[ANNOUNCE] Gerrit 3.2.5 w/ Security Fixes


Luca Milanesio

Nov 18, 2020, 8:55:39 PM
to Repo and Gerrit Discussion, Luca Milanesio

Gerrit version 3.2.5 is now available.

This release includes two important fixes for the security issues #13514 and #13621.
Please see the release notes for details.

Release Notes:
https://www.gerritcodereview.com/3.2.html#325

Documentation:
http://gerrit-documentation.storage.googleapis.com/Documentation/3.2.5/index.html

Log of changes since 3.2.3:
https://gerrit.googlesource.com/gerrit/+log/v3.2.3..v3.2.5?no-merges

Download:
https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.war

SHA1:
81ae4fb76a68c5b81824137c39a22dff9e0b5520

SHA256:
34f0205f556bffe9f770b7c3fe65bad4e5781c543ccc0f9d0aabb0ecf6e66dd9

MD5:
415df434beaed9d3c1240c4a7ec60508

Maintainers' public keys:
https://www.gerritcodereview.com/releases/public-keys.md


Mark Derricutt

Nov 18, 2020, 11:02:48 PM
to Repo and Gerrit Discussion, Luca Milanesio
openjdk version "1.8.0_262"
OpenJDK Runtime Environment (build 1.8.0_262-b10)
OpenJDK 64-Bit Server VM (build 25.262-b10, mixed mode)
04:00:02 gerrit@XXXXX:~ $ java -jar gerrit-3.2.5.war init -d /data/gerrit
Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.mark()Ljava/nio/ByteBuffer;
    at org.eclipse.jgit.util.RawParseUtils.decodeNoFallback(RawParseUtils.java:1140)
    at org.eclipse.jgit.util.RawParseUtils.decode(RawParseUtils.java:1106)

Should 3.2.5 still work under Java 8? I thought it was 3.3.x that was moving up?





David Ostrovsky

Nov 19, 2020, 1:48:32 AM
to Repo and Gerrit Discussion
Mark Derricutt wrote on Thursday, 19 November 2020 at 05:02:48 UTC+1:
openjdk version "1.8.0_262"
OpenJDK Runtime Environment (build 1.8.0_262-b10)
OpenJDK 64-Bit Server VM (build 25.262-b10, mixed mode)
04:00:02 gerrit@XXXXX:~ $ java -jar gerrit-3.2.5.war init -d /data/gerrit
Exception in thread "main" java.lang.NoSuchMethodError: java.nio.ByteBuffer.mark()Ljava/nio/ByteBuffer;
    at org.eclipse.jgit.util.RawParseUtils.decodeNoFallback(RawParseUtils.java:1140)
    at org.eclipse.jgit.util.RawParseUtils.decode(RawParseUtils.java:1106)

Should 3.2.5 still work under Java 8? I thought it was 3.3.x that was moving up?

Right. I filed this issue: [1]. Until it is fixed, you would have to build
the release yourself, or switch to using Java 11.

variainfantry155

Nov 19, 2020, 2:43:48 AM
to David Ostrovsky, Repo and Gerrit Discussion




Sent from a vivo smartphone

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/54c50efe-78b1-43bb-9909-08cfb9eb5f91n%40googlegroups.com.

szjo...@gmail.com

Nov 19, 2020, 3:44:38 AM
to Repo and Gerrit Discussion
After upgrading to 3.2.5, Gerrit does not handle the canonicalWebUrl well.
With the following configuration:
[gerrit]
     canonicalWebUrl = https://<some-url>/
[httpd]
     listenUrl = proxy-https://127.0.0.1:8081/

And behind an HTTPS-terminating Apache reverse proxy, any internal redirects now go to:
https://<some-url>:80/
resulting in errors like this in Firefox: Error code: SSL_ERROR_RX_RECORD_TOO_LONG

This reverse proxy configuration worked well for years.
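
A check for the symptom reported above, added here as an example and not code from the thread or the Gerrit project: it compares the Location header of a redirect with the origin given by canonicalWebUrl and reports a scheme, host or port mismatch such as https on port 80. The host gerrit.example.com, the function names and the sample responses are constructed; in practice the header block would come from a capture such as `curl -sI` against the proxy.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, effective port) for an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def location_of(raw_headers):
    """Extract the Location value from a raw response header block, or None."""
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return value.strip()
    return None


def check_redirect(canonical_web_url, request_url, raw_headers):
    """List the ways a redirect leaves the origin given by canonicalWebUrl."""
    location = location_of(raw_headers)
    if location is None:
        return []
    target = urljoin(request_url, location)  # resolve relative redirects
    want, got = origin(canonical_web_url), origin(target)
    problems = []
    for label, w, g in zip(("scheme", "host", "port"), want, got):
        if w != g:
            problems.append(f"{label}: expected {w}, got {g} ({target})")
    return problems


# Constructed sample: the reported symptom, with a placeholder host name.
CANONICAL = "https://gerrit.example.com/"
BAD = "HTTP/1.1 302 Found\r\nLocation: https://gerrit.example.com:80/login/\r\n\r\n"
GOOD = "HTTP/1.1 302 Found\r\nLocation: /login/\r\n\r\n"

if __name__ == "__main__":
    for name, raw in (("bad", BAD), ("good", GOOD)):
        print(name, check_redirect(CANONICAL, CANONICAL, raw))
```

A redirect to an https URL on port 80 sends the browser's TLS handshake to a plaintext listener, which is what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG.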

Luca Milanesio

Nov 19, 2020, 3:51:59 AM
to szjo...@gmail.com, Luca Milanesio, Repo and Gerrit Discussion

On 19 Nov 2020, at 08:44, szjo...@gmail.com <szjo...@gmail.com> wrote:

After upgrading to 3.2.5, Gerrit does not handle the canonicalWebUrl well.
With the following configuration:
[gerrit]
     canonicalWebUrl = https://<some-url>/
[httpd]
     listenUrl = proxy-https://127.0.0.1:8081/

And behind an HTTPS-terminating Apache reverse proxy, any internal redirects now go to:
https://<some-url>:80/
resulting in errors like this in Firefox: Error code: SSL_ERROR_RX_RECORD_TOO_LONG

This reverse proxy configuration worked well for years.

I just tested now and it works for me.

You can try that as well:
docker run -ti -p 8081:8080 -e CANONICAL_WEB_URL=http://localhost:8081/ gerritcodereview/gerrit:3.2.5

Then you go to http://localhost:8081/ and redirection works.

Can you file an issue with the exact steps to reproduce the problem?
Thanks for your feedback.

Luca.


Luca Milanesio

Nov 19, 2020, 3:53:32 AM
to Repo and Gerrit Discussion, Luca Milanesio, David Ostrovsky
I am re-releasing it now as v3.2.5.1, apologies for the inconvenience.

I believe we need to improve the release process for testing on both Java 8 and Java 11 before releasing.
(Code-level tests are done on Java 8, but post-release tests were on Java 11 only)

Luca.




szjo...@gmail.com

Nov 19, 2020, 4:00:55 AM
to Repo and Gerrit Discussion
I don't have it under docker. It is a native install on Debian buster. I reverted it to 3.2.3 and it is working fine. I will test again with 3.2.5.1 when it is available.

Mark Derricutt

Nov 19, 2020, 4:05:37 AM
to Repo and Gerrit Discussion, Luca Milanesio, David Ostrovsky

Cheers Luca!

+2 LGTM.





luca.mi...@gmail.com

Nov 19, 2020, 4:33:28 AM
to szjo...@gmail.com, Repo and Gerrit Discussion


Sent from my iPhone

On 19 Nov 2020, at 09:01, szjo...@gmail.com <szjo...@gmail.com> wrote:

I don't have it under docker. It is a native install on Debian buster.

Can you file an issue with the steps to reproduce it?

Thanks.

Luca

szjo...@gmail.com

Nov 19, 2020, 4:47:24 AM
to Repo and Gerrit Discussion

mark....@diamond.ac.uk

Nov 19, 2020, 9:34:53 AM
to Repo and Gerrit Discussion
On Thursday, 19 November 2020 at 08:53:32 UTC lucamilanesio wrote:
I am re-releasing it now as v3.2.5.1, apologies for the inconvenience.

Thanks Luca,

Is the process of re-releasing this still in progress? If it is, will there be another announcement for v3.2.5.1, or should we monitor here?

I'm assuming the release is still in progress as the war file I just downloaded from https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.war still has this problem, and speculatively trying https://gerrit-releases.storage.googleapis.com/gerrit-3.2.5.1.war just resulted in a 404 error from wget.

I was hoping the artefacts at https://gerrit-ci.gerritforge.com/view/Gerrit/job/Gerrit-bazel-stable-3.2/ might help, but the last build there seems to be from the 5th November.

I believe we need to improve the release process for testing on both Java 8 and Java 11 before releasing.
(Code-level tests are done on Java 8, but post-release tests were on Java 11 only)

I guess this will start to resolve itself after 3.3 is released and only legacy builds have to contend with Java 8 installations.

Thanks for everyone being on top of this,


Mark..........

Tech Advantage

Nov 19, 2020, 1:32:31 PM
to Repo and Gerrit Discussion
The link to 3.2.5.1.war is now OK.

Mark Derricutt

Nov 19, 2020, 4:13:15 PM
to Repo and Gerrit Discussion

+2 Cheers to all for the quick response :)





Luca Milanesio

Nov 19, 2020, 4:14:28 PM
to Mark Derricutt, Luca Milanesio, Repo and Gerrit Discussion

On 19 Nov 2020, at 21:13, Mark Derricutt <ma...@talios.com> wrote:

+2 Cheers to all for the quick response :)



I am just waiting for the release notes to be reviewed, merged and published … and I’ll send the new announcement.

Luca.



