Gitblit v1.9.1 Release Notes

Release Date: 2020-04-05
  • Update Note

    When you have Gitblit installed as a service under Linux or Windows, you may need to edit your service script/definition. The command line that starts Gitblit has changed: the classpath and class are now specified.

    See notes for release 1.9.0.

          There is a severe bug in version 1.9.0, which can lock users out from their accounts.
          When updating from a previous version to 1.9.0, existing stored passwords are rehashed
          with a more secure password hash mechanism when a user first logs in after the update.
          This happens when the password hashing mechanism was left at default and not specifically
          set in the configuration. An error in the implementation will destroy the stored password
          instead and the user can no longer log in.
          Only certain circumstances will lead to this wrong behaviour. It will most likely
          affect users of the Gitblit Docker container. If you did not encounter any problems,
          update to 1.9.1 to be on the safe side. If you were hit by this bug, we are deeply sorry.
          There is no way to fix the affected accounts other than to set a new password.
          This is fixed in 1.9.1. Updates of existing installations should be made to 1.9.1, not 1.9.0.

    Fixes

    • Fixed broken password hash upgrade destroying existing stored passwords on update.
    • Fixed Linux service scripts to use the -cp parameter instead of -jar.

    Full release notes on

Previous changes from v1.9.0

  • Update Note

    Gitblit uses Servlet 3.0 and thus drops support for Tomcat 6. Run on Tomcat 6 at your own risk.

    With the update to Lucene 5.5.2, reindexing of the tickets is necessary. This is done automatically during the first server start after an upgrade. Depending on the number of tickets you have, this could take a little while. The old index is kept, so that a downgrade is still possible without losing information. The old index can be deleted when a downgrade is no longer required.

    The interface for the ITicketService changed. If you have your own derived implementation, rename start to onStart. (see commit 63dbdfd)

    To support Java 9+, Gitblit can no longer load JARs from the 'ext' folder by itself. In order to include the folder, it needs to be added to the classpath explicitly by changing the command line. Check the new start scripts to see the new required command line.

    The 1.9 minor version will be the last to support Java 7. From 1.10 on, Gitblit will require Java 8.

    When the realm.ldap.bindpattern property is set, Gitblit will only bind as the user to LDAP, not to a manager account or anonymously.

    Older password storage mechanisms are deprecated; PBKDF2 is the new default. When you switch from plaintext to a hashed scheme, or from the older hashed to the new PBKDF2 scheme, the stored password of a user will be rehashed with the more secure mechanism when the user logs in.
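The rehash-on-login upgrade described here and in the 1.9.1 note, as an added example (not Gitblit's code): a legacy record is replaced only after the old hash has verified and the new PBKDF2 record verifies with the same password. The `LEGACY:`/`PBKDF2:` record layout, the MD5 stand-in for the older scheme, the iteration count and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 10_000  # constructed value for the example, not Gitblit's setting


def _same(a: str, b: str) -> bool:
    # Constant-time comparison on bytes (works for any stored string).
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def _pbkdf2_record(password: str, salt: bytes) -> str:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "PBKDF2:" + salt.hex() + ":" + dk.hex()


def verify(stored: str, password: str) -> bool:
    """Check a password against a stored record of either (hypothetical) scheme."""
    scheme, _, rest = stored.partition(":")
    if scheme == "LEGACY":  # stand-in for an older, unsalted hash
        return _same(hashlib.md5(password.encode("utf-8")).hexdigest(), rest)
    if scheme == "PBKDF2":
        try:
            salt = bytes.fromhex(rest.partition(":")[0])
        except ValueError:
            return False  # damaged record: never treat as a match
        return _same(_pbkdf2_record(password, salt), stored)
    return False  # unknown scheme


def login(store: dict, user: str, password: str) -> bool:
    """Authenticate; upgrade a legacy record only after it has verified."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False  # a failed login must never modify the stored record
    if not stored.startswith("PBKDF2:"):
        upgraded = _pbkdf2_record(password, os.urandom(16))
        # Round-trip check: keep the old record unless the new one verifies,
        # so a faulty upgrade cannot lock the user out.
        if verify(upgraded, password):
            store[user] = upgraded
    return True
```
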

          * Collapsible and nested repository groups on the repositories page
          * Runs on Java 11
          * Retrieve SSH keys from LDAP
          * User language preference
          * Option to merge ticket branches fast-forward or with merge commit

    Security

    • Change authentication cookie to use random value instead of user information (issue #1063, PR #1116)
    • Increase cookie security (PR #1167)

    Fixes

    • Fixed wrong HTML entity (&rt;) in HTML emails (PR #1105)
    • Fixed Dutch translation (PR #1130)
    • Changed LDAP binding strategies, to correctly find team membership (issue #833, issue #920, PR #247, PR #1149)
    • Fixed disabled links in the PagerPanel to really be disabled (PR #1147)
    • Set "can admin" permission on LDAP users and teams correctly (PR #1152)
    • Fixed user mentions in tickets (issue #985)
    • Fixed JEE Servlet 3.0 definition (issue #1132, PR #1178)
    • Fixed proxy setup documentation (PR #1183)
    • Fixed bug with reverse proxy when using a non-standard HTTPS port (issue #1114, PR #1201)
    • Fixed wrapping of last column in tree page (PR #1202)
    • Fixed NPE with unsupported transport URL protocol (PR #1238)
    • Fixed unit tests by providing zipped local versions of external git repositories used for tests (issue #1275, PR #1309)
    • Fixed NPE for symbolic links to repositories (issue #837, issue #891)
    • Fixed NPE for ticket milestones without due date (PR #1278)
    • Fixed NPE with special characters in repository names (issue #999, PR #1194)
    • Fixed NPE when stopping Gitblit
    • Fixed exception due to MAC error on SSH connections (issue #1282)
    • Fixed link to LDAP sample LDIF file in documentation
    • Fixed NPE on unknown git commands. (issue #1092)
    • Fixed NPE for URLs to non-existing documents (PR #1324)

    Changes

    • Updated traditional Chinese translation (PR #1110)
    • Load commit cache in the background to improve start-up time (PR #1140)
    • Improved logging when sending emails fails, to assist in analysis (PR #1144)
    • Support customized IUserService that can access application settings (PR #1171)
    • Added feedback for invalid input on user SSH key form (PR #1239)
    • Encode email sender's name with UTF-8 (PR #1206)
    • Made Gitblit run on Java 9+ (issue #1262, issue #1294, PR #1266)
    • The JRE version is reported upon starting
    • Add the ext directory to the classpath on the command-line to start Gitblit and related programs.
    • Report back that git command clone.bundle is unsupported instead of simply failing

    Additions

    • Added option to merge a ticket branch to the integration branch fast-forward or with a merge commit (PR #1142)
    • Added SSH key manager that retrieves keys from LDAP directory (PR #1160)
    • Updated Korean translation (PR #1176)
    • The list of SSH authentication methods accepted by the server was made configurable (PR #1159)
    • User language preference setting (PR #1198)
    • Gitblit Authority sends user certificate email based on user preferred language (PR #1198)
    • List branches over RPC for a given repository (PR #1192)
    • Added Czech translation (PR #1200)
    • Added setting to set HTTP idle timeout to prevent timeouts when cloning large repositories over HTTP(S) (PR #1243)
    • Made the repository groups on the repositories page collapsible (issue #527, PR #1224)
    • Made the repository groups on the repositories page nested (issue #725, PR #1267)
    • Added PBKDF2 as password hashing algorithm. Other password storage choices are deprecated (issue #1166, PR #1172)

    Full release notes on