RhodeCode 4.9.0 Release: VCS Security Release

Published on August 13, 2017, by Marcin Kuzminski


Our latest release, RhodeCode 4.9, is out. This is an unscheduled release that addresses the security vulnerabilities found in the 3 version control systems RhodeCode uses.

The highlights of this release are:

  • Updated all 3 VCS systems to versions with the security fix applied.
  • Mercurial streaming fix
  • Fix integration URLs

Take a few minutes to update your RhodeCode instance:
rccontrol self-update && rccontrol upgrade '*'

New to RhodeCode? Download the latest RhodeCode 4.9 Series from our website.
Keep reading for full release details.

Security

After the announcement from RecurityLabs about security problems found in SCM tools (http://blog.recurity-labs.com/2017-08-10/scm-vulns),
we decided to bump the versions of the VCS tools shipped together with RhodeCode. Use of the SSH:// protocol internally is not allowed by RhodeCode;
however, there are a few attack vectors that people pointed out, mostly in subrepo support. This is why we released version 4.9.0, which
upgrades Git to 2.9.5, Mercurial to 4.2.3, and Subversion to 1.9.7.

We strongly recommend that our users upgrade to this version as soon as possible. Because of the short release cycle and the need to bump Mercurial to the next minor version,
we also recommend checking for any problems that appear while upgrading to the newer Mercurial version.
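As an added example (not part of the original announcement or of RhodeCode's own code), a small Python check an administrator could run after upgrading to confirm that the Git, Mercurial and Subversion binaries report at least the versions listed above. It assumes the tools are reachable as git, hg and svn and that they print the standard upstream --version formats; the sample outputs in the block are constructed.

```python
import re
import subprocess

# Versions RhodeCode 4.9.0 ships, per the announcement above.
FIXED_VERSIONS = {"git": (2, 9, 5), "hg": (4, 2, 3), "svn": (1, 9, 7)}

# First-line formats of `<tool> --version` (assumed upstream formats; distro builds may differ).
VERSION_PATTERNS = {
    "git": re.compile(r"git version (\d+(?:\.\d+)+)"),
    "hg": re.compile(r"Mercurial Distributed SCM \(version (\d+(?:\.\d+)+)\)"),
    "svn": re.compile(r"svn, version (\d+(?:\.\d+)+)"),
}

# Constructed sample output, not captured from a real host.
SAMPLE_OUTPUTS = {
    "git": "git version 2.9.5\n",
    "hg": "Mercurial Distributed SCM (version 4.2.3)\n(see https://mercurial-scm.org for more information)\n",
    "svn": "svn, version 1.9.7 (sample build)\n   compiled on x86_64-pc-linux-gnu\n",
}


def parse_version(tool, output):
    """Return the version as an int tuple, or None if the output is not recognised."""
    match = VERSION_PATTERNS[tool].search(output)
    return tuple(int(p) for p in match.group(1).split(".")) if match else None


def is_fixed(tool, version):
    """True when `version` is at or above the release RhodeCode 4.9.0 ships.

    Caveat: this treats any later version as fixed. Upstream shipped the same fix
    on several maintenance branches, so a build from another branch should be
    checked against that branch's own fixed release instead.
    """
    return version >= FIXED_VERSIONS[tool]


def check_outputs(outputs):
    """Map tool -> (parsed version, fixed?) for a dict of `--version` outputs."""
    results = {}
    for tool, output in outputs.items():
        version = parse_version(tool, output)
        results[tool] = (version, version is not None and is_fixed(tool, version))
    return results


def check_installed():
    """Run the real binaries on this host; a missing tool yields (None, False)."""
    outputs = {}
    for tool in FIXED_VERSIONS:
        try:
            outputs[tool] = subprocess.run([tool, "--version"], capture_output=True,
                                           text=True, check=False).stdout
        except OSError:
            outputs[tool] = ""
    return check_outputs(outputs)
```

Running check_installed() on the host returns a per-tool result; anything reported as (None, False) is either missing from PATH or prints a format the patterns do not recognise and should be inspected by hand.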

Performance

We backported one fix from our dev branch that repairs Mercurial streaming support. Due to a bug discovered in the WebOb library, combined with the specific implementation of the Mercurial WSGI app, streaming of large Mercurial repositories could be broken.
The side effect was high CPU and memory usage. With the fix applied, cloning very large repositories should be much faster and use far fewer resources.

See the full list of changes in the release notes.

As usual, the update process is a simple one-liner; type:
rccontrol self-update && rccontrol upgrade '*'
in the command line interface. Done!

Securely yours,
The RhodeCode team.