Download Latest Version
1.10.0 source code.tar.gz (8.0 MB)
Get an email when there's a new version of Gitblit
| Name | Modified | Size | Downloads / Week |
|---|---|---|---|
| Parent folder | |||
| manager-1.9.3.zip | 2022-04-09 | 5.3 MB | |
| fedclient-1.9.3.zip | 2022-04-09 | 13.2 MB | |
| gbapi-1.9.3.zip | 2022-04-09 | 1.9 MB | |
| gitblit-1.9.3.tar.gz | 2022-04-09 | 43.7 MB | |
| gitblit-1.9.3.war | 2022-04-09 | 41.1 MB | |
| gitblit-1.9.3.zip | 2022-04-09 | 44.0 MB | |
| 1.9.3 source code.tar.gz | 2022-04-09 | 8.0 MB | |
| 1.9.3 source code.zip | 2022-04-09 | 8.7 MB | |
| README.md | 2022-04-09 | 1.5 kB | |
| Totals: 9 Items | 165.8 MB | 2 | |
Update Note
The 1.9 minor version is the last to support Java 7. From 1.10 on Gitblit will require Java 8.
!! IMPORTANT SECURITY FIX FOR CONFIG USER SERVICE !!
There is a security vulnerability in version 1.9.2, which allows an attacker to gain elevated access rights. This is present when the Config User Service is used as the user service, which is the default.
Version 1.9.2 introduced a new implementation to store user data in the user config file which holds user name, password, access rights etc. This was done to solve problems with very large user bases (PR [#1364]). This new implementation does not properly escape all control characters, like newline and tab. As a result, a normal user, when logged into Gitblit, can edit his profile data and enter values in e.g. the email address that are interpreted as control characters in the text file stored on disk. This allows the malicious user to give themselves e.g. elevated access rights on their account.
This is fixed in 1.9.3. Updates of existing installations should be made to 1.9.3, not 1.9.2.
Many thanks to Github user @YYHYlh for finding and reporting this issue (issue [#1410]).
Security
- Fix escaping control characters in config user service, resolving a security vulnerability. (issue [#1410])
Full release notes on [gitblit.com](http://gitblit.github.io/gitblit/releases.html#1