Posted on 2024-07-08 by Thomas Zerr
Dear SCM-Manager Community,
today we released the new version of the SCM-Manager 3.3.0. This release focuses primarily on an important vulnerability bugfix, that prevents users from escalating their privileges in a namespace of repositories. Additionally, some new features and…
Posted in scm-manager, release, security
Posted on 2022-02-02 by Eduard Heimbuch
Hey SCM-Manager Community,
Maybe you have heard about a new vulnerability regarding Expat which is likely as dangerous as Log4Shell.
The SCM-Manager is only affected if you have the PlantUML-Plugin installed. We highly recommend uninstalling this plugin until we can provide a fixed version. If your SCM-Manager is running inside the Cloudogu Ecosystem you also need to take down the PlantUML Dogu…
Posted in scm-manager, security
Posted on 2022-01-24 by Eduard Heimbuch
Hey SCM-Manager Community,
you may have read our last blog post warning you about a Path Traversal vulnerability in SCM-Manager. If you haven't already, please update your instance to the latest SCM-Manager version as soon as possible to fix this issue.
We have already…
Posted in scm-manager, release, security
Posted on 2022-01-17 by René Pfeuffer
Hey SCM-Manager Community,
thanks to an attentive user, we got notice of a path traversal vulnerability in SCM-Manager. Affected are all versions from 2.0.0 up to 2.29.0.
We released a hotfix 2.29.1.
Update now!
Your SCM-Manager Team
Posted in scm-manager, release, security
Posted on 2021-12-13 by René Pfeuffer
Hey SCM-Manager Community,
We're sure you've heard about the vulnerability in log4j called Log4Shell. As far as we can say, SCM-Manager is not affected by this, because log4j is not used in SCM-Manager (for logging, we use Logback).
However, if you have installed plugins from external sources, you can check whether log4j is used somewhere by running this little script using the script plugin…
Posted in scm-manager, security, release
Posted on 2014-12-23 by Sebastian Sdorra
CVE-2014-9390 affects git systems on case-insensitive filesystems, such as Windows and Mac OS. For more informations of CVE-2014-9390 please have a look at the git mailing list.
There are only two parts of SCM-Manager which are affected by CVE-2014-9390, the new import…
Posted in scm-manager, security
Posted on 2014-10-18 by Sebastian Sdorra
If you are using scm-server with a configured https connector, please be sure that you exclude the SSLv3 protocol to avoid the POODLE vulnerability.
Add the following xml elements to your https connector in your server-config.xml:
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv2Hello</Item>
<Item>SSLv3</Item>
</Array>
</Set>
</New>
</Arg>The complete connector section should now be…
Posted in scm-manager, security