Apache Allura 1.8.0 released

New Features

Apache Allura 1.8.0 has been released. It contains a Docker setup for production environments, and improved security and auditing around user logins. This release also contains a large number of fixes and smaller improvements. To see all the details, check out the release changelog.

Important Security Fix

CVE-2018-1299 Apache Allura directory traversal vulnerability

Versions Affected:
Apache Allura 1.7.0 and earlier

Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi, or paster, may prevent the attack from succeeding. Others, such as gunicorn, do not prevent it and leave Allura vulnerable.

Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately.

This issue was discovered by Everardo Padilla Saca.

Get 1.8.0

Download Allura and install it today.