On 17/11/2020 00:43, Luca Milanesio wrote:
> Dear Gerrit Administrator,
>
> This is an early warning of a recent security problem discovered on Gerrit Code Review and documented at [1].
>
> You have been selected to receive very early notification about the problem because at least one of your Gerrit setups is available to the general public on the internet.
> We want to give you a few days before the general public is informed so that you can put in place the mitigation procedure before anyone can exploit it against your site.
>
> Please respect the confidentiality of this early notification, according to the embargo process documented at [2].
>
> We have also released a security fix for all the most recent versions of Gerrit impacted. See the corresponding download links below:
> v2.15.21 [3] (SHA256=0ef970a4aec3c40e85d8fe806974967fc728e61697175fc3cf48d20777ae9040)
> v2.16.25 [4] (SHA256=15e0eb6fca0f64b909fc3cf732712c498fcdfa40c9338378ea7f582012899d05)
> v3.0.15 [5] (SHA256=9579a076b718f362c1c41bd7e8746ac9304e7bc54ccca09b37c04ae18d8af185)
> v3.1.10 [6] (SHA256=36e43b73de21b275b3991f4245a8155db83d0a4d33b98fa49eb80be4c6c9fc41)
> v3.2.5 [7] (SHA256=34f0205f556bffe9f770b7c3fe65bad4e5781c543ccc0f9d0aabb0ecf6e66dd9)
>
> Gerrit v2.14 is also impacted, but it hasn't been possible to develop a software fix yet. You can still mitigate the problem by adjusting the Gerrit ACLs, as documented at [1].
>
> Note: Gerrit can be protected against this security issue by adjusting the ACLs. The upgrade is therefore not mandatory but strongly recommended. We always suggest going through a careful analysis of the release notes and a testing phase in staging before applying any upgrade.
>
> The issue is going to be published officially by Tuesday the 17th of November, together with release announcements and release notes.
>
> Please let us know in case of any questions on this matter.
>
> Gerrit Code Review Maintainers.
>
> --- * ---
>
> References:
> [1] https://bugs.chromium.org/p/gerrit/issues/detail?id=13621
> [2] https://gerrit-review.googlesource.com/Documentation/dev-processes.html#embargo
> [3] https://gerrit-releases.storage.googleapis.com/gerrit-2.15.21.war
> [4] https://gerrit-releases.storage.googleapis.com/gerrit-2.16.25.war
> [5] https://gerrit-releases.storage.googleapis.com/gerrit-3.0.15.war
> [6] https://gerrit-releases.storage.googleapis.com/gerrit-3.1.10.war
> [7] https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.war
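The advisory above publishes a SHA256 for each fixed release, and the check a practitioner should make before deploying is that the downloaded WAR actually matches it. The following shell snippet is an added example written for this page, not code from the Gerrit maintainers or from the advisory: the hash table is copied verbatim from the notification, while the function names, the use of `sha256sum` (falling back to `shasum -a 256` on macOS/BSD), and the local file path you pass in are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded Gerrit release WAR against the SHA256
# values published in the security notification before deploying it.
# The hashes below are copied from the advisory; everything else
# (function names, tool choice, file paths) is an assumption for illustration.

# Expected SHA256 for each fixed release named in the advisory.
# Returns non-zero for a version the advisory lists no hash for (e.g. 2.14).
gerrit_expected_sha256() {
    case "$1" in
        2.15.21) echo 0ef970a4aec3c40e85d8fe806974967fc728e61697175fc3cf48d20777ae9040 ;;
        2.16.25) echo 15e0eb6fca0f64b909fc3cf732712c498fcdfa40c9338378ea7f582012899d05 ;;
        3.0.15)  echo 9579a076b718f362c1c41bd7e8746ac9304e7bc54ccca09b37c04ae18d8af185 ;;
        3.1.10)  echo 36e43b73de21b275b3991f4245a8155db83d0a4d33b98fa49eb80be4c6c9fc41 ;;
        3.2.5)   echo 34f0205f556bffe9f770b7c3fe65bad4e5781c543ccc0f9d0aabb0ecf6e66dd9 ;;
        *) return 1 ;;
    esac
}

# Compute the SHA256 of a file; sha256sum on Linux, shasum elsewhere.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_gerrit_war <version> <path>
#   0 -> file hash matches the published value
#   1 -> hash mismatch (do not deploy)
#   2 -> unknown version or missing file
verify_gerrit_war() {
    version="$1"; path="$2"
    expected=$(gerrit_expected_sha256 "$version") || {
        echo "no published SHA256 for gerrit $version" >&2; return 2; }
    [ -f "$path" ] || { echo "missing file: $path" >&2; return 2; }
    actual=$(file_sha256 "$path")
    if [ "$actual" = "$expected" ]; then
        echo "OK   gerrit-$version.war matches the published SHA256" >&2
        return 0
    fi
    echo "FAIL gerrit-$version.war: expected $expected, got $actual" >&2
    return 1
}

# Usage (assumed local path): verify_gerrit_war 3.2.5 ./gerrit-3.2.5.war
```

Run it against the WAR fetched from the corresponding link in the advisory and refuse to deploy on anything other than exit status 0; a mismatch means either a corrupted download or a file that is not the one the maintainers published.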