Apache Allura 1.11.0 released
Apache Allura 1.11.0 has been released, with new features including:
- Reaction support for comments
- Option to subscribe to forums and other types of threads, when posting
- @username mentions in markdown editor
- Optional HaveIBeenPwned checks for password changes
Important Security Fix
CVE-2019-10085 Apache Allura XSS vulnerability in ticket user dropdown selector
Versions Affected: 1.10.0 and earlier
A vulnerability exists for stored XSS on the user dropdown selector when creating or editing tickets. The XSS executes when a user engages with that dropdown on that page.
Users of Allura should upgrade to Allura 1.11.0 immediately.
This issue was discovered by Bob "Wombat" Hogg.
There are many smaller improvements and fixes as well. To see all the details and upgrade instructions, check out the release changelog.