[ANNOUNCE] Gerrit 3.9.1 w/ Security Fixes

Luca Milanesio

Dec 1, 2023, 5:16:18 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Gerrit version 3.9.1 is now available.

Includes security fixes for a well-known DoS on Jetty with HTTP/2
(see CVE-2023-36478 and CVE-2023-44487).
Please see the release notes for details.

The release of Gerrit v3.9.0 has been declared defective and
withdrawn. The bad merge of Change 394445 impacted it due to the
“implicit merge on moved changes issue” that has pulled 64 unwanted
commits from the master branch. See more details at:
https://www.gerritcodereview.com/3.9.html#upgrade-from-gerrit-v390-defective-release

Please note that Gerrit v3.6.x is now EOL, see more details at:
https://www.gerritcodereview.com/support.html#supported-versions

Release Notes:
https://www.gerritcodereview.com/3.9.html

Documentation:
http://gerrit-documentation.storage.googleapis.com/Documentation/3.9.1/index.html

Download:
https://gerrit-releases.storage.googleapis.com/gerrit-3.9.1.war

SHA1:
291dd300983aef0374f769672dc2dd1a1f021a94

SHA256:
5908f393290ab6b5df90d49670cf465b2f0b3ccc3126949b9d68e99ac94fd070

MD5:
5aab7a35959c4fb363c6cb3bd132eaed

Maintainers' public keys:
https://www.gerritcodereview.com/releases/public-keys.md

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Luca Milanesio

Dec 1, 2023, 5:57:32 PM
to Repo and Gerrit Discussion, Luca Milanesio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Binary packages (Deb / Rpm) of Gerrit version 3.9.1 have been released
=========================================================================

How to install/upgrade: 3.9.1
*****************************

If you have a previous version of Gerrit 3.x installed via native packages:

(on Debian / Ubuntu)
apt-get update && apt-get install gerrit=3.9.1-1

(on AlmaLinux / RedHat)
yum clean all && yum install gerrit-3.9.1-1

(on Fedora)
dnf clean all && dnf install gerrit-3.9.1-1

If it is a new installation and you don't have the GerritForge repositories
configured, or if you are upgrading to ARM-64, please follow the instructions at:
https://gitenterprise.me/2022/11/23/arm-64-welcomes-gerrit-code-review/

Docker images
*************

Gerrit is distributed on DockerHub at:
https://hub.docker.com/r/gerritcodereview/gerrit/

The following tags have been published for amd64 and arm64:
latest => 3.9.1
3.9.1 => 3.9.1-almalinux9
3.9.1-almalinux9
3.9.1-ubuntu22

More information on how to use Gerrit Docker image for testing, staging, and production at:
https://gerrit.googlesource.com/docker-gerrit

MacOS native package
********************

MacOS Gerrit native installer is available for download at:

https://gerritforge.com/gerrit/mac/gerrit-installer-3.9.1.pkg

SHA1:
c8d16491eb7338282b5cc13d3eb45c4e42ebe4b3

SHA256:
09a682189edcf824a495eec33baf4d3b986d7dc320b40c98eba08f7998534c8d

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
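
Both messages above publish a SHA256 digest on the line after a `SHA256:` label. The shell script below is an added example, not part of the original announcement or of the Gerrit project: it reads that digest from a saved copy of a message and compares it with a downloaded file. The function names and the file names in the usage line are assumptions, and the digest is only as trustworthy as the message it came from, so check the PGP signature on the saved message against the maintainers' public keys first.

```shell
#!/bin/sh
# Added example (not from the announcement): compare a downloaded artifact
# with the SHA256 value published in a saved copy of the release message.

# Print the digest found on the line after the first "SHA256:" label.
extract_sha256() {
    awk '
        found { gsub(/[[:space:]]/, ""); print tolower($0); exit }
        /^SHA256:[[:space:]]*$/ { found = 1 }
    ' "$1"
}

# Print the SHA-256 of a file using whichever standard tool is installed.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# Return 0 on match, 1 on mismatch, 2 when the inputs are unusable.
verify_artifact() {
    artifact=$1
    announcement=$2
    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
    [ -f "$announcement" ] || { echo "missing message: $announcement" >&2; return 2; }
    expected=$(extract_sha256 "$announcement")
    # Accept only a full 64-character hex digest; a truncated or garbled
    # value must never be treated as a match.
    case $expected in
        ''|*[!0-9a-f]*) echo "no usable SHA256 in $announcement" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "SHA256 has wrong length" >&2; return 2; }
    actual=$(file_sha256 "$artifact")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $artifact matches published SHA256"
        return 0
    fi
    echo "MISMATCH: $artifact is $actual, expected $expected" >&2
    return 1
}

# Hypothetical usage: sh verify.sh gerrit-3.9.1.war announcement.txt
if [ "$#" -eq 2 ]; then
    verify_artifact "$1" "$2"
fi
```

The script reads only the SHA256 value and ignores the SHA1 and MD5 lines, since neither of those algorithms is collision-resistant.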