From b4a63aad7f56486c164a15ae2477bcd251b0bb1b Mon Sep 17 00:00:00 2001
From: James Moger <james.moger@gitblit.com>
Date: Tue, 18 Mar 2014 21:10:48 -0400
Subject: [PATCH] Fix authentication security hole with external providers

---
 releases.moxie |   43 +++++++++++++++++++++++++++++++++++++------
 1 files changed, 37 insertions(+), 6 deletions(-)

diff --git a/releases.moxie b/releases.moxie
index 7c24524..462a3b9 100644
--- a/releases.moxie
+++ b/releases.moxie
@@ -1,16 +1,47 @@
 #
 # ${project.version} release
 #
-r20: {
+r21: {
     title: ${project.name} ${project.version} released
     id: ${project.version}
     date: ${project.buildDate}
+    note: ~
+    html: ~
+    text: ~
+    security: ~
+    fixes:
+    - Disable Ticket review functions in read-only repositories (mirror, frozen, etc)
+    - Fix incorrect git fetch instructions in Ticket email notifications
+    - Fix Ticket email notification recipients to include repository owners
+    - Fix Ticket propose instructions to branch from origin/{integrationBranch}
+    changes: ~
+    additions: ~
+    dependencyChanges: ~
+    contributors:
+    - James Moger
+    - David Ostrovsky
+    - Liyu Wang
+}
+
+#
+# 1.4.0 release
+#
+r20: {
+    title: Gitblit 1.4.0 released
+    id: 1.4.0
+    date: 2014-03-09
     note: "The default access restriction has been elevated from NONE to PUSH and anonymous push access has been disabled by default."
     html: ~
     text: ''
-          This is a major release.
+          This is a MAJOR release.
           
-          The entire core has been refactored to be more modular.  Authentication providers have all been refactored to be simpler.  Both of these were precursor requirements for future planned improvements.  Markup rendering has been improved and expanded to several additional formats.  A repository mirroring service  has been added.  Commit pages now indicate diffstat information. And many bug fixes and smaller features have been introduced.''
+          The entire core has been refactored to be more modular.  Authentication providers have all been refactored to be simpler.  Both of these were precursor requirements for landing the Tickets feature -- issue tracker & branch-based pull requests.
+          
+          Markup rendering has been improved and expanded to several additional formats.  A repository mirroring service  has been added to allow you to automatically track public repositories.  Commit pages now indicate diffstat information and many bug fixes and smaller features have been introduced.
+          
+          The groundwork has also been laid for SSH support which will be in the focal point for the next major release (ticket-6).
+          
+          Due to the enormity of these changes, please make a backup copy of users.conf before updating.''
     security:
 	- issue-361: Cookies were not reset on administrative password change of a user account. This allowed accounts with changed passwords to continue authenticating. Cookies are now reset on password changes, they are validated on each page request, AND they will now expire 7 days after generation.
     fixes:
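Review bot: The new `r21` entry sets `security: ~`, and none of its four `fixes:` items mentions authentication, although the commit subject announces a fix for an authentication security hole with external providers. Operators who read the release notes to decide how urgently to upgrade would find no security-relevant change recorded for this release. I would replace the null with an entry in the form the 1.4.0 block already uses, i.e. `security:` followed by `- <issue-id>: <what external-provider authentication allowed, and what the fix now enforces>`, with the real issue id and wording taken from the fix itself. The diffstat lists only releases.moxie, so the code change is presumably in a separate commit; naming that commit in the description would make the record traceable.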
@@ -1137,6 +1168,6 @@
 	- James Moger
 }
 
-snapshot: &r20
-release: &r19
-releases: &r[1..19]
+snapshot: &r21
+release: &r20
+releases: &r[1..20]

--
Gitblit v1.9.1