Apache Allura 1.17.0 released, including critical security fix

What's New?

Apache Allura 1.17.0 has been released. It includes a critical security fix, adds OAuth2 support, and more.

For full details of all the changes and fixes, see the CHANGES file.

Critical Security Fix

CVE-2024-36471 sensitive information exposure via DNS rebinding

Severity: Critical
Versions Affected: 1.0.1 through 1.16.0

Description:
Import functionality is vulnerable to DNS rebinding attacks: the host name in a user-supplied URL can resolve to a different address between verification of the URL and processing of it. Project administrators can run these imports, which could cause Allura to read from internal services and expose their contents.

Mitigation:
Users of Allura should upgrade to Allura 1.17.0.

If you are unable to upgrade, set this in your .ini config file:

disable_entry_points.allura.importers = forge-tracker, forge-discussion

That same .ini setting is also recommended for users who want maximum security on their Allura instance and don't need those importers available.
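The general defence against this class of bug is to connect to the address that was checked rather than letting the HTTP client resolve the name a second time at fetch time. The following is an added example of that pin-the-resolved-address check; it is not Allura's code, the host names and DNS answers are constructed, and for https the caller must still verify the certificate against the original host name.

```python
from __future__ import annotations
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast addresses, v4 or v6."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def system_resolver(host: str) -> list[str]:
    """Resolve once through the OS resolver; return every address, not just the first."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def pin_url(url: str, resolver=system_resolver) -> tuple[str, str]:
    """Check `url` and return (url rewritten to a vetted IP literal, original host).

    The caller connects to the IP literal and sends the original host in the Host
    header, so the address that was checked is the address that is used. Letting
    the HTTP client resolve the name again at fetch time is the rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs with a host are allowed")
    host = parts.hostname
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} did not resolve")
    # Every record must pass: a rebinding name can answer with one public and one
    # internal address, and the client may connect to either.
    blocked = [a for a in addrs if not is_public_address(a)]
    if blocked:
        raise ValueError(f"{host} resolves to non-public address(es): {blocked}")
    ip = addrs[0]
    netloc = f"[{ip}]" if ":" in ip else ip
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, "")), host

if __name__ == "__main__":
    # Constructed DNS answers standing in for a real resolver, so this runs offline.
    fake_dns = {"public.test": ["93.184.216.34"],
                "rebind.test": ["93.184.216.34", "10.0.0.5"]}
    print(pin_url("http://public.test/export.json", fake_dns.__getitem__))
    try:
        pin_url("http://rebind.test/export.json", fake_dns.__getitem__)
    except ValueError as err:
        print("blocked:", err)
```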

Credit:
This issue was discovered by truff.

OAuth2 Support

To enable OAuth 2 with an existing .ini file, add:

auth.oauth2.enabled = true

Then users can create and use OAuth2 client apps within their user setting pages.

New Session Storage

New session cookie handling is available and is more secure. If you have an existing Allura instance, you can enable it with the following steps:

  • add session.jwt_secret_keys to your .ini file, with a value generated by python -c 'import secrets; print(secrets.token_hex());'
  • session.type = cookie is no longer used and can be removed
  • optionally set session.read_original_format = true and rename session.validate_key to session.original_format_validate_key for backwards compatibility; remove both after a transition period
  • optionally set session.write_original_format = true if it takes a while to deploy the new code to all your hosts/processes; remove it once every process is running the new code

Breaking Changes for Custom Extensions

#8556 deprecates the has_access(..)() syntax. Custom extensions using this syntax will need to remove the second () so that it is just has_access(..). Next releases will remove support for the old syntax entirely.

Upgrade Instructions

To install updated dependencies, run: pip install -r requirements.txt --no-deps --upgrade --upgrade-strategy=only-if-needed

Run paster ensure_index development.ini in the Allura directory.

If using docker, rebuild the allura image and restart containers.

Also, see the sections above about OAuth2 and New Session Storage.

Feel free to ask any questions on the dev mailing list.

Get 1.17.0

Download Allura and install it today.