This is an automated email from the ASF dual-hosted git repository.

brondsem pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/allura-site.git

The following commit(s) were added to refs/heads/asf-site by this push:
     new 90271ec announce 1.17.1
90271ec is described below

commit 90271ec2f4dd028d4a9c8a85ed307f89ebde1305
Author: Dave Brondsema <d...@brondsema.net>
AuthorDate: Fri Jun 21 13:21:41 2024 -0400

    announce 1.17.1
---
 _src/content/2024-allura-1.17.1.md | 44 +++++++++
 _src/pelicanconf.py | 4 +-
 download.html | 8 +-
 feeds/all.atom.xml | 22 ++++-
 feeds/tag.release.atom.xml | 22 ++++-
 index.html | 6 +-
 news.html | 11 +++
 download.html => posts/2024-allura-1.17.1.html | 125 +++++++++----------------
 tag/release.html | 11 +++
 9 files changed, 159 insertions(+), 94 deletions(-)

diff --git a/_src/content/2024-allura-1.17.1.md b/_src/content/2024-allura-1.17.1.md new file mode 100644 index 0000000..4ae870a --- /dev/null +++ b/_src/content/2024-allura-1.17.1.md 
@@ -0,0 +1,44 @@ +Title: Apache Allura 1.17.1 released, with security fix +Date: 2024-06-21 +Tags: release +Slug: allura-1.17.1 +Summary: Version 1.17.1 of Allura released, with security fix + +#### What's New? + +Apache Allura 1.17.1 has been released. It includes a security fix. + +For full details of all the changes and fixes, see the [CHANGES file](https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES). + +#### Security Fix + +CVE-2024-38379 Stored authenticated XSS + +Severity: Moderate<br> +Versions Affected: 1.4.0 through 1.17.0 + +**Description:**<br> +Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. + +**Mitigation:**<br> +Users of Allura should upgrade to Allura 1.17.1. + +If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users. + +**Credit:**<br> +This issue was discovered by Ömer "WASP" Akincir. + + +#### Breaking Changes for Custom Extensions + +[#8556](https://forge-allura.apache.org/p/allura/tickets/8556/) deprecated the `has_access(..)()` syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second `()` so that it is just `has_access(..)`. + +#### Upgrade Instructions + +If using docker, rebuild the allura image and restart containers. + +Feel free to ask any questions on the [dev mailing list](https://lists.apache.org/list.html?d...@allura.apache.org). + +#### Get 1.17.1 + +[Download Allura](//allura.apache.org/download.html) and [install it](https://forge-allura.apache.org/docs/getting_started/installation.html) today. diff --git a/_src/pelicanconf.py b/_src/pelicanconf.py index eb0feff..5555386 100644 --- a/_src/pelicanconf.py +++ b/_src/pelicanconf.py 
@@ -45,9 +45,9 @@ TAG_FEED_ATOM = 'feeds/tag.{slug}.atom.xml' CURRENT_YEAR = dt.date.today().year -RELEASE_VERSION = '1.17.0' +RELEASE_VERSION = '1.17.1' RELEASE_DATE = 'June 2024' -RELEASE_NEWS = 'posts/2024-allura-1.17.0.html' +RELEASE_NEWS = 'posts/2024-allura-1.17.1 .html' DIST_URL = 'https://downloads.apache.org/allura/' FORGE_ALLURA_URL = 'https://forge-allura.apache.org/' diff --git a/download.html b/download.html index dc683e8..12fd0a5 100644 --- a/download.html +++ b/download.html @@ -54,15 +54,15 @@ <div class="col-20 no-float auto-margin"> <div class="row"> <p class="pad-md"> - <a href="https://www.apache.org/dyn/closer.cgi/allura/allura-1.17.0.tar.gz">Download Allura v1.17.0</a>. This is the latest release of Apache Allura, released June 2024. - <a href="posts/2024-allura-1.17.0.html">Read what's new.</a> + <a href="https://www.apache.org/dyn/closer.cgi/allura/allura-1.17.1.tar.gz">Download Allura v1.17.1</a>. This is the latest release of Apache Allura, released June 2024. + <a href="posts/2024-allura-1.17.1 .html">Read what's new.</a> </p> <p> Verify the download: </p> <ul> - <li><a href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.sha512">SHA-512</a> checksum</li> - <li>PGP <a href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.asc">signature</a> & <a href="https://downloads.apache.org/allura/KEYS">keys</a></li> + <li><a href="https://downloads.apache.org/allura/allura-1.17.1.tar.gz.sha512">SHA-512</a> checksum</li> + <li>PGP <a href="https://downloads.apache.org/allura/allura-1.17.1.tar.gz.asc">signature</a> & <a href="https://downloads.apache.org/allura/KEYS">keys</a></li> </ul> <p> <a href="https://www.apache.org/info/verification.html">Instructions for how to verify a download using these files.</a> diff --git a/feeds/all.atom.xml b/feeds/all.atom.xml index ebeecde..c6af1c4 100644 --- a/feeds/all.atom.xml +++ b/feeds/all.atom.xml 
@@ -1,5 +1,25 @@ <?xml version="1.0" encoding="utf-8"?> -<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura</title><link href="//allura.apache.org/" rel="alternate"></link><link href="//allura.apache.org/feeds/all.atom.xml" rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-10T00:00:00+00:00</updated><entry><title>Apache Allura 1.17.0 released, including critical security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.0.html" rel="alternate"></link><published>2024-06-10T00:00:00+00:00</published><upd [...] +<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura</title><link href="//allura.apache.org/" rel="alternate"></link><link href="//allura.apache.org/feeds/all.atom.xml" rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-21T00:00:00+00:00</updated><entry><title>Apache Allura 1.17.1 released, with security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.1.html" rel="alternate"></link><published>2024-06-21T00:00:00+00:00</published><updated>2024-06-2 [...] +<p>Apache Allura 1.17.1 has been released. It includes a security fix.</p> +<p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p> +<h4>Security Fix</h4> +<p>CVE-2024-38379 Stored authenticated XSS</p> +<p>Severity: Moderate<br> +Versions Affected: 1.4.0 through 1.17.0</p> +<p><strong>Description:</strong><br> +Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. 
Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.</p> +<p><strong>Mitigation:</strong><br> +Users of Allura should upgrade to Allura 1.17.1.</p> +<p>If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users.</p> +<p><strong>Credit:</strong><br> +This issue was discovered by Ömer "WASP" Akincir.</p> +<h4>Breaking Changes for Custom Extensions</h4> +<p><a href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a> deprecated the <code>has_access(..)()</code> syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second <code>()</code> so that it is just <code>has_access(..)</code>. </p> +<h4>Upgrade Instructions</h4> +<p>If using docker, rebuild the allura image and restart containers.</p> +<p>Feel free to ask any questions on the <a href="https://lists.apache.org/list.html?d...@allura.apache.org">dev mailing list</a>.</p> +<h4>Get 1.17.1</h4> +<p><a href="//allura.apache.org/download.html">Download Allura</a> and <a href="https://forge-allura.apache.org/docs/getting_started/installation.html">install it</a> today.</p></content><category term="misc"></category><category term="release"></category></entry><entry><title>Apache Allura 1.17.0 released, including critical security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.0.html" rel="alternate"></link><published>2024-06-10T [...] <p>Apache Allura 1.17.0 has been released. It includes a critical security fix, adds OAuth2 support, and more.</p> <p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p> <h4>Critical Security Fix</h4> diff --git a/feeds/tag.release.atom.xml b/feeds/tag.release.atom.xml index 2c96076..5c9dda3 100644 --- a/feeds/tag.release.atom.xml 
+++ b/feeds/tag.release.atom.xml 
@@ -1,5 +1,25 @@ <?xml version="1.0" encoding="utf-8"?> -<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura - release</title><link href="//allura.apache.org/" rel="alternate"></link><link href="//allura.apache.org/feeds/tag.release.atom.xml" rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-10T00:00:00+00:00</updated><entry><title>Apache Allura 1.17.0 released, including critical security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.0.html" rel="alternate"></link><published>2024-06-10T00:00:00+00: [...] +<feed xmlns="http://www.w3.org/2005/Atom"><title>Apache Allura - release</title><link href="//allura.apache.org/" rel="alternate"></link><link href="//allura.apache.org/feeds/tag.release.atom.xml" rel="self"></link><id>//allura.apache.org/</id><updated>2024-06-21T00:00:00+00:00</updated><entry><title>Apache Allura 1.17.1 released, with security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.1.html" rel="alternate"></link><published>2024-06-21T00:00:00+00:00</published> [...] +<p>Apache Allura 1.17.1 has been released. It includes a security fix.</p> +<p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p> +<h4>Security Fix</h4> +<p>CVE-2024-38379 Stored authenticated XSS</p> +<p>Severity: Moderate<br> +Versions Affected: 1.4.0 through 1.17.0</p> +<p><strong>Description:</strong><br> +Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. 
Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.</p> +<p><strong>Mitigation:</strong><br> +Users of Allura should upgrade to Allura 1.17.1.</p> +<p>If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users.</p> +<p><strong>Credit:</strong><br> +This issue was discovered by Ömer "WASP" Akincir.</p> +<h4>Breaking Changes for Custom Extensions</h4> +<p><a href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a> deprecated the <code>has_access(..)()</code> syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second <code>()</code> so that it is just <code>has_access(..)</code>. </p> +<h4>Upgrade Instructions</h4> +<p>If using docker, rebuild the allura image and restart containers.</p> +<p>Feel free to ask any questions on the <a href="https://lists.apache.org/list.html?d...@allura.apache.org">dev mailing list</a>.</p> +<h4>Get 1.17.1</h4> +<p><a href="//allura.apache.org/download.html">Download Allura</a> and <a href="https://forge-allura.apache.org/docs/getting_started/installation.html">install it</a> today.</p></content><category term="misc"></category><category term="release"></category></entry><entry><title>Apache Allura 1.17.0 released, including critical security fix</title><link href="//allura.apache.org/posts/2024-allura-1.17.0.html" rel="alternate"></link><published>2024-06-10T [...] <p>Apache Allura 1.17.0 has been released. It includes a critical security fix, adds OAuth2 support, and more.</p> <p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p> <h4>Critical Security Fix</h4> diff --git a/index.html b/index.html index 077e834..656e939 100644 --- a/index.html +++ b/index.html 
@@ -84,18 +84,18 @@ <h3 class="text-center">Get the Latest Version of Allura</h3> <div class="row pad-vert-md"> <div id="release" class="col-12 auto-margin pad-vert-xs text-center"> - <a href="//allura.apache.org/download.html"><button class="auto-margin">Download v1.17.0</button></a> + <a href="//allura.apache.org/download.html"><button class="auto-margin">Download v1.17.1</button></a> <span class="text-white">June 2024 —</span> - <a href="posts/2024-allura-1.17.0.html">What's New</a> + <a href="posts/2024-allura-1.17.1 .html">What's New</a> </div> <div id="news" class="col-12 auto-margin pad-vert-xs text-center"> <h5>News</h5> <ul> + <li><a href="//allura.apache.org/posts/2024-allura-1.17.1.html">Apache Allura 1.17.1 released, with security fix</a></li> <li><a href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0 released, including critical security fix</a></li> <li><a href="//allura.apache.org/posts/2023-allura-1.16.0.html">Apache Allura 1.16.0 released with critical security fix</a></li> <li><a href="//allura.apache.org/posts/2023-allura-1.15.0.html">Apache Allura 1.15.0 released</a></li> <li><a href="//allura.apache.org/posts/2022-allura-1.14.0.html">Apache Allura 1.14.0 released</a></li> - <li><a href="//allura.apache.org/posts/2021-allura-1.13.0.html">Apache Allura 1.13.0 released</a></li> <li><a href="//allura.apache.org/news.html">All News →</a></li> </ul> </div> diff --git a/news.html b/news.html index d6af8ac..b58d54d 100644 --- a/news.html +++ b/news.html 
@@ -52,6 +52,17 @@ <h2>All News</h2> <div class="row bg-white pad-bot-md text-center"> + <div class="row pad-top-md"> + <h3><a class="text-black" href="//allura.apache.org/posts/2024-allura-1.17.1.html">Apache Allura 1.17.1 released, with security fix</a></h3> + </div> + + <div class="post-info"> + Published: + <abbr class="published" title="2024-06-21T00:00:00+00:00"> + Fri 21 June 2024 + </abbr> + </div> + <div class="entry-content"> <p>Version 1.17.1 of Allura released, with security fix</p> </div> <div class="row pad-top-md"> <h3><a class="text-black" href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0 released, including critical security fix</a></h3> </div> diff --git a/download.html b/posts/2024-allura-1.17.1.html similarity index 54% copy from download.html copy to posts/2024-allura-1.17.1.html index dc683e8..11f5959 100644 --- a/download.html +++ b/posts/2024-allura-1.17.1.html @@ -1,8 +1,9 @@ <!DOCTYPE html> <html lang="en"> <head> - <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> - <title>Apache Allura</title> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> + <title> Apache Allura 1.17.1 released, with security fix +</title> <meta charset="utf-8"> <meta name="description" content="Allura is an open source implementation of a software forge, a site that manages source code repositories, bug reports, discussions, and more for projects."> <meta name="keywords" content=""> @@ -31,9 +32,12 @@ <link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/flex.min.css"> <link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/style.css"> + <link rel="stylesheet" type="text/css" href="//allura.apache.org/theme/css/article.css"> + + </head> -<body cz-shortcut-listen="true" class="pg-download"> +<body cz-shortcut-listen="true" class="pg-"> <section id="content_wrapper" class="mobile-desktop row"> <div id="header" class="row "> <header id="login_header" class="row"> 
@@ -45,96 +49,50 @@ </header> </div> -<div id="about" class="row bg-white pad-vert-xl"> + <div class="article-content"> +<div class="row bg-white pad-vert-lg"> <div class="row"> - <h3 class="text-black text-center">Download Allura</h3> + <h3 class="text-black text-center">Apache Allura 1.17.1 released, with security fix</h3> + </div> + + <div class="post-info text-center"> + Published: + <abbr class="published" title="2024-06-21T00:00:00+00:00"> + Fri 21 June 2024 + </abbr> + <br> + Tagged: + <a href="//allura.apache.org/tag/release.html">release</a> </div> <div class="row"> <div class="col-20 no-float auto-margin"> <div class="row"> - <p class="pad-md"> - <a href="https://www.apache.org/dyn/closer.cgi/allura/allura-1.17.0.tar.gz">Download Allura v1.17.0</a>. This is the latest release of Apache Allura, released June 2024. - <a href="posts/2024-allura-1.17.0.html">Read what's new.</a> - </p> - <p> - Verify the download: - </p> - <ul> - <li><a href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.sha512">SHA-512</a> checksum</li> - <li>PGP <a href="https://downloads.apache.org/allura/allura-1.17.0.tar.gz.asc">signature</a> & <a href="https://downloads.apache.org/allura/KEYS">keys</a></li> - </ul> - <p> - <a href="https://www.apache.org/info/verification.html">Instructions for how to verify a download using these files.</a> - </p> + <div class="pad-md text-black"><h4>What's New?</h4> +<p>Apache Allura 1.17.1 has been released. It includes a security fix.</p> +<p>For full details of all the changes and fixes, see the <a href="https://forge-allura.apache.org/p/allura/git/ci/master/tree/CHANGES">CHANGES file</a>. </p> +<h4>Security Fix</h4> +<p>CVE-2024-38379 Stored authenticated XSS</p> +<p>Severity: Moderate<br> +Versions Affected: 1.4.0 through 1.17.0</p> +<p><strong>Description:</strong><br> +Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. 
Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.</p> +<p><strong>Mitigation:</strong><br> +Users of Allura should upgrade to Allura 1.17.1.</p> +<p>If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users.</p> +<p><strong>Credit:</strong><br> +This issue was discovered by Ömer "WASP" Akincir.</p> +<h4>Breaking Changes for Custom Extensions</h4> +<p><a href="https://forge-allura.apache.org/p/allura/tickets/8556/">#8556</a> deprecated the <code>has_access(..)()</code> syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second <code>()</code> so that it is just <code>has_access(..)</code>. </p> +<h4>Upgrade Instructions</h4> +<p>If using docker, rebuild the allura image and restart containers.</p> +<p>Feel free to ask any questions on the <a href="https://lists.apache.org/list.html?d...@allura.apache.org">dev mailing list</a>.</p> +<h4>Get 1.17.1</h4> +<p><a href="//allura.apache.org/download.html">Download Allura</a> and <a href="https://forge-allura.apache.org/docs/getting_started/installation.html">install it</a> today.</p></div> </div> </div> </div> </div> - -<div id="latest" class="row pad-vert-xl parallax" style="background-position: 0px 0px;"> - <div class="col-16 no-float auto-margin"> - <div class="row"> - <h3 class="text-center">More about Allura</h3> - <div class="text-center row text-white"> - <p class="pad-md"> - See the <a href="//allura.apache.org/">Allura homepage</a> for latest news, instructions, and project information. 
- </p> - <p> - <a href="https://archive.apache.org/dist/allura/">Archive of older releases</a> - </p> - </div> - </div> - </div> - - <div class="col-8"> - <div class="row"> - <div class="col-12 no-float auto-margin"> - </div> - <div class="col-12 no-float auto-margin"> - </div> - </div> - </div> -</div> - - -<div id="apache" class="row bg-orange pad-vert-xl"> - <div class="col-20 no-float auto-margin"> - <div class="row"> - <h3 class="text-center">Apache Software Foundation</h3> - </div> - - <div class="row"> - <img class="auto-margin pad-vert-md" src="theme/img/logo-asf-apache.png" alt="apache software foundation logo"> - </div> - - <div class="row auto-margin button-container"> - <div class="col-8 pad-vert-sm"> - <a href="https://www.apache.org/licenses/"><button class="auto-margin">License</button></a> - </div> - - <div class="col-8 pad-vert-sm"> - <a href="https://www.apache.org/foundation/sponsorship.html"><button class="auto-margin">Sponsorship</button></a> - </div> - - <div class="col-8 pad-vert-sm"> - <a href="https://www.apache.org/foundation/thanks.html"><button class="auto-margin">Thanks</button></a> - </div> - </div> - <div class="row auto-margin button-container"> - <div class="col-8 pad-vert-sm"> - <a href="https://www.apache.org/security/"><button class="auto-margin">Security</button></a> - </div> - - <div class="col-8 pad-vert-sm"> - <a href="https://privacy.apache.org/policies/privacy-policy-public.html"><button class="auto-margin">Privacy Policy</button></a> - </div> - - <div class="col-8 pad-vert-sm"> - <a href="https://www.apache.org/"><button class="auto-margin">Apache™</button></a> - </div> - </div> - </div> </div> <div class="row"> 
@@ -148,6 +106,7 @@ <script type="application/javascript" src="//allura.apache.org/theme/js/jquery-1.11.2.min.js"></script> <script type="application/javascript" src="//allura.apache.org/theme/js/frontend.js"></script> + <script type="application/javascript" src="//allura.apache.org/theme/js/article.js"></script> <!-- Credits Logo Design: Will Leonard diff --git a/tag/release.html b/tag/release.html index 66a5a49..41e124f 100644 --- a/tag/release.html +++ b/tag/release.html @@ -52,6 +52,17 @@ <h2>Articles tagged 'release'</h2> <div class="row bg-white pad-bot-md text-center"> + <div class="row pad-top-md"> + <h3><a class="text-black" href="//allura.apache.org/posts/2024-allura-1.17.1.html">Apache Allura 1.17.1 released, with security fix</a></h3> + </div> + + <div class="post-info"> + Published: + <abbr class="published" title="2024-06-21T00:00:00+00:00"> + Fri 21 June 2024 + </abbr> + </div> + <div class="entry-content"> <p>Version 1.17.1 of Allura released, with security fix</p> </div> <div class="row pad-top-md"> <h3><a class="text-black" href="//allura.apache.org/posts/2024-allura-1.17.0.html">Apache Allura 1.17.0 released, including critical security fix</a></h3> </div>
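Review bot: In the `_src/pelicanconf.py` hunk, `RELEASE_NEWS = 'posts/2024-allura-1.17.1 .html'` has a stray space before `.html`, and the regenerated pages carry it through: the "Read what's new." link in download.html and the "What's New" link in index.html both point at `posts/2024-allura-1.17.1 .html`, while this commit creates the post at `posts/2024-allura-1.17.1.html`. Those two links are the ones a reader follows from the download button to reach the CVE-2024-38379 notice, so remove the space and regenerate; the news-list entries in index.html, news.html and tag/release.html already use the correct path.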
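Review bot: In `_src/content/2024-allura-1.17.1.md`, the "Breaking Changes for Custom Extensions" section sits apart from the "Mitigation" text, so a reader who stops at "Users of Allura should upgrade to Allura 1.17.1." does not learn that the same release removes the `has_access(..)()` syntax and that custom extensions still using it need a code change before the upgrade. Consider a one-sentence pointer to that section under Mitigation. The "Upgrade Instructions" section also covers only the docker case ("If using docker, rebuild the allura image and restart containers."); a line for non-docker installs, or a link to the upgrade documentation, would make the mitigation actionable for everyone in the affected range 1.4.0 through 1.17.0.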
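Review bot: In the `posts/2024-allura-1.17.1.html` hunk, the generated body tag is `<body cz-shortcut-listen="true" class="pg-">`, so the article template emits a page class with an empty suffix where download.html had `pg-download`. Give article pages a page name (or drop the class when none is set) so any `pg-*` styling applies predictably. The `cz-shortcut-listen="true"` attribute appears on both the old and new body lines, which suggests it was saved into the base template from a browser session rather than written deliberately; it is worth removing from the template in a follow-up.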