Apache Allura 1.8.0 released
Apache Allura 1.8.0 has been released. It contains a Docker setup for production environments, and improved security and auditing around user logins. This release also contains a large number of fixes and smaller improvements. To see all the details, check out the release changelog.
Important Security Fix
CVE-2018-1299 Apache Allura directory traversal vulnerability
Apache Allura 1.7.0 and earlier
Unauthenticated attackers may retrieve arbitrary files through the Allura web application. Some webservers used with Allura, such as Nginx, Apache/mod_wsgi or paster, may prevent the attack from succeeding. Others, such as gunicorn, do not prevent it and leave Allura vulnerable.
Users of vulnerable webservers with Allura should upgrade to Allura 1.8.0 immediately.
This issue was discovered by Everardo Padilla Saca.