This is an automated email from the ASF dual-hosted git repository.
brondsem pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/allura-site.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 77ceca6 publish 1.17.0 with security notice
77ceca6 is described below
commit 77ceca6f39e58a4546738224ab30ffc89ef270af
Author: Dave Brondsema <[email protected]>
AuthorDate: Mon Jun 10 11:57:13 2024 -0400
publish 1.17.0 with security notice
---
_src/content/2024-allura-1.17.0.md | 74 ++++++++++++++++++++++
_src/pelicanconf.py | 6 +-
download.html | 10 +--
feeds/all.atom.xml | 43 ++++++++++++-
feeds/tag.release.atom.xml | 43 ++++++++++++-
index.html | 10 +--
news.html | 13 +++-
posts/2015-allura-1.3.1-release.html | 2 +-
posts/2015-allura-1.3.2.html | 2 +-
posts/2015-cors.html | 2 +-
posts/2015-markdown-editor.html | 2 +-
posts/2015-rest-api-docs.html | 2 +-
posts/2015-updated-icons.html | 2 +-
posts/2016-admin-toolbar.html | 2 +-
posts/2016-allura-1.4.0.html | 2 +-
posts/2016-allura-1.5.0.html | 2 +-
posts/2016-allura-1.6.0.html | 2 +-
posts/2016-gsoc-16.html | 2 +-
posts/2016-two-factor-auth.html | 2 +-
posts/2017-allura-1.7.0.html | 2 +-
posts/2018-allura-1.10.0.html | 2 +-
posts/2018-allura-1.8.0.html | 2 +-
posts/2018-allura-1.8.1.html | 2 +-
posts/2018-allura-1.9.0.html | 2 +-
posts/2019-allura-1.11.0.html | 2 +-
posts/2019-allura-1.11.1.html | 2 +-
posts/2019-allura-1.12.0.html | 2 +-
posts/2021-allura-1.13.0.html | 2 +-
posts/2022-allura-1.14.0.html | 2 +-
posts/2023-allura-1.15.0.html | 2 +-
posts/2023-allura-1.16.0.html | 2 +-
...-allura-1.16.0.html => 2024-allura-1.17.0.html} | 47 +++++++++-----
tag/feature.html | 2 +-
tag/gsoc.html | 2 +-
tag/release.html | 13 +++-
35 files changed, 251 insertions(+), 60 deletions(-)
diff --git a/_src/content/2024-allura-1.17.0.md
b/_src/content/2024-allura-1.17.0.md
new file mode 100644
index 0000000..19ecc93
--- /dev/null
+++ b/_src/content/2024-allura-1.17.0.md
@@ -0,0 +1,74 @@
+Title: Apache Allura 1.17.0 released, including critical security fix
+Date: 2024-06-10
+Tags: release
+Slug: allura-1.17.0
+Summary: Version 1.17.0 of Allura released, including a critical security fix
+
+#### What's New?
+
+Apache Allura 1.17.0 has been released. It includes a critical security fix,
adds OAuth2 support, and more.
+
+For full details of all the changes and fixes, see the [CHANGES
file](https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES).
+
+#### Critical Security Fix
+
+CVE-2024-36471 sensitive information exposure via DNS rebinding
+
+Severity: Critical<br>
+Versions Affected: 1.0.1 through 1.16.0
+
+**Description:**<br>
+Import functionality is vulnerable to DNS rebinding attacks between
verification and processing of the URL. Project administrators can run these
imports, which could cause Allura to read from internal services and expose
them.
+
+**Mitigation:**<br>
+Users of Allura should upgrade to Allura 1.17.0.
+
+If you are unable to upgrade, set this in your .ini config file:
+
+```
+disable_entry_points.allura.importers = forge-tracker, forge-discussion
+```
+
+That same .ini setting is also recommend for users who want maximum security
on their Allura instance and don't need those importers available.
+
+**Credit:**<br>
+This issue was discovered by [truff](https://x.com/truffzor)
+
+#### OAuth2 Support
+
+To enable OAuth 2 with an existing .ini file, add:
+
+```
+auth.oauth2.enabled = true
+```
+
+Then users can create and use OAuth2 client apps within their user setting
pages.
+
+#### New Session Storage
+
+New session cookie handling is available and more secure and safe. If you
have an existing Allura instance, you can enable it with the following steps:
+
+- add `session.jwt_secret_keys` to your .ini file, with a value generated by
`python -c 'import secrets; print(secrets.token_hex());'`
+- `session.type = cookie` is no longer used and can be removed
+- optionally `session.read_original_format = true` and rename
`session.validate_key` to `session.original_format_validate_key` for backwards
compatibility. Remove after a transition period.
+- optionally `session.write_original_format = true` if it takes a while to
deploy all your code to multiple hosts/procs. Then remove once all processes
have new code.
+
+#### Breaking Changes for Custom Extensions
+
+[#8556](https://forge-allura.apache.org/p/allura/tickets/8556/) deprecates the
`has_access(..)()` syntax. Custom extensions using this syntax will need to
remove the second `()` so that it is just `has_access(..)`. Next releases will
remove support for the old syntax entirely.
+
+#### Upgrade Instructions
+
+To install updated dependencies, run: `pip install -r requirements.txt
--no-deps --upgrade --upgrade-strategy=only-if-needed`
+
+Run: `paster ensure_index development.ini` in the Allura dir
+
+If using docker, rebuild the allura image and restart containers.
+
+Also, see the sections above about OAuth2 and New Session Storage.
+
+Feel free to ask any questions on the [dev mailing
list](https://lists.apache.org/[email protected]).
+
+#### Get 1.17.0
+
+[Download Allura](//allura.apache.org/download.html) and [install
it](https://forge-allura.apache.org/docs/getting_started/installation.html)
today.
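Review bot: In the Mitigation section, "That same .ini setting is also recommend for users" should read "recommended"; this file is the source for the rendered post and both Atom feeds, so the typo is copied into each of them. The workaround disables only `forge-tracker` and `forge-discussion`, while the description speaks of "Import functionality" in general, so add a sentence saying whether those two are the only affected importers; operators who cannot upgrade need that to judge whether the setting covers them. In the New Session Storage list, the two "optionally" items name settings without saying to set them in the .ini file, unlike the first item.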
diff --git a/_src/pelicanconf.py b/_src/pelicanconf.py
index c7265bb..eb0feff 100644
--- a/_src/pelicanconf.py
+++ b/_src/pelicanconf.py
@@ -45,9 +45,9 @@ TAG_FEED_ATOM = 'feeds/tag.{slug}.atom.xml'
CURRENT_YEAR = dt.date.today().year
-RELEASE_VERSION = '1.16.0'
-RELEASE_DATE = 'Nov 2023'
-RELEASE_NEWS = 'posts/2023-allura-1.16.0.html'
+RELEASE_VERSION = '1.17.0'
+RELEASE_DATE = 'June 2024'
+RELEASE_NEWS = 'posts/2024-allura-1.17.0.html'
DIST_URL = 'https://downloads.apache.org/allura/'
FORGE_ALLURA_URL = 'https://forge-allura.apache.org/'
diff --git a/download.html b/download.html
index 91dabd8..dc683e8 100644
--- a/download.html
+++ b/download.html
@@ -54,15 +54,15 @@
<div class="col-20 no-float auto-margin">
<div class="row">
<p class="pad-md">
- <a
href="https://www.apache.org/dyn/closer.cgi/allura/allura-1.16.0.tar.gz">Download
Allura v1.16.0</a>. This is the latest release of Apache Allura, released Nov
2023.
- <a href="posts/2023-allura-1.16.0.html">Read what's new.</a>
+ <a
href="https://www.apache.org/dyn/closer.cgi/allura/allura-1.17.0.tar.gz">Download
Allura v1.17.0</a>. This is the latest release of Apache Allura, released
June 2024.
+ <a href="posts/2024-allura-1.17.0.html">Read what's new.</a>
</p>
<p>
Verify the download:
</p>
<ul>
- <li><a
href="https://downloads.apache.org/allura/allura-1.16.0.tar.gz.sha512">SHA-512</a>
checksum</li>
- <li>PGP <a
href="https://downloads.apache.org/allura/allura-1.16.0.tar.gz.asc">signature</a>
& <a href="https://downloads.apache.org/allura/KEYS">keys</a></li>
+ <li><a
href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.sha512">SHA-512</a>
checksum</li>
+ <li>PGP <a
href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.asc">signature</a>
& <a href="https://downloads.apache.org/allura/KEYS">keys</a></li>
</ul>
<p>
<a
href="https://www.apache.org/info/verification.html">Instructions for how to
verify a download using these files.</a>
@@ -139,7 +139,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
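Review bot: The only change in this footer hunk is the copyright year, and the same one-line change repeats in every generated page, which accounts for most of the 35 files in the diffstat. The year comes from `CURRENT_YEAR = dt.date.today().year` in `_src/pelicanconf.py`, so the first rebuild in a new calendar year rewrites the whole site. Consider committing that regeneration separately so the 1.17.0 security notice can be reviewed on its own.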
diff --git a/feeds/all.atom.xml b/feeds/all.atom.xml
index 250cc25..ebeecde 100644
--- a/feeds/all.atom.xml
+++ b/feeds/all.atom.xml
@@ -1,5 +1,46 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura</title><link
href="//allura.apache.org/" rel="alternate"></link><link
href="//allura.apache.org/feeds/all.atom.xml"
rel="self"></link><id>//allura.apache.org/</id><updated>2023-11-06T00:00:00+00:00</updated><entry><title>Apache
Allura 1.16.0 released with critical security fix</title><link
href="//allura.apache.org/posts/2023-allura-1.16.0.html"
rel="alternate"></link><published>2023-11-06T00:00:00+00:00</published><updated>2
[...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura</title><link
href="//allura.apache.org/" rel="alternate"></link><link
href="//allura.apache.org/feeds/all.atom.xml"
rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-10T00:00:00+00:00</updated><entry><title>Apache
Allura 1.17.0 released, including critical security fix</title><link
href="//allura.apache.org/posts/2024-allura-1.17.0.html"
rel="alternate"></link><published>2024-06-10T00:00:00+00:00</published><upd
[...]
+<p>Apache Allura 1.17.0 has been released. It includes a critical
security fix, adds OAuth2 support, and more.</p>
+<p>For full details of all the changes and fixes, see the <a
href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES
file</a>. </p>
+<h4>Critical Security Fix</h4>
+<p>CVE-2024-36471 sensitive information exposure via DNS
rebinding</p>
+<p>Severity: Critical<br>
+Versions Affected: 1.0.1 through 1.16.0</p>
+<p><strong>Description:</strong><br>
+Import functionality is vulnerable to DNS rebinding attacks between
verification and processing of the URL. Project administrators can run these
imports, which could cause Allura to read from internal services and expose
them.</p>
+<p><strong>Mitigation:</strong><br>
+Users of Allura should upgrade to Allura 1.17.0.</p>
+<p>If you are unable to upgrade, set this in your .ini config
file:</p>
+<div
class="highlight"><pre><span></span><code>disable_entry_points.allura.importers
= forge-tracker, forge-discussion
+</code></pre></div>
+
+<p>That same .ini setting is also recommend for users who want maximum
security on their Allura instance and don't need those importers
available.</p>
+<p><strong>Credit:</strong><br>
+This issue was discovered by <a
href="https://x.com/truffzor">truff</a></p>
+<h4>OAuth2 Support</h4>
+<p>To enable OAuth 2 with an existing .ini file, add:</p>
+<div
class="highlight"><pre><span></span><code>auth.oauth2.enabled
= true
+</code></pre></div>
+
+<p>Then users can create and use OAuth2 client apps within their user
setting pages.</p>
+<h4>New Session Storage</h4>
+<p>New session cookie handling is available and more secure and safe.
If you have an existing Allura instance, you can enable it with the following
steps:</p>
+<ul>
+<li>add <code>session.jwt_secret_keys</code> to your .ini
file, with a value generated by <code>python -c 'import secrets;
print(secrets.token_hex());'</code></li>
+<li><code>session.type = cookie</code> is no longer used and
can be removed</li>
+<li>optionally <code>session.read_original_format =
true</code> and rename <code>session.validate_key</code> to
<code>session.original_format_validate_key</code> for backwards
compatibility. Remove after a transition period.</li>
+<li>optionally <code>session.write_original_format =
true</code> if it takes a while to deploy all your code to multiple
hosts/procs. Then remove once all processes have new code.</li>
+</ul>
+<h4>Breaking Changes for Custom Extensions</h4>
+<p><a
href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a>
deprecates the <code>has_access(..)()</code> syntax. Custom
extensions using this syntax will need to remove the second
<code>()</code> so that it is just
<code>has_access(..)</code>. Next releases will remove support for
the old syntax entirely.</p>
+<h4>Upgrade Instructions</h4>
+<p>To install updated dependencies, run: <code>pip install -r
requirements.txt --no-deps --upgrade
--upgrade-strategy=only-if-needed</code></p>
+<p>Run: <code>paster ensure_index development.ini</code> in
the Allura dir</p>
+<p>If using docker, rebuild the allura image and restart
containers.</p>
+<p>Also, see the sections above about OAuth2 and New Session
Storage.</p>
+<p>Feel free to ask any questions on the <a
href="https://lists.apache.org/[email protected]">dev mailing
list</a>.</p>
+<h4>Get 1.17.0</h4>
+<p><a href="//allura.apache.org/download.html">Download
Allura</a> and <a
href="https://forge-allura.apache.org/docs/getting_started/installation.html">install
it</a> today.</p></content><category
term="misc"></category><category
term="release"></category></entry><entry><title>Apache Allura 1.16.0 released
with critical security fix</title><link
href="//allura.apache.org/posts/2023-allura-1.16.0.html"
rel="alternate"></link><published>2023-11-06T00:00: [...]
<p>Apache Allura 1.16.0 has been released. It has a critical security
fix and also drops Python 3.7 support.</p>
<p>For full details of all the changes and fixes, see the <a
href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES
file</a>. </p>
<h4>Critical Security Fix</h4>
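Review bot: The new entry's `<link href="//allura.apache.org/posts/2024-allura-1.17.0.html">` and the "Download Allura" link in its content (`//allura.apache.org/download.html`) are protocol-relative, as are the feed's `<id>` and `self` link. A feed reader has no page scheme to inherit, so these may fail to resolve or resolve over plain http; for a security release the download link in particular should be an absolute `https://` URL. The in-content link comes from `_src/content/2024-allura-1.17.0.md`, so changing it there corrects the generated output as well.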
diff --git a/feeds/tag.release.atom.xml b/feeds/tag.release.atom.xml
index 2b7e98c..2c96076 100644
--- a/feeds/tag.release.atom.xml
+++ b/feeds/tag.release.atom.xml
@@ -1,5 +1,46 @@
<?xml version="1.0" encoding="utf-8"?>
-<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura -
release</title><link href="//allura.apache.org/" rel="alternate"></link><link
href="//allura.apache.org/feeds/tag.release.atom.xml"
rel="self"></link><id>//allura.apache.org/</id><updated>2023-11-06T00:00:00+00:00</updated><entry><title>Apache
Allura 1.16.0 released with critical security fix</title><link
href="//allura.apache.org/posts/2023-allura-1.16.0.html"
rel="alternate"></link><published>2023-11-06T00:00:00+00:00</pu [...]
+<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura -
release</title><link href="//allura.apache.org/" rel="alternate"></link><link
href="//allura.apache.org/feeds/tag.release.atom.xml"
rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-10T00:00:00+00:00</updated><entry><title>Apache
Allura 1.17.0 released, including critical security fix</title><link
href="//allura.apache.org/posts/2024-allura-1.17.0.html"
rel="alternate"></link><published>2024-06-10T00:00:00+00: [...]
+<p>Apache Allura 1.17.0 has been released. It includes a critical
security fix, adds OAuth2 support, and more.</p>
+<p>For full details of all the changes and fixes, see the <a
href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES
file</a>. </p>
+<h4>Critical Security Fix</h4>
+<p>CVE-2024-36471 sensitive information exposure via DNS
rebinding</p>
+<p>Severity: Critical<br>
+Versions Affected: 1.0.1 through 1.16.0</p>
+<p><strong>Description:</strong><br>
+Import functionality is vulnerable to DNS rebinding attacks between
verification and processing of the URL. Project administrators can run these
imports, which could cause Allura to read from internal services and expose
them.</p>
+<p><strong>Mitigation:</strong><br>
+Users of Allura should upgrade to Allura 1.17.0.</p>
+<p>If you are unable to upgrade, set this in your .ini config
file:</p>
+<div
class="highlight"><pre><span></span><code>disable_entry_points.allura.importers
= forge-tracker, forge-discussion
+</code></pre></div>
+
+<p>That same .ini setting is also recommend for users who want maximum
security on their Allura instance and don't need those importers
available.</p>
+<p><strong>Credit:</strong><br>
+This issue was discovered by <a
href="https://x.com/truffzor">truff</a></p>
+<h4>OAuth2 Support</h4>
+<p>To enable OAuth 2 with an existing .ini file, add:</p>
+<div
class="highlight"><pre><span></span><code>auth.oauth2.enabled
= true
+</code></pre></div>
+
+<p>Then users can create and use OAuth2 client apps within their user
setting pages.</p>
+<h4>New Session Storage</h4>
+<p>New session cookie handling is available and more secure and safe.
If you have an existing Allura instance, you can enable it with the following
steps:</p>
+<ul>
+<li>add <code>session.jwt_secret_keys</code> to your .ini
file, with a value generated by <code>python -c 'import secrets;
print(secrets.token_hex());'</code></li>
+<li><code>session.type = cookie</code> is no longer used and
can be removed</li>
+<li>optionally <code>session.read_original_format =
true</code> and rename <code>session.validate_key</code> to
<code>session.original_format_validate_key</code> for backwards
compatibility. Remove after a transition period.</li>
+<li>optionally <code>session.write_original_format =
true</code> if it takes a while to deploy all your code to multiple
hosts/procs. Then remove once all processes have new code.</li>
+</ul>
+<h4>Breaking Changes for Custom Extensions</h4>
+<p><a
href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a>
deprecates the <code>has_access(..)()</code> syntax. Custom
extensions using this syntax will need to remove the second
<code>()</code> so that it is just
<code>has_access(..)</code>. Next releases will remove support for
the old syntax entirely.</p>
+<h4>Upgrade Instructions</h4>
+<p>To install updated dependencies, run: <code>pip install -r
requirements.txt --no-deps --upgrade
--upgrade-strategy=only-if-needed</code></p>
+<p>Run: <code>paster ensure_index development.ini</code> in
the Allura dir</p>
+<p>If using docker, rebuild the allura image and restart
containers.</p>
+<p>Also, see the sections above about OAuth2 and New Session
Storage.</p>
+<p>Feel free to ask any questions on the <a
href="https://lists.apache.org/[email protected]">dev mailing
list</a>.</p>
+<h4>Get 1.17.0</h4>
+<p><a href="//allura.apache.org/download.html">Download
Allura</a> and <a
href="https://forge-allura.apache.org/docs/getting_started/installation.html">install
it</a> today.</p></content><category
term="misc"></category><category
term="release"></category></entry><entry><title>Apache Allura 1.16.0 released
with critical security fix</title><link
href="//allura.apache.org/posts/2023-allura-1.16.0.html"
rel="alternate"></link><published>2023-11-06T00:00: [...]
<p>Apache Allura 1.16.0 has been released. It has a critical security
fix and also drops Python 3.7 support.</p>
<p>For full details of all the changes and fixes, see the <a
href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES
file</a>. </p>
<h4>Critical Security Fix</h4>
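Review bot: The added entry closes with `<category term="misc">` ahead of `<category term="release">`, although the post header declares only `Tags: release` and no category. If "misc" is not meant to be published for a security release, add a `Category:` line to the post metadata so the feed carries an intended value.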
diff --git a/index.html b/index.html
index 61f6e85..6accd22 100644
--- a/index.html
+++ b/index.html
@@ -84,18 +84,18 @@
<h3 class="text-center">Get the Latest Version of Allura</h3>
<div class="row pad-vert-md">
<div id="release" class="col-12 auto-margin pad-vert-xs text-center">
- <a href="//allura.apache.org/download.html"><button
class="auto-margin">Download v1.16.0</button></a>
- <span class="text-white">Nov 2023 —</span>
- <a href="posts/2023-allura-1.16.0.html">What's New</a>
+ <a href="//allura.apache.org/download.html"><button
class="auto-margin">Download v1.17.0</button></a>
+ <span class="text-white">June 2024 —</span>
+ <a href="posts/2024-allura-1.17.0.html">What's New</a>
</div>
<div id="news" class="col-12 auto-margin pad-vert-xs text-center">
<h5>News</h5>
<ul>
+ <li><a
href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0
released, including critical security fix</a></li>
<li><a
href="//allura.apache.org/posts/2023-allura-1.16.0.html">Apache Allura 1.16.0
released with critical security fix</a></li>
<li><a
href="//allura.apache.org/posts/2023-allura-1.15.0.html">Apache Allura 1.15.0
released</a></li>
<li><a
href="//allura.apache.org/posts/2022-allura-1.14.0.html">Apache Allura 1.14.0
released</a></li>
<li><a
href="//allura.apache.org/posts/2021-allura-1.13.0.html">Apache Allura 1.13.0
released</a></li>
- <li><a
href="//allura.apache.org/posts/2019-allura-1.12.0.html">Apache Allura 1.12.0
released</a></li>
<li><a href="//allura.apache.org/news.html">All News
→</a></li>
</ul>
</div>
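Review bot: The download control on the changed lines nests a `<button class="auto-margin">` inside `<a href="//allura.apache.org/download.html">`, which is invalid HTML because an anchor may not contain interactive content. Styling the link itself as a button keeps the appearance and avoids inconsistent keyboard and click handling across browsers. The pattern predates this commit, but the line is being regenerated here, so the template is the place to fix it.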
@@ -200,7 +200,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/news.html b/news.html
index 1b18538..d6af8ac 100644
--- a/news.html
+++ b/news.html
@@ -52,6 +52,17 @@
<h2>All News</h2>
<div class="row bg-white pad-bot-md text-center">
+ <div class="row pad-top-md">
+ <h3><a class="text-black"
href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0
released, including critical security fix</a></h3>
+ </div>
+
+ <div class="post-info">
+ Published:
+ <abbr class="published" title="2024-06-10T00:00:00+00:00">
+ Mon 10 June 2024
+ </abbr>
+ </div>
+ <div class="entry-content"> <p>Version 1.17.0 of Allura released, including
a critical security fix</p> </div>
<div class="row pad-top-md">
<h3><a class="text-black"
href="//allura.apache.org/posts/2023-allura-1.16.0.html">Apache Allura 1.16.0
released with critical security fix</a></h3>
</div>
@@ -323,7 +334,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-allura-1.3.1-release.html
b/posts/2015-allura-1.3.1-release.html
index 05f94fc..b7f9049 100644
--- a/posts/2015-allura-1.3.1-release.html
+++ b/posts/2015-allura-1.3.1-release.html
@@ -86,7 +86,7 @@ new features are:</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-allura-1.3.2.html b/posts/2015-allura-1.3.2.html
index e69736e..ca94c6c 100644
--- a/posts/2015-allura-1.3.2.html
+++ b/posts/2015-allura-1.3.2.html
@@ -90,7 +90,7 @@ new features are:</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-cors.html b/posts/2015-cors.html
index 24b789b..4afcf3c 100644
--- a/posts/2015-cors.html
+++ b/posts/2015-cors.html
@@ -83,7 +83,7 @@ cookies cannot be used - so nobody could be tricked into
doing something acciden
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-markdown-editor.html b/posts/2015-markdown-editor.html
index 505f401..1cb8826 100644
--- a/posts/2015-markdown-editor.html
+++ b/posts/2015-markdown-editor.html
@@ -87,7 +87,7 @@ reference page.</p></div>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-rest-api-docs.html b/posts/2015-rest-api-docs.html
index 85961cd..b344ef6 100644
--- a/posts/2015-rest-api-docs.html
+++ b/posts/2015-rest-api-docs.html
@@ -80,7 +80,7 @@ This portal also lets you try the API live, so you can see
exactly what each API
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2015-updated-icons.html b/posts/2015-updated-icons.html
index 6753129..1bc1a28 100644
--- a/posts/2015-updated-icons.html
+++ b/posts/2015-updated-icons.html
@@ -91,7 +91,7 @@ screens:</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-admin-toolbar.html b/posts/2016-admin-toolbar.html
index 8ee6517..4d14862 100644
--- a/posts/2016-admin-toolbar.html
+++ b/posts/2016-admin-toolbar.html
@@ -93,7 +93,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-allura-1.4.0.html b/posts/2016-allura-1.4.0.html
index c0aa92a..dfede64 100644
--- a/posts/2016-allura-1.4.0.html
+++ b/posts/2016-allura-1.4.0.html
@@ -91,7 +91,7 @@ It also works to nest code block notation, and specify the
formatting language i
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-allura-1.5.0.html b/posts/2016-allura-1.5.0.html
index 4008d45..e14125f 100644
--- a/posts/2016-allura-1.5.0.html
+++ b/posts/2016-allura-1.5.0.html
@@ -89,7 +89,7 @@ of the changes came from work done during Google Summer of
Code.</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-allura-1.6.0.html b/posts/2016-allura-1.6.0.html
index 1ad5876..16a59ed 100644
--- a/posts/2016-allura-1.6.0.html
+++ b/posts/2016-allura-1.6.0.html
@@ -82,7 +82,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-gsoc-16.html b/posts/2016-gsoc-16.html
index e792557..e56dd6f 100644
--- a/posts/2016-gsoc-16.html
+++ b/posts/2016-gsoc-16.html
@@ -160,7 +160,7 @@ clone the repository using <code>git clone
https://[email protected]
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2016-two-factor-auth.html b/posts/2016-two-factor-auth.html
index 2362b75..a298f29 100644
--- a/posts/2016-two-factor-auth.html
+++ b/posts/2016-two-factor-auth.html
@@ -90,7 +90,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2017-allura-1.7.0.html b/posts/2017-allura-1.7.0.html
index 576f522..752f430 100644
--- a/posts/2017-allura-1.7.0.html
+++ b/posts/2017-allura-1.7.0.html
@@ -81,7 +81,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2018-allura-1.10.0.html b/posts/2018-allura-1.10.0.html
index 96efff8..ed064cb 100644
--- a/posts/2018-allura-1.10.0.html
+++ b/posts/2018-allura-1.10.0.html
@@ -88,7 +88,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2018-allura-1.8.0.html b/posts/2018-allura-1.8.0.html
index 07540d5..6b9873f 100644
--- a/posts/2018-allura-1.8.0.html
+++ b/posts/2018-allura-1.8.0.html
@@ -95,7 +95,7 @@ This issue was discovered by Everardo Padilla Saca</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2018-allura-1.8.1.html b/posts/2018-allura-1.8.1.html
index f70c9b1..c4d157e 100644
--- a/posts/2018-allura-1.8.1.html
+++ b/posts/2018-allura-1.8.1.html
@@ -93,7 +93,7 @@ This issue was discovered by Everardo Padilla Saca</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2018-allura-1.9.0.html b/posts/2018-allura-1.9.0.html
index 61bbc84..dc23f9d 100644
--- a/posts/2018-allura-1.9.0.html
+++ b/posts/2018-allura-1.9.0.html
@@ -87,7 +87,7 @@ Of course there are also smaller improvements, fixes, and
performances improveme
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2019-allura-1.11.0.html b/posts/2019-allura-1.11.0.html
index a73da69..c128753 100644
--- a/posts/2019-allura-1.11.0.html
+++ b/posts/2019-allura-1.11.0.html
@@ -108,7 +108,7 @@ This issue was discovered by Bob "Wombat" Hogg</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2019-allura-1.11.1.html b/posts/2019-allura-1.11.1.html
index 2312c70..0bf7680 100644
--- a/posts/2019-allura-1.11.1.html
+++ b/posts/2019-allura-1.11.1.html
@@ -86,7 +86,7 @@ Users of Allura should upgrade to Allura 1.11.1</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2019-allura-1.12.0.html b/posts/2019-allura-1.12.0.html
index 353797d..89700f4 100644
--- a/posts/2019-allura-1.12.0.html
+++ b/posts/2019-allura-1.12.0.html
@@ -89,7 +89,7 @@ Users of Allura should upgrade to Allura 1.12.0</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2021-allura-1.13.0.html b/posts/2021-allura-1.13.0.html
index ec58668..3f56f34 100644
--- a/posts/2021-allura-1.13.0.html
+++ b/posts/2021-allura-1.13.0.html
@@ -96,7 +96,7 @@ outlined.</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2022-allura-1.14.0.html b/posts/2022-allura-1.14.0.html
index 8e93223..dfc045f 100644
--- a/posts/2022-allura-1.14.0.html
+++ b/posts/2022-allura-1.14.0.html
@@ -97,7 +97,7 @@ to the previous release 1.13.0 first, following its upgrade
instructions, and th
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2023-allura-1.15.0.html b/posts/2023-allura-1.15.0.html
index d8f7bc0..84d9e2b 100644
--- a/posts/2023-allura-1.15.0.html
+++ b/posts/2023-allura-1.15.0.html
@@ -91,7 +91,7 @@ and run <code>pip install ...</code> in it, and then use it
to run Allura.</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2023-allura-1.16.0.html b/posts/2023-allura-1.16.0.html
index e76bc7e..168bbd4 100644
--- a/posts/2023-allura-1.16.0.html
+++ b/posts/2023-allura-1.16.0.html
@@ -105,7 +105,7 @@ and run <code>pip install ...</code> in it, and then use it
to run Allura.</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/posts/2023-allura-1.16.0.html b/posts/2024-allura-1.17.0.html
similarity index 68%
copy from posts/2023-allura-1.16.0.html
copy to posts/2024-allura-1.17.0.html
index e76bc7e..c817e6a 100644
--- a/posts/2023-allura-1.16.0.html
+++ b/posts/2024-allura-1.17.0.html
@@ -2,7 +2,7 @@
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
- <title> Apache Allura 1.16.0 released with critical security fix
+ <title> Apache Allura 1.17.0 released, including critical security fix
</title>
<meta charset="utf-8">
<meta name="description" content="Allura is an open source implementation of
a software forge, a site that manages source code repositories, bug reports,
discussions, and more for projects.">
@@ -52,13 +52,13 @@
<div class="article-content">
<div class="row bg-white pad-vert-lg">
<div class="row">
- <h3 class="text-black text-center">Apache Allura 1.16.0 released with
critical security fix</h3>
+ <h3 class="text-black text-center">Apache Allura 1.17.0 released,
including critical security fix</h3>
</div>
<div class="post-info text-center">
Published:
- <abbr class="published" title="2023-11-06T00:00:00+00:00">
- Mon 06 November 2023
+ <abbr class="published" title="2024-06-10T00:00:00+00:00">
+ Mon 10 June 2024
</abbr>
<br>
Tagged:
@@ -69,33 +69,46 @@
<div class="col-20 no-float auto-margin">
<div class="row">
<div class="pad-md text-black"><h4>What's New?</h4>
-<p>Apache Allura 1.16.0 has been released. It has a critical security fix and
also drops Python 3.7 support.</p>
+<p>Apache Allura 1.17.0 has been released. It includes a critical security
fix, adds OAuth2 support, and more.</p>
<p>For full details of all the changes and fixes, see the <a
href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES
file</a>. </p>
<h4>Critical Security Fix</h4>
-<p>CVE-2023-46851 sensitive information exposure via import </p>
+<p>CVE-2024-36471 sensitive information exposure via DNS rebinding</p>
<p>Severity: Critical<br>
-Versions Affected: 1.0.1 through 1.15.0</p>
+Versions Affected: 1.0.1 through 1.16.0</p>
<p><strong>Description:</strong><br>
-Allura Discussion and Allura Forum importing does not restrict URL values
specified in attachments. Project administrators can run these imports, which
could cause Allura to read local files and expose them. Exposing internal
files then can lead to other exploits, like session hijacking, or remote code
execution.</p>
+Import functionality is vulnerable to DNS rebinding attacks between
verification and processing of the URL. Project administrators can run these
imports, which could cause Allura to read from internal services and expose
them.</p>
<p><strong>Mitigation:</strong><br>
-Users of Allura should upgrade to Allura 1.16.0 immediately.</p>
+Users of Allura should upgrade to Allura 1.17.0.</p>
<p>If you are unable to upgrade, set this in your .ini config file:</p>
<div
class="highlight"><pre><span></span><code>disable_entry_points.allura.importers
= forge-tracker, forge-discussion
</code></pre></div>
<p>That same .ini setting is also recommend for users who want maximum
security on their Allura instance and don't need those importers available.</p>
<p><strong>Credit:</strong><br>
-This issue was discovered by Stefan Schiller (Sonar)</p>
-<h4>Python 3.8 through 3.11 supported</h4>
-<p>This release drops support for Python 3.7 and supports Python 3.8 through
Python 3.11</p>
+This issue was discovered by <a href="https://x.com/truffzor">truff</a></p>
+<h4>OAuth2 Support</h4>
+<p>To enable OAuth 2 with an existing .ini file, add:</p>
+<div class="highlight"><pre><span></span><code>auth.oauth2.enabled = true
+</code></pre></div>
+
+<p>Then users can create and use OAuth2 client apps within their user setting
pages.</p>
+<h4>New Session Storage</h4>
+<p>New session cookie handling is available and more secure and safe. If you
have an existing Allura instance, you can enable it with the following
steps:</p>
+<ul>
+<li>add <code>session.jwt_secret_keys</code> to your .ini file, with a value
generated by <code>python -c 'import secrets;
print(secrets.token_hex());'</code></li>
+<li><code>session.type = cookie</code> is no longer used and can be
removed</li>
+<li>optionally <code>session.read_original_format = true</code> and rename
<code>session.validate_key</code> to
<code>session.original_format_validate_key</code> for backwards compatibility.
Remove after a transition period.</li>
+<li>optionally <code>session.write_original_format = true</code> if it takes a
while to deploy all your code to multiple hosts/procs. Then remove once all
processes have new code.</li>
+</ul>
+<h4>Breaking Changes for Custom Extensions</h4>
+<p><a href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a>
deprecates the <code>has_access(..)()</code> syntax. Custom extensions using
this syntax will need to remove the second <code>()</code> so that it is just
<code>has_access(..)</code>. Next releases will remove support for the old
syntax entirely.</p>
<h4>Upgrade Instructions</h4>
<p>To install updated dependencies, run: <code>pip install -r requirements.txt
--no-deps --upgrade --upgrade-strategy=only-if-needed</code></p>
-<p>Run: <code>paster ensure_index development.ini</code> in Allura dir</p>
-<p>If switching to a new version of Python, you will need to make a completely
new python virtual environment,
-and run <code>pip install ...</code> in it, and then use it to run Allura.</p>
+<p>Run: <code>paster ensure_index development.ini</code> in the Allura dir</p>
<p>If using docker, rebuild the allura image and restart containers.</p>
+<p>Also, see the sections above about OAuth2 and New Session Storage.</p>
<p>Feel free to ask any questions on the <a
href="https://lists.apache.org/[email protected]">dev mailing
list</a>.</p>
-<h4>Get 1.16.0</h4>
+<h4>Get 1.17.0</h4>
<p><a href="//allura.apache.org/download.html">Download Allura</a> and <a
href="https://forge-allura.apache.org/docs/getting_started/installation.html">install
it</a> today.</p></div>
</div>
</div>
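Review bot: in the Mitigation block, the workaround `disable_entry_points.allura.importers = forge-tracker, forge-discussion` is an unchanged context line carried over from the 1.16.0 notice, while the new Description widens the scope from "Allura Discussion and Allura Forum importing" to "Import functionality" in general. Please confirm that these two entry points cover every importer that fetches a user-supplied URL, or list the additional ones, so that operators who cannot upgrade know whether the workaround fully closes the DNS rebinding path. The new Mitigation line also drops "immediately" although Severity is still Critical; keep the urgency or say why it changed. Minor points: "is also recommend" in the context line should read "recommended", the New Session Storage item for `session.jwt_secret_keys` does not say how more than one key is written even though the setting name is plural, and "more secure and safe" would be more useful to operators if it named what the new cookie handling protects against.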
@@ -105,7 +118,7 @@ and run <code>pip install ...</code> in it, and then use it
to run Allura.</p>
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/tag/feature.html b/tag/feature.html
index 5836e43..035ef12 100644
--- a/tag/feature.html
+++ b/tag/feature.html
@@ -114,7 +114,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/tag/gsoc.html b/tag/gsoc.html
index ac022ac..34a6ed3 100644
--- a/tag/gsoc.html
+++ b/tag/gsoc.html
@@ -70,7 +70,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>
diff --git a/tag/release.html b/tag/release.html
index 6e630f1..66a5a49 100644
--- a/tag/release.html
+++ b/tag/release.html
@@ -52,6 +52,17 @@
<h2>Articles tagged 'release'</h2>
<div class="row bg-white pad-bot-md text-center">
+ <div class="row pad-top-md">
+ <h3><a class="text-black"
href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0
released, including critical security fix</a></h3>
+ </div>
+
+ <div class="post-info">
+ Published:
+ <abbr class="published" title="2024-06-10T00:00:00+00:00">
+ Mon 10 June 2024
+ </abbr>
+ </div>
+ <div class="entry-content"> <p>Version 1.17.0 of Allura released, including
a critical security fix</p> </div>
<div class="row pad-top-md">
<h3><a class="text-black"
href="//allura.apache.org/posts/2023-allura-1.16.0.html">Apache Allura 1.16.0
released with critical security fix</a></h3>
</div>
@@ -246,7 +257,7 @@
<div class="row">
<footer id="footer" class="bg-black text-white col-24">
- <p class="copy pad-top-sm text-center">Copyright © 2023 The Apache
Software Foundation, Licensed under
+ <p class="copy pad-top-sm text-center">Copyright © 2024 The Apache
Software Foundation, Licensed under
<a href="http://www.apache.org/licenses/LICENSE-2.0.html">the
Apache License, Version 2.0.</a></p>
<p class="copy pad-bot-sm text-center">Apache, Allura, Apache Allura,
and the Apache feather logo are trademarks of The Apache Software
Foundation.</p>
</footer>