Name                       Modified    Size
manager-1.10.0.zip         2025-06-14  5.7 MB
fedclient-1.10.0.zip       2025-06-14  14.7 MB
gbapi-1.10.0.zip           2025-06-14  2.0 MB
gitblit-1.10.0.tar.gz      2025-06-14  53.2 MB
gitblit-1.10.0.war         2025-06-14  51.1 MB
gitblit-1.10.0.zip         2025-06-14  53.5 MB
1.10.0 source code.tar.gz  2025-06-14  8.0 MB
1.10.0 source code.zip     2025-06-14  8.7 MB
README.md                  2025-06-14  5.1 kB
Totals: 9 Items, 196.9 MB, 17 downloads / week

Update Note

This release fixes a vulnerability allowing an attacker to circumvent authentication on the SSH transport. Users are urged to update to this version.

If you disabled the Flash-based copy-to-clipboard function because it no longer worked (web.allowFlashCopyToClipboard = false), you may want to reconsider and enable it again. The configuration property keeps the same name, but the mechanism behind it has been replaced. Flash is gone, and a modern JavaScript solution is now used to copy text directly to the clipboard (via clipboard.js).

The setting server.requireClientCertificates now has three values: required, optional and none. required is equivalent to the old true value and optional is equivalent to the old false value, while the new none value results in the server never asking the client to present any client certificate at all. The old values true and false can still be used and keep their meaning.

From 1.10.0 on, Gitblit requires Java 8 as the minimum Java version.


Highlights:

  • Support for ECDSA and Ed25519 SSH keys
  • Fix vulnerability that allowed SSH authentication to be circumvented
  • Explicitly disable requesting optional client TLS certificates
  • Copy-to-clipboard button is back and working
  • Minimal required Java version is Java 8

While old DSA SSH host keys can still be used, a new Gitblit installation will no longer generate a DSA host key. The default set of host keys is now RSA, ECDSA and Ed25519.

Snapshot builds of the current master branch are now available as Docker containers on Docker Hub under the "Nightly" tag.

Security

  • Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/". (CVE-2022-31268) This was fixed by updating Jetty. (issue [#1409])
  • Fix exploit circumventing SSH authentication. Many thanks to András Veres-Szentkirályi (silentsignal.eu) for the report. (CVE-2024-28080)
  • Fix vulnerability exposing user password hashes to administrators when an administrator edits a user's properties. Many thanks to Gerhard Klostermeier (syss.de) for the report.
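
A log check for requests of the shape named in the CVE-2022-31268 entry above, useful for reviewing access logs from before the upgrade. This is an added example, not part of the Gitblit release notes or code base; the access-log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jun/2025:10:00:01 +0000] "GET /resources/gitblit.css HTTP/1.1" 200 5120
192.0.2.44 - - [14/Jun/2025:10:00:07 +0000] "GET /resources//../WEB-INF/ HTTP/1.1" 200 9876
192.0.2.44 - - [14/Jun/2025:10:00:09 +0000] "GET /resources/%2e%2e/web-inf/ HTTP/1.1" 404 0
192.0.2.10 - - [14/Jun/2025:10:00:12 +0000] "GET /summary/demo.git HTTP/1.1" 200 20480
"""

# client, method, request target and status code of one log line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def is_webinf_traversal(target):
    """True if a /resources/ request climbs out with '..' and names WEB-INF."""
    # Drop the query string, then percent-decode so encoded dots are seen too.
    path = unquote(target.split("?", 1)[0])
    if not path.lower().startswith("/resources/"):
        return False
    segments = path.split("/")
    names_webinf = any(s.lower() == "web-inf" for s in segments)
    return ".." in segments and names_webinf


def find_traversal_attempts(log_text):
    """Return one finding per matching request; 'served' marks 2xx responses."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        if is_webinf_traversal(target):
            findings.append({"client": client, "target": target,
                             "served": status.startswith("2")})
    return findings


if __name__ == "__main__":
    for f in find_traversal_attempts(SAMPLE_LOG):
        print(f["client"], f["target"], "served" if f["served"] else "rejected")
```

A finding with a 2xx status on a pre-1.10.0 instance is the one to investigate first, since it indicates content was returned for the request.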

Fixes

  • Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue [#1359], PR [#1435])
  • Fix tab-to-space conversion to work like tabs. (PR [#1065] by @QuentinC)
  • Fix user effective permission display when user is in multiple groups with different permissions. (PR [#1100] by @felazuris)
  • Fix issue in pt under Python 3. (PR [#1428] by @urkle)
  • Fix null pointer exception which could occur during debug logging. (PR [#1433])
  • Fix Bugtraq to fall back to UTF-8 if the commit encoding is unsupported.
  • Fix errors in Bugtraq preventing display of commit completely.
  • Fix misaligned images in primary repository URL display. (issue [#1437])
  • Fix incorrect text being copied by copy button on tickets page.
  • Fix broken language files.
  • Fix problems with single quotes in message texts. (PR [#1455] by @losiki)

Changes

  • Minimum Java required increased to Java 8. (PR [#1218] by @paladox)
  • Added feedback on invalid keys to SSH key form. (issue [#984], PR [#1239] by @martinspielmann)
  • Replaced old Flash-based Clippy copy-paste buttons to copy repository URLs and other text to the clipboard with a modern JavaScript-based approach via clipboard.js. (issue [#1241], issue [#965], PR [#1438] by @flaix)
  • Updated various dependencies that had known CVEs.
  • Updated Git clients list on empty repository page.
  • Improved Chinese translation of "fork".
  • Switched logging library from Log4j1 to reload4j.
  • Updating the BouncyCastle version required switching from bc*-jdk15on to bc*-jdk18on.

Additions

  • Option to explicitly disable optional client TLS certificates. (issue [#1137], PR [#1138] by @oddeirik)
  • Support for ECDSA and Ed25519 (EdDSA) user keys. (PR [#1427], PR [#1272])
  • New ECDSA and EdDSA host key types. (issue [#1354], PR [#1429] by @flaix)
  • French version of empty repository page. (by @piradix)
  • Add support for Jenkins access token. Use setting `groovy.jenkinsToken`. (issue [#1423], PR [#1425] by @TDesjardins)

Full release notes on [gitblit.com](http://www.gitblit.com/releases.html#1

Source: README.md, updated 2025-06-14