Apache Allura 1.17.1 released, with security fix

What's New?

Apache Allura 1.17.1 has been released. It includes a security fix.

For full details of all the changes and fixes, see the CHANGES file.

Security Fix

CVE-2024-38379 Stored authenticated XSS

Severity: Moderate
Versions Affected: 1.4.0 through 1.17.0

Description:
Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted.

Mitigation:
Users of Allura should upgrade to Allura 1.17.1.

If you are unable to upgrade, review your neighborhood admins and ensure they are all fully trusted users.

Credit:
This issue was discovered by Ömer "WASP" Akincir.

Breaking Changes for Custom Extensions

#8556 deprecated the has_access(..)() syntax in 1.17.0, and support for it is now removed. Custom extensions using this syntax will need to remove the second () so that it is just has_access(..).

Upgrade Instructions

If using Docker, rebuild the allura image and restart the containers.

Feel free to ask any questions on the dev mailing list.

Get 1.17.1

Download Allura and install it today.