Gitblit

Current Release (1.10.0) this is the current stable release

2025-06-14

Highlights:

* Support for ECDSA and Ed25519 SSH keys
* Fix vulnerability that allowed SSH authentication to be circumvented
* Explicitly disable requesting optional client TLS certificates
* Copy-to-clipboard button is back and working
* Minimal required Java version is Java 8

While old DSA SSH host keys can still be used, a new Gitblit installation will no longer
generate a DSA host key. The default set of host keys is now RSA, ECDSA and Ed25519.

Snapshot builds of the current master branch are now available as Docker containers on
Docker Hub under the "Nightly" tag.

Note

This release fixes a vulnerability allowing an attacker to circumvent authentication on the SSH transport. Users are urged to update to this version.

Should you have disabled the Flash-based copy-to-clipboard function because it wasn't working anymore (`web.allowFlashCopyToClipboard = false`), you may want to rethink this and enable it again. The configuration property has the same name, but the mechanism was exchanged. Flash is gone, and a modern JavaScript solution is now used to copy text directly to the clipboard (via clipboard.js).

The setting `server.requireClientCertificates` now has three values: `required`, `optional` and `none`. While `required` is synonymous to the old `true` value, and `optional` is synonymous to the old `false` value, the new `none` value results in the server never asking the client to present any client certificate at all. The old values `true` and `false` can still be used and keep their meaning.

From 1.10.0 on Gitblit requires Java 8 as minimal Java version.

security

Fix path traversal vulnerability which allowed access to "/resources//../WEB-INF/". (CVE-2022-31268) This was fixed by updating Jetty. (issue 1409)
Fix exploit circumventing SSH authentication. Many thanks to András Veres-Szentkirályi (silentsignal.eu) for the report. (CVE-2024-28080)
Fix vulnerability exposing user password hashes to administrators when an administrator edits a user's properties. Many thanks to Gerhard Klostermeier (syss.de) for the report.

fixes

Fix crash in Gitblit Authority when users were deleted from Gitblit but still had entries (certificates) in the Authority. (issue 1359, pull request #1435)
Fix tab-to-space conversion to work like tabs. (pull request #1065 by @QuentinC)
Fix user effective permission display when user is in multiple groups with different permissions. (pull request #1100 by @felazuris)
Fix issue in pt under Python 3. (pull request #1428 by @urkle)
Fix null pointer exception which could occur during debug logging. (pull request #1433)
Fix Bugtraq to fallback to UTF-8 if the commit encoding is unsupported.
Fix errors in Bugtraq preventing display of commit completely.
Fix misaligned images in primary repository URL display. (issue 1437)
Fix incorrect text being copied by copy button on tickets page
Fix broken language files.
Fix problems with single quotes in message texts. (pull request #1455 by @losiki)

changes

Minimum Java required increased to Java 8. (pull request #1218 by @paladox)
Added feedback on invalid keys to SSH key form. (issue 984, pull request #1239 by @martinspielmann)
Replaced old Flash-based Clippy copy-paste buttons to copy repository URLs and other text to the clipboard with a modern JavaScript-based approach via clipboard.js. (issue 1241, issue 965, pull request #1438 by @flaix)
Updated various dependencies that had known CVEs.
Updated Git clients list on empty repository page.
Improved Chinese translation of "fork".
Switched logging library from Log4j1 to reload4j.
Updating the BouncyCastle version required to switch from bc*-jdk15on to bc*-jdk18on

additions

Option to explicitly disable optional client TLS certificates. (issue 1137, pull request #1138 by @oddeirik)
Support for ECDSA and Ed25519 (EdDSA) user keys. (pull request #1427, pull request #1272)
New ECDSA and EdDSA host key types. (issue 1354, pull request #1429 by @flaix)
French version of empty repository page. (by @piradix)
Add support for Jenkins access token. Use setting `groovy.jenkinsToken`. (issue 1423, pull request #1425 by @TDesjardins)

new settings

server.requireClientCertificates

optional

dependency changes

update to JavaMail 1.5.6 (pull request #1217 by @paladox)
update to Google Guice 5.1.0
update to Google Guava 32.1.3-jre
update to Google Gson 2.10
update to Apache commons-io 2.19
update to Apache commons-codec 1.9
update to Apache commons-compress 1.27.1
update to Apache Tika 1.28.5
update to libpam4j 1.11
update to MINA SSHD 1.7.0
update to MINA Core 2.0.27
update to BouncyCastle 1.81
update to Jetty 9.4.57.v20241219 (pull request #1213 by @paladox, plus more)
update to JGit 4.11.9.201909030838-r (pull request #1252 by @jvanhercke, plus more)
update to Bugtraq v0.4
update to JSoup 1.16.2
update to Groovy 2.4.21
update to Ivy 2.5.3
update to slf4j 1.7.36
replace log4j1 with reload4j
added clipboard.js, replacing Clippy
update to JUnit 4.13.1

contributors

@felazuris
@paladox
@piradix
@QuentinC
@xxcdd
@xxl-cc
András Veres-Szentkirályi
Edward Rudd
Egor Shchegolkov
Florian Zschocke
Gerhard Klostermeier
Jan Vanhercke
Martin Spielmann
Odd Eirik Nes
Tino Desjardins