[ANNOUNCE] Gerrit 2.14.15 (!!security fixes!!)

David Pursehouse

Oct 8, 2018, 8:12:10 PM
to repo-discuss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Gerrit version 2.14.15 is now available. This release includes security fixes for .gitmodules validation (CVE-2018-17456) and force push permissions, plus a couple of other fixes. Users of earlier Gerrit releases are recommended to upgrade. Please see the release notes for details.

Release Notes:

Documentation:

Log of changes since 2.14.14:

Download:

SHA1:
6ad046b082dbb8f4fb9e984630ca3566af2c4f30

SHA256:
aa183dd99ed866bc4eff0988b9a6b19bb13f27175786a6ab94c4d56d19305259

MD5:
ea0282ceb4a39c455d9c14dbb92fede6

Maintainers' public keys:

Luca Milanesio

Oct 9, 2018, 10:29:54 AM
to repo-discuss
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Binary packages (Deb / Rpm) of Gerrit version 2.14.15 are now available.
=======================================================================

How to install/upgrade: 2.14.15
*******************************

If you have a previous version of Gerrit 2.1x installed via native packages:

(on Debian / Ubuntu)
apt-get update && apt-get install gerrit=2.14.15-1

(on CentOS / RedHat)
yum clean all && yum install gerrit-2.14.15-1

(on Fedora)
dnf clean all && dnf install gerrit-2.14.15-1

If it is a new installation and you don't have the GerritForge/BinTray repositories
configured, please follow the instructions at:

Docker images:
**************

Gerrit is distributed on DockerHub at:

The following tags have been published
2.14.15 => 2.14.15-centos7
2.14.15-centos7
2.14.15-ubuntu16

More information on how to use Gerrit Docker image for testing, staging, and production at:

MacOS native package:
*********************

MacOS Gerrit native installer is available for download at:


SHA1:
be477297de7553e52de07e07f09d0f7cc6a75689

SHA256:
029b2a58f54ec343d1861b9bfcd59ea817435969beb0b388f570eb0a5c1e223f

David Pursehouse

Oct 10, 2018, 6:28:38 AM
to Eric Peterson, repo-discuss
On Tue, Oct 9, 2018 at 10:14 PM Eric Peterson <epet...@interactivebrokers.com> wrote:
Hi David,

Could the fingerprints and PGP signatures also be made available as files on the download site?



If you mean like the ones that are available on the maven central repository, then yes, in theory, this could be done.

It would cause some extra work though.  Those files aren't generated by the bazel-driven release build; they get created/installed/deployed by maven, so it would be necessary to copy them out of the local repository, rename them (they don't follow the same naming pattern as the file we upload to the download site) and then upload them manually.

This is something that can probably be scripted.  If anyone wants to have a go at it, the place to do it would be in the gerrit-release-tools project.

 
Thanks,
Eric

