RhodeCode Enterprise 4.9.1 Release Notes¶

Release Date¶

security(critical): repo-forks: fix issue when forging fork_repo_id parameter could allow reading other people forks.
security(high): auth: don’t expose full set of permissions into channelstream payload. Forged requests could return list of private repositories in the system.
security(medium): general-security: limit the maximum password input length to 72 characters.
security(medium): select2: always escape .text attributes to prevent XSS via branches or tags names.

user-groups: fix potential problem with ldap group sync in external auth plugins.

This release changes the maximum allowed input password to 72 characters. This prevent resource consumption attack. If you need longer password than 72 characters please contact our team.