotes/ReleaseNotes-2.5.1.txt b/ReleaseNotes/ReleaseNotes-2.5.1.txt new file mode 100644 index 0000000000..d6ad1fdd4a --- /dev/null +++ b/ReleaseNotes/ReleaseNotes-2.5.1.txt 
@@ -0,0 +1,94 @@ +Release notes for Gerrit 2.5.1 +============================== + +Gerrit 2.5.1 is now available: + +link:http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war[http://code.google.com/p/gerrit/downloads/detail?name=gerrit-full-2.5.1.war] + +There are no schema changes from 2.5, or 2.5.1. + +However, if upgrading from anything earlier version, follow the upgrade +procedure in the 2.5 link:ReleaseNotes-2.5.html[Release Notes]. + +Security Fixes +-------------- +* Correctly identify Git-over-HTTP operations ++ +Git operations over HTTP should be classified as using AccessPath.GIT +and not WEB_UI. This ensures RefControl will correctly test for Create, +Push or Delete access on a reference instead of Owner. ++ +E.g. without this fix project owners are able to force push commits +via HTTP that are already in the history of the target branch, even +without having any Push access right assigned. + +* Make sure only Gerrit admins can change the parent of a project ++ +Only Gerrit administrators should be able to change the parent of a +project because by changing the parent project access rights and BLOCK +rules which are configured on a parent project can be avoided. ++ +The `set-project-parent` SSH command already verifies that the caller +is a Gerrit administrator, however project owners can change the parent +project by modifying the `project.config` file and pushing to the +`refs/meta/config` branch. ++ +This fix ensures that changes to the `project.config` file that change +the parent project can only be pushed/submitted by Gerrit +administrators. ++ +In addition it is now not possible anymore to +- set a non-existing project as parent (as this would make the project + be orphaned) +- set a parent project for the `All-Projects` root project (the root + project by definition has no parent) +by pushing changes of the `project.config` file to `refs/meta/config`. 
+ +Bug Fixes +--------- +* Fix RequestCleanup bug with Git over HTTP ++ +Decide if a continuation is going to be used early, before the filter +that will attempt to cleanup a RequestCleanup. If so don't allow +entering the RequestCleanup part of the system until the request is +actually going to be processed. ++ +This fixes the IllegalStateException `Request has already been cleaned +up` that occurred when running on Jetty and pushing over HTTP for URLs +where the path starts with `/p/`. + +* Match all git fetch/clone/push commands to the command executor ++ +Route not just `/p/` but any Git access to the same thread pool as the +SSH server is using, allowing all requests to compete fairly for +resources. + +* Fix auto closing of changes on direct push ++ +When a commit is directly pushed into a repository (bypassing code +review) and this commit has a Change-Id in its commit message then the +corresponding change is automatically closed if it is open. + +* Allow assigning `Push` for `refs/meta/config` on `All-Projects` ++ +The `refs/meta/config` branch of the `All-Projects project` should only +be modified by Gerrit administrators because being able to do +modifications on this branch means that the user could assign himself +administrator permissions. ++ +In addition to being administrator we already require that the +administrator has the `Push` access right for `refs/meta/config` in +order to be able to modify it (just as with all other branches +administrators do not have edit permissions by default). ++ +The problem was that assigning the `Push` access right for +`refs/meta/config` on the `All-Projects` project was not allowed. ++ +Having the `Push` access right for `refs/meta/config` on the +`All-Projects` project without being administrator already has no +effect. ++ +Prohibiting to assign the Push access right for `refs/meta/config` on +the `All-Project` project was anyway pointless since it was e.g. 
+possible to assign the `Push` access right on `refs/meta/*`. + diff --git a/ReleaseNotes/index.txt b/ReleaseNotes/index.txt index 452057c2ac..02c1a2cc06 100644 --- a/ReleaseNotes/index.txt +++ b/ReleaseNotes/index.txt @@ -4,6 +4,7 @@ Gerrit Code Review - Release Notes [[2_5]] Version 2.5.x ------------- +* link:ReleaseNotes-2.5.1.html[2.5.1] * link:ReleaseNotes-2.5.html[2.5] [[2_4]] -- cgit v1.2.3
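Review bot: The upgrade guidance at the top of the new ReleaseNotes-2.5.1.txt is ambiguous about which versions need the schema upgrade. "There are no schema changes from 2.5, or 2.5.1." reads as if 2.5.1 were a source version, and "if upgrading from anything earlier version" is ungrammatical. Suggest "There are no schema changes from 2.5 to 2.5.1." and "if upgrading from any earlier version", so administrators can tell when the 2.5 upgrade procedure applies. In the second security fix, the two "-" items and the trailing "by pushing changes of the `project.config` file ..." line follow "In addition it is now not possible anymore to" with no blank line, so they may render as one run-on paragraph instead of a list. Consider moving the "by pushing ..." clause into the introductory sentence and separating the list items from it. In the last bug-fix entry, "`All-Projects project`" has the word "project" inside the backticks, and the final paragraph says "`All-Project`" where the rest of the file uses "`All-Projects`".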