Apache Allura 1.8.0 released

New Features

Apache Allura 1.8.0 has been released. It contains a Docker setup for production environments, and improved security and auditing around user logins. This release also contains a large number of fixes and smaller improvements. To see all the details, check out the release changelog.

Important Security Fix

CVE-2018-1299 Apache Allura directory traversal vulnerability

Versions Affected:
Apache Allura 1.7.0 and earlier

Description:
Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster may prevent the attack from succeeding. Others, such as gunicorn do not prevent it and leave Allura vulnerable.

Mitigation:
Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately.

Credit:
This issue was discovered by Everardo Padilla Saca

Get 1.8.0

Download Allura and install it today.