Apache Allura 1.17.1 released, with security fix
Tagged: release
What's New?
Apache Allura 1.17.1 has been released. It includes a security fix.
For full details of all the changes and fixes, see the CHANGES file.
Security Fix
CVE-2024-38379 Stored authenticated XSS
Severity: Moderate
Versions Affected: 1.4.0 through 1.17.0
Description:
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.
Mitigation:
Users of Allura should upgrade to Allura 1.17.1.
If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users.
Credit:
This issue was discovered by Ömer "WASP" Akincir.
Breaking Changes for Custom Extensions
#8556 deprecated the has_access(..)() syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second () so that it is just has_access(..).
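As an added example (not Allura's own code), the following stand-in models the post-1.17.1 behaviour of has_access(..), where the result is a plain bool with no second call, together with a test-time wrapper that makes any leftover has_access(..)() call in an extension fail with a message naming the removed syntax. The has_access implementation, the _StrictResult wrapper and the _Obj sample object are constructed for illustration and are not Allura's API.

```python
"""Stand-in for the has_access(..) change: constructed example, not Allura code."""


class _Obj:
    """Constructed sample object; real Allura objects carry a full ACL."""
    def __init__(self, perms):
        self.perms = set(perms)


def has_access(obj, permission):
    """Post-1.17.1 style: the check itself returns a plain bool.
    Assumption for this example: obj exposes a 'perms' set."""
    return permission in getattr(obj, "perms", set())


class _StrictResult:
    """Wraps the bool so the removed has_access(..)() form fails loudly
    instead of silently calling a bool (which would raise a vague TypeError)."""
    def __init__(self, value):
        self._value = bool(value)

    def __bool__(self):
        return self._value

    def __call__(self):
        raise TypeError(
            "has_access(..)() was deprecated in 1.17.0 (#8556) and is now "
            "removed; drop the trailing () and use has_access(..) as a bool")


def has_access_strict(obj, permission):
    """Test-time variant with the same answer, but the old call form raises."""
    return _StrictResult(has_access(obj, permission))


def uses_removed_syntax(check):
    """Run a zero-argument callable that performs an access check and report
    whether it still relies on the removed has_access(..)() form."""
    try:
        check()
    except TypeError as exc:
        return "has_access(..)()" in str(exc)
    return False


if __name__ == "__main__":
    project = _Obj({"read"})
    print(has_access(project, "read"))                                  # True
    print(uses_removed_syntax(lambda: has_access_strict(project, "read")()))      # True
    print(uses_removed_syntax(lambda: bool(has_access_strict(project, "read"))))  # False
```

Swapping has_access_strict in for has_access while running an extension's test suite turns every straggling has_access(..)() call into a failure that points at the migration, rather than a generic "bool object is not callable".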
Upgrade Instructions
If using docker, rebuild the allura image and restart containers.
Feel free to ask any questions on the dev mailing list.
Get 1.17.1 and install it today.