[ANNOUNCE] Apache Allura 1.16.0 released, contains critical security fix
The Apache Allura team is pleased to announce the release of Apache Allura 1.16.0

Apache Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

This release contains a critical security fix for CVE-2023-46851

If you are unable to upgrade, set this in your .ini config file:

disable_entry_points.allura.importers = forge-tracker, forge-discussion

That same .ini setting is also recommended for users who want maximum security on their Allura instance and don't need those importers available.

Also, this release drops support for Python 3.7

To see all the details and upgrade instructions, view the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download at https://allura.apache.org/download.html
CVE-2023-46851: Apache Allura: sensitive information exposure via import
Severity: critical

Affected versions:
- Apache Allura 1.0.1 through 1.15.0

Description:
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution.

This issue affects Apache Allura from 1.0.1 through 1.15.0.

Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.

Credit: Stefan Schiller (Sonar) (finder)

References:
https://allura.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46851
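For instances that cannot upgrade yet, the workaround named in the 1.16.0 announcement and in the CVE-2023-46851 advisory can be verified mechanically. The script below is an added example, not part of the original messages or of Allura's code; the sample configs are constructed, and because the advisory does not say which .ini section holds the key, the script assumes any section counts.

```python
import configparser

# Setting name and importer names exactly as given in the advisory.
KEY = "disable_entry_points.allura.importers"
REQUIRED = {"forge-tracker", "forge-discussion"}


def importers_still_enabled(ini_text):
    """Return the advisory's importer names that the config does not disable."""
    # interpolation=None: deployment .ini files may hold literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    disabled = set()
    # Assumption: the section Allura reads the key from is not stated in the
    # advisory, so [DEFAULT] and every named section are searched.
    scopes = [parser.defaults()] + [parser[name] for name in parser.sections()]
    for scope in scopes:
        value = scope.get(KEY, "")
        disabled.update(item.strip() for item in value.split(",") if item.strip())
    return sorted(REQUIRED - disabled)


# Constructed sample configs (not taken from a real deployment).
MITIGATED = """
[app:main]
example.key = 100%
disable_entry_points.allura.importers = forge-tracker, forge-discussion
"""
PARTIAL = """
[app:main]
disable_entry_points.allura.importers = forge-tracker
"""
COMMENTED_OUT = """
[app:main]
# disable_entry_points.allura.importers = forge-tracker, forge-discussion
"""

if __name__ == "__main__":
    for label, text in [("mitigated", MITIGATED), ("partial", PARTIAL),
                        ("commented out", COMMENTED_OUT)]:
        missing = importers_still_enabled(text)
        print(label, "->", "OK" if not missing else "still enabled: " + ", ".join(missing))
```

An empty result means both importers from the advisory are disabled; a commented-out or partial setting is reported as still enabled.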
[ANNOUNCE] Apache Allura 1.15.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.15.0

Apache Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

1.15.0 adds support for more Python versions (see next section) and Content-Security-Policy headers. Many other fixes and improvements are also included, they relate to SEO, performance and different parts of Allura.

This release supports Python 3.7 through Python 3.11

The next release will drop support for Python 3.7 so please upgrade your Python version soon, to stay compatible with future Allura releases.

To see all the details and upgrade instructions, view the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download at https://allura.apache.org/download.html
[ANNOUNCE] Apache Allura 1.14.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.14.0

Apache Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.14.0 includes a new app/tool, SEO improvements and a huge number of small fixes and improvements. The highlights are:

* Added ForgeFiles app for uploading and managing file releases.
* Many SEO improvements related to links, redirects, canonical and noindex tags.

For full details of all the changes and fixes, see the release notes linked below.

This release drops support for Python 2.7 and 3.6, and only supports Python 3.7.

To see all the details and upgrade instructions, view the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download at https://allura.apache.org/download.html
[ANNOUNCE] Apache Allura 1.13.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.13.0

Apache Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.13.0 includes some major updates and a huge list of small fixes and improvements. Some highlights are:

- Added ForgeFeedback app
- textarea inputs work better on mobile devices, and use browser spellchecker
- Forum importer for allura's own export format
- Allow multiple site-wide notices to be active

This release supports Python 2.7, 3.6, and 3.7. It is the last release planned to support Python 2.

To see all the details and upgrade instructions, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download at https://allura.apache.org/download.html
[ANNOUNCE] Apache Allura 1.12.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.12.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.12.0 adds username mention notifications, and smaller improvements and bugfixes. It also includes a security fix, so all users of Allura are recommended to upgrade.

To see all the details and upgrade instructions, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download at https://allura.apache.org/download.html
CVE-2019-10085 Apache Allura XSS vulnerability
CVE-2019-10085 Apache Allura XSS vulnerability in ticket user dropdown selector

Severity: Important

Versions Affected: 1.10.0 and earlier

Description: A vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.

Mitigation: Users of Allura should upgrade to Allura 1.11.0 immediately.

Credit: This issue was discovered by Bob "Wombat" Hogg
[ANNOUNCE] Apache Allura 1.11.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.11.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

The 1.11.0 release includes the following new features:

* Reaction support for comments
* Option to subscribe to forums and other types of threads, when posting
* @username mentions in markdown editor
* Optional HaveIBeenPwned checks for password changes

There are many smaller improvements and fixes as well. To see all the details and upgrade instructions, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.10.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.10.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

The 1.10.0 release includes the following new features:

* interactive checkmark lists
  * [x] done!
* emoji shortcode support :rocket:
* attachment support for blog posts, and new forum topics

This release also includes a critical security fix, so upgrading is strongly encouraged.

There are many smaller improvements and fixes as well. To see all the details and upgrade instructions, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.9.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.9.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Apache Allura 1.9.0 has been released, with a brand new personal dashboard which shows your own tickets, merge requests, projects etc. Another notable enhancement is automatic saving of content before form submission - no more lost text if you get logged out or disconnected. Support is added for display of checkbox lists from markdown, more search help, SVN snapshots of the current directory only, and bulk delete for tickets.

Of course there are also smaller improvements, fixes, and performance improvements as well. To see all the details, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[SECURITY] CVE-2018-1319 Apache Allura HTTP response splitting
CVE-2018-1319 Apache Allura HTTP response splitting

Severity: Important

Versions Affected: All

Description: Attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session.

Mitigation: Users of Allura should upgrade to Allura 1.8.1 immediately.

Credit: This issue was discovered by Everardo Padilla Saca
[ANNOUNCE] Apache Allura 1.8.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.8.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.8.0 has been released, containing a Docker setup for production environments, and improved security and auditing around user logins. This release also contains a large number of fixes and smaller improvements. This includes a fix for the security advisory CVE-2018-1299.

This release also contains numerous small improvements and bug fixes. To see all the details, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.7.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.7.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.7.0 has been released, with support for hi-res project logos, and better content control for "neighborhood" landing pages by using wiki pages.

This release also contains numerous small improvements and bug fixes. To see all the details, check out the release changelog at https://forge-allura.apache.org/p/allura/git/ci/rel/1.7.0/~/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.6.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.6.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.6.0 includes the introduction of multifactor authentication and recovery codes, a git-http docker container, and per-thread subscriptions in discussion forums.

For more details on the changes in this release, see https://allura.apache.org/posts/2016-allura-1.6.0.html

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.5.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.5.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

Version 1.5.0 adds a guided tour after project registration, improved design for discussions and their attachments, and various usability improvements for merge requests. Many of the changes came from work done during Google Summer of Code. See details on all those changes at: https://allura.apache.org/posts/2016-gsoc-16.html

Lots more improvements and fixes are in the 1.5.0 release. See the full list of changes at: https://forge-allura.apache.org/p/allura/git/ci/rel/1.5.0/~/tree/CHANGES

Download and installation instructions are available at https://allura.apache.org/
[ANNOUNCE] Apache Allura 1.4.0 released
The Apache Allura team is pleased to announce the release of Apache Allura 1.4.0

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs, and more for any number of individual projects.

The biggest new feature in 1.4.0 is the Admin Nav Bar. It's a complete overhaul of how you customize the tools in your project. To see how much easier it is to access tool configurations and add new tools, see http://allura.apache.org/posts/2016-admin-toolbar.html

Other significant improvements are:

* Config settings to show your custom logo and navigation links in the top header.
* New interface to manage sitewide notifications. You can specify custom messages to show up on certain pages or page types, or to certain types of users.
* Project exports now can include file attachments from all the tickets, wiki pages, comments, etc.
* Standardized fence blocks in Markdown. In addition to ~~~ to mark off code blocks, you can use the more common ```. It also works to nest code block notation, and specify the formatting language in more ways.

For a complete list of changes, see: https://forge-allura.apache.org/p/allura/git/ci/rel/1.4.0/~/tree/CHANGES

Download and installation instructions available at http://allura.apache.org/
[ANNOUNCE] Apache Allura 1.0.1 incubating release
The Apache Allura team is pleased to announce the release of version 1.0.1 from the Apache Incubator. This is its first release.

Allura is an open source implementation of a software forge, a web site that manages source code repositories, bug reports, discussions, wiki pages, blogs and more for any number of individual projects.

Download: http://www.apache.org/dyn/closer.cgi/incubator/allura/allura-incubating-1.0.1.tar.gz
Changes: http://s.apache.org/8WE
More info: https://forge-allura.apache.org/p/allura/

For questions, suggestions or any feedback, please join us on the allura-dev mailing list.

Disclaimer: Apache Allura is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator PMC. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.