[ANNOUNCE] Gerrit 3.9.0 w/ Security Fixes


Luca Milanesio

Nov 24, 2023, 9:15:42 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Gerrit version 3.9.0 is now available.

Includes security fixes for a well-known DoS on Jetty with HTTP/2
(see CVE-2023-36478 and CVE-2023-44487).
Please see the release notes for details.

Please note that Gerrit v3.6.x is now EOL, see more details at:
https://www.gerritcodereview.com/support.html#supported-versions

Release Notes:
https://www.gerritcodereview.com/3.9.html#390

Documentation:
http://gerrit-documentation.storage.googleapis.com/Documentation/3.9.0/index.html

Download:
https://gerrit-releases.storage.googleapis.com/gerrit-3.9.0.war

SHA1:
01658add4925b00c4345b14efa346352918fee81

SHA256:
d6372b8dd374e0896934497bc59366c7d8e1777ef32c76c483f2051cefe0cebc

MD5:
caf1e76ee4554a8ad56f89a2e6bb1320

Maintainers' public keys:
https://www.gerritcodereview.com/releases/public-keys.md

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEmCU49QQ43XtIE8giC0731aK2mH4FAmVhWIEACgkQC0731aK2
mH6vbw/7BKmpGyit/QJ1iJv0ONbvPe4uY4MUbOIpAqvgHc1RTdLOW65EsYEH6rLQ
nj/5ksEonme6Q8HWWJvUR/oMGgIO3oqwx4bPaMOy2KoKtjfEaqD+DHlp4ywr5Mqr
in5d+rRvZlPVl/PGCipDgNPV3K5uKAzN1cU5VJ02YgV0v2o/9ZFDyk609hY7ZIGc
W2oqyKxLI+B3AuSgSmm0qEeilkD2xFR91uBEcYendJawx+U4xZAGmlntwk1mYNaC
3wH5Kn7Hba5zsm1WXo/feb6WRJWXxpqmzakAEYQ2wisiPhRffpVuK1/RUaUdMItj
Hu3g4hAoj5XINjagB9uYjjjWZDMnqbbPnGtC25b100KFOioF5MiexrHUN1f8z1P1
ZEV/9lX1ci7hGxG3GJqLhcjICFBZytegNkEZvbqOqCIn2hVKYUYDA8JTSgDbQ7e9
g8Qv8iuovyZ0I1bSo3Ac+0ZbL+JQftcOyzB8dTRfhdiUkfwxupntZp+7UhoaTmD6
rXj1hgL3sCHCJdoPR3MCaOGitMsxvX768gate/afkZGRvRUwLrMPWWXG18wF0tKt
YAqQBIn96a9UmihLNjxq9YvPxfzybSbpIYZT6LYdAxOMsD/rbExIE222kz78rmAy
YiXHekt//4pZeDxKBbwooOEfo2N68dkEpByNmRGOiDvaeLG2jlo=
=6edZ
-----END PGP SIGNATURE-----
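The announcement above publishes a SHA-256 for the WAR and is itself PGP-signed with one of the maintainers' keys, so an operator has two checks to run before deploying: that the downloaded artifact matches the published digest, and that the announcement carrying that digest is authentic. The script below is an added example, not part of the announcement or of the Gerrit project; the file names, the `self_check` helper and the constructed sample file are assumptions. It exercises the digest comparison offline against a file with a known SHA-256, and shows where the real WAR and the published value would go.

```shell
#!/bin/sh
# Added example (not from the announcement): verify a downloaded Gerrit
# release artifact against the SHA-256 published in the signed announcement,
# and verify the announcement's PGP signature with the maintainers' keys.
# File names and the sample content below are assumptions for illustration.

# Compute the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare a file's SHA-256 with the expected value (case-insensitive).
# Returns 0 on match and 1 on mismatch, so it can gate an install step.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Verify the clearsigned announcement text saved to a file. Requires gpg and
# the maintainers' public keys (linked in the announcement) already imported
# into the local keyring; not exercised by the offline self-check below.
verify_announcement() {
    gpg --verify "$1"
}

# Offline self-check: a constructed file whose SHA-256 is known in advance,
# so the comparison logic runs without downloading anything.
self_check() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    known=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
    if verify_sha256 "$tmp" "$known"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Typical use with the release WAR and the value from the announcement:
#   verify_sha256 gerrit-3.9.0.war d6372b8dd374e0896934497bc59366c7d8e1777ef32c76c483f2051cefe0cebc
#   verify_announcement gerrit-3.9.0-announce.asc
```

The digest check on its own only proves the file matches what the announcement says; the signature check on the announcement is what ties that digest to a maintainer key rather than to whoever controlled the page you read it on. A mismatch from `verify_sha256` should stop the upgrade, not be worked around.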

Luca Milanesio

Nov 24, 2023, 9:27:52 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Binary packages (Deb / Rpm) of Gerrit version 3.9.0 have been released
=========================================================================

How to install/upgrade: 3.9.0
*****************************

If you have a previous version of Gerrit 3.x installed via native packages:

(on Debian / Ubuntu)
apt-get update && apt-get install gerrit=3.9.0-1

(on AlmaLinux / RedHat)
yum clean all && yum install gerrit-3.9.0-1

(on Fedora)
dnf clean all && dnf install gerrit-3.9.0-1

If it is a new installation and you don't have the GerritForge repositories
configured, or if you are upgrading to ARM-64, please follow the instructions at:
https://gitenterprise.me/2022/11/23/arm-64-welcomes-gerrit-code-review/

Docker images
*************

Gerrit is distributed on DockerHub at:
https://hub.docker.com/r/gerritcodereview/gerrit/

The following tags have been published for amd64 and arm64:
latest => 3.9.0
3.9.0 => 3.9.0-almalinux9
3.9.0-almalinux9
3.9.0-ubuntu22

More information on how to use Gerrit Docker image for testing, staging, and production at:
https://gerrit.googlesource.com/docker-gerrit

MacOS native package
********************

MacOS Gerrit native installer is available for download at:

https://gerritforge.com/gerrit/mac/gerrit-installer-3.9.0.pkg

SHA1:
b6c8324a5ce637778d83cd76ee94d415ff726fed

SHA256:
0467556ce7b6bbf073ecf2dc10c17b7ba2e7c982f783e70ce22b639703cbcebd

-----BEGIN PGP SIGNATURE-----
=JeTQ
-----END PGP SIGNATURE-----

lucamilanesio

Nov 27, 2023, 5:06:49 PM
to Repo and Gerrit Discussion
*DO NOT UPGRADE YET* to Gerrit v3.9.0; we have found an issue with the merge of Change 394445 [1].
*IF YOU HAVE UPGRADED ALREADY* to Gerrit v3.9.0, please join our discussion at [2] or follow up on this thread.

Q: What happened?
A: The change was included the *day before* the release because it was simply adding JavaDoc to existing files. However, it caused the merge of master into stable-3.9, adding a series of *unwanted* changes, including the bump to Lucene v9.

Q: How are we planning to rectify the situation?
A: We are currently discussing the options on Discord [2]; you can either join the discussion or wait for more instructions.

Q: If you have upgraded already, do you have to downgrade?
A: No, we are setting up an organised action plan for your next steps.

Apologies for the inconvenience.
Luca.

Sven Selberg

Nov 28, 2023, 4:03:31 AM
to Repo and Gerrit Discussion
On Monday, November 27, 2023 at 11:06:49 PM UTC+1 lucamilanesio wrote:
*DO NOT UPGRADE YET* to Gerrit v3.9.0; we have found an issue with the merge of Change 394445 [1].
*IF YOU HAVE UPGRADED ALREADY* to Gerrit v3.9.0, please join our discussion at [2] or follow up on this thread.

Q: What happened?
A: The change was included the *day before* the release because it was simply adding JavaDoc to existing files. However, it caused the merge of master into stable-3.9, adding a series of *unwanted* changes, including the bump to Lucene v9.

David Ostrovsky

Nov 28, 2023, 2:45:57 PM
to Repo and Gerrit Discussion
lucamilanesio wrote on Monday, 27 November 2023 at 23:06:49 UTC+1:
*DO NOT UPGRADE YET* to Gerrit v3.9.0; we have found an issue with the merge of Change 394445 [1].
*IF YOU HAVE UPGRADED ALREADY* to Gerrit v3.9.0, please join our discussion at [2] or follow up on this thread.

Q: What happened?
A: The change was included the *day before* the release because it was simply adding JavaDoc to existing files. However, it caused the merge of master into stable-3.9, adding a series of *unwanted* changes, including the bump to Lucene v9.

Q: How are we planning to rectify the situation?
A: We are currently discussing the options on Discord [2]; you can either join the discussion or wait for more instructions.

We had a similar situation a couple of times already.

What we have done earlier is to force-push to restore
the original commit. To be able to do that, we temporarily
enabled the force-push ACL, e.g. [1], performed the force-push operation,
and then reverted the ACL again, e.g. [2].

lucamilanesio

Nov 28, 2023, 5:09:32 PM
to Repo and Gerrit Discussion
On Tuesday, November 28, 2023 at 7:45:57 PM UTC David Ostrovsky wrote:
lucamilanesio wrote on Monday, 27 November 2023 at 23:06:49 UTC+1:
*DO NOT UPGRADE YET* to Gerrit v3.9.0; we have found an issue with the merge of Change 394445 [1].
*IF YOU HAVE UPGRADED ALREADY* to Gerrit v3.9.0, please join our discussion at [2] or follow up on this thread.

Q: What happened?
A: The change was included the *day before* the release because it was simply adding JavaDoc to existing files. However, it caused the merge of master into stable-3.9, adding a series of *unwanted* changes, including the bump to Lucene v9.

Q: How are we planning to rectify the situation?
A: We are currently discussing the options on Discord [2]; you can either join the discussion or wait for more instructions.

We had a similar situation a couple of times already.

What we have done earlier is to force-push to restore
the original commit. To be able to do that, we temporarily
enabled the force-push ACL, e.g. [1], performed the force-push operation,
and then reverted the ACL again, e.g. [2].



Q: If you have upgraded already, do you have to downgrade?
A: No, we are setting up an organised action plan for your next steps.

Gerrit v3.9.0 is now declared a *DEFECTIVE RELEASE* and withdrawn.
The release plan is amended [3] and a new RC6 is now available [4].

If you have already upgraded to Gerrit v3.9.0, you can get more information on the next upgrade steps at [5].

Should you have any further questions, please answer on this discussion thread.
Apologies again for the inconvenience and thanks for your help in getting this problem sorted and the release back on track.

Luca.
