
centraldogma-0.84.0



@github-actions github-actions released this 19 Jun 08:53 · 09b5db8

New features

  • The web UI now supports creating and viewing Central Dogma to Central Dogma mirrors using the dogma and dogma+https schemes. Previously, CD-to-CD mirrors could only be configured via the API. The mirror form conditionally hides the remote branch field when a dogma scheme is selected, since Central Dogma has no notion of branches. Additionally, gitignore patterns are now properly applied to CD-to-CD mirrors using JGit's IgnoreNode, matching the behavior of Git mirrors. #1308

⚠️ Security advisories

  • CVE-2026-11746 (Critical, CVSS 9.4) — Hard-coded ZooKeeper replication secret ch4n63m3 with silent fallback enables cluster takeover. When operators omit the replication.secret configuration, the system silently substitutes a publicly known default, allowing an attacker to read the full replication log or impersonate a peer replica. GHSA-2j95-gqxf-v3vg
  • CVE-2026-11745 (High, CVSS 8.8) — SSH host-key verification permanently disabled in SshGitMirror. The SSH client's server-key verifier returns true unconditionally, allowing an on-path attacker to intercept mirror traffic, inject arbitrary commits, or capture SSH credentials. GHSA-vjfw-cpmh-xwv3
  • CVE-2026-11748 (Moderate, CVSS 6.9) — LDAP injection in SearchFirstActiveDirectoryRealm. The findUserDn() method performs raw substitution of usernames into LDAP filter templates without RFC 4515 metacharacter escaping, enabling authentication confusion, audit log evasion, and directory enumeration. GHSA-98q5-5qh2-7w75
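A configuration check for the first advisory, added here as an example and not part of Central Dogma. It assumes the server config is a JSON document with a `replication` object carrying `method` and `secret` keys; the key name `replication.secret` and the default value come from the advisory, the surrounding layout and the sample configs are assumptions. It flags a missing secret, the public default, and short secrets, and produces a replacement value:

```python
"""Configuration audit for the CVE-2026-11746 condition.

Added example, not Central Dogma code. It assumes the server config is a JSON
document with a "replication" object carrying "method" and "secret" keys; the
key name replication.secret and the default value are taken from the advisory,
the surrounding layout is an assumption.
"""
import json
import secrets

# The publicly known fallback named in the advisory.
DEFAULT_REPLICATION_SECRET = "ch4n63m3"
MIN_SECRET_LENGTH = 32


def audit_replication_secret(config_text: str) -> list:
    """Return findings for a server config; an empty list means no issue found.

    A server not configured for ZooKeeper replication has no peer to impersonate,
    so the secret is irrelevant there and nothing is reported.
    """
    config = json.loads(config_text)
    replication = config.get("replication") or {}
    if str(replication.get("method", "NONE")).upper() != "ZOOKEEPER":
        return []
    secret = replication.get("secret")
    if not secret:
        return ["replication.secret is not set: a vulnerable server falls back to "
                f"the public default {DEFAULT_REPLICATION_SECRET!r}"]
    if secret == DEFAULT_REPLICATION_SECRET:
        return ["replication.secret is the publicly known default"]
    if len(secret) < MIN_SECRET_LENGTH:
        return [f"replication.secret is only {len(secret)} characters; use a random "
                f"value of at least {MIN_SECRET_LENGTH}"]
    return []


def new_replication_secret() -> str:
    """A replacement value: 32 random bytes, URL-safe base64 encoded (43 chars)."""
    return secrets.token_urlsafe(32)


# Constructed sample configurations (layout assumed, see module docstring).
MISSING_SECRET = '{"replication": {"method": "ZOOKEEPER", "servers": {}}}'
DEFAULT_SECRET = '{"replication": {"method": "ZOOKEEPER", "secret": "ch4n63m3"}}'
STANDALONE = '{"replication": {"method": "NONE"}}'
HARDENED = json.dumps({"replication": {"method": "ZOOKEEPER",
                                       "secret": new_replication_secret()}})

if __name__ == "__main__":
    for name, text in (("missing", MISSING_SECRET), ("default", DEFAULT_SECRET),
                       ("standalone", STANDALONE), ("hardened", HARDENED)):
        print(f"{name:11} {audit_replication_secret(text) or ['ok']}")
```

Run it against every replica's config, not just one: a single replica left on the default is enough for an attacker to join the cluster as a peer.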
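For the second advisory, the following is an added example (Python, standard library only) and not Central Dogma's `SshGitMirror` or Apache MINA SSHD code. It puts the vulnerable accept-everything verifier next to a verifier that pins server keys to a `known_hosts` file, including OpenSSH hashed (`|1|salt|hmac`) and `@revoked` entries. The key blobs and host names are constructed; the `known_hosts` syntax is OpenSSH's.

```python
"""Host-key verification for an SSH mirror client, as the CVE-2026-11745 fix requires.

Added example (Python, standard library only), not Central Dogma's SshGitMirror.
The key blobs and the known_hosts entries below are constructed for the demo;
the known_hosts syntax (plain, hashed "|1|salt|hmac" and "@revoked" entries)
is OpenSSH's.
"""
import base64
import hashlib
import hmac


def accept_all_verifier(host: str, key_type: str, key_b64: str) -> bool:
    """The vulnerable pattern: trust whatever key the server presents."""
    return True


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 key blob, for logging rejections."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field, including OpenSSH hashed entries."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def known_hosts_verifier(known_hosts: str, host: str, key_type: str, key_b64: str) -> bool:
    """Accept the server key only if known_hosts pins exactly this key for this host.

    Unknown hosts and changed keys are rejected rather than silently learned,
    because a mirror runs unattended and cannot ask a human to confirm.
    """
    presented = base64.b64decode(key_b64)
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = ""
        if fields[0].startswith("@"):           # @revoked or @cert-authority
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3 or marker == "@cert-authority":
            continue                             # CA entries need certificate parsing; not handled here
        pattern, entry_type, entry_b64 = fields[:3]
        if not _host_matches(pattern, host) or entry_type != key_type:
            continue
        if hmac.compare_digest(base64.b64decode(entry_b64), presented):
            return marker != "@revoked"
    return False


def hashed_known_hosts_line(host: str, key_type: str, key_b64: str, salt: bytes) -> str:
    """Build an OpenSSH hashed known_hosts entry (what `ssh-keygen -H` produces)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    pattern = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return f"{pattern} {key_type} {key_b64}"


# Constructed demo data: these are not real keys, just labelled byte strings.
HOST = "git.example.test"
GOOD_KEY = base64.b64encode(b"constructed ed25519 blob belonging to git.example.test").decode()
MITM_KEY = base64.b64encode(b"constructed blob presented by an on-path attacker").decode()
KNOWN_HOSTS = f"# pinned mirror hosts\n{HOST} ssh-ed25519 {GOOD_KEY}\n"

if __name__ == "__main__":
    for name, key in (("genuine", GOOD_KEY), ("on-path attacker", MITM_KEY)):
        print(f"{name:17} accept-all={accept_all_verifier(HOST, 'ssh-ed25519', key)} "
              f"known_hosts={known_hosts_verifier(KNOWN_HOSTS, HOST, 'ssh-ed25519', key)} "
              f"{fingerprint(key)}")
```

The design choice worth noting is fail-closed on unknown hosts: trust-on-first-use is acceptable for an interactive `ssh`, but a scheduled mirror would simply pin whatever key the first connection returned, which is what an on-path attacker wants.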
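For the third advisory, the following added example (not Central Dogma's `SearchFirstActiveDirectoryRealm`) shows raw substitution of a username into a filter template next to the RFC 4515 section 3 escaping that fixes it, and a small structural counter that makes the difference visible. The filter template and the usernames are constructed for the demo; the realm's real template is not shown on this page.

```python
"""RFC 4515 filter-value escaping, the fix class for CVE-2026-11748.

Added example, not Central Dogma's SearchFirstActiveDirectoryRealm. The filter
template and the usernames are constructed for the demo; the escape table is
RFC 4515 section 3.
"""

# RFC 4515 section 3: inside an assertion value these characters must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Constructed template in the style of an AD "search first" lookup; the real
# realm's template is not shown on the page.
FILTER_TEMPLATE = "(&(objectClass=user)(sAMAccountName={0}))"


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as a single assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Raw substitution: the pattern the advisory describes."""
    return FILTER_TEMPLATE.format(username)


def build_filter_safe(username: str) -> str:
    """Escaped substitution: metacharacters become literal characters to match."""
    return FILTER_TEMPLATE.format(escape_ldap_filter_value(username))


def leaf_assertion_count(ldap_filter: str) -> int:
    """Count attribute assertions, i.e. unescaped "(" not opening &, | or !.

    If a username changes this number, the input altered the filter's structure
    instead of being matched as a value.
    """
    count, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":            # skip a \xx escape sequence
            i += 3
            continue
        if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!"):
            count += 1
        i += 1
    return count


# Constructed usernames: a normal one and one that closes the assertion and
# appends a wildcard match, so every user in the directory satisfies the filter.
NORMAL_USER = "j.doe"
INJECTION = "*)(sAMAccountName=*"

if __name__ == "__main__":
    for user in (NORMAL_USER, INJECTION):
        for label, build in (("unsafe", build_filter_unsafe), ("safe", build_filter_safe)):
            f = build(user)
            print(f"{label:6} {leaf_assertion_count(f)} assertions  {f}")
```

With the escaped form the injected text is matched as a literal `sAMAccountName` and finds nothing, which is also why the audit log now records the username the attacker actually typed rather than a filter that silently matched someone else.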

Improvements

  • Users and app identities can now be assigned repository roles directly without prior project-level registration. Previously, entities had to be added as project members before they could receive per-repository permissions, which made it impossible to grant access to a single repository without also granting project-wide member access. #1309 #930

Bug fixes

  • Reverted the whole-repository caching that had been introduced to increase cache hit rates, as it caused correctness issues. Per-query caching is used again instead. #1306
  • Fixed an open redirect vulnerability in SamlAuthSsoHandler where an attacker-controlled RelayState value containing backslashes or ISO control characters could bypass the existing validation and redirect the browser to an off-origin URL after a successful SAML login. Unsafe values now fall back to /. #1312
  • Fixed a ZooKeeper replication bug where a replica could silently skip a log appended by another replica, causing local data to diverge and the replica to enter read-only mode with a "mismatching replay result" error. Pending logs are now replayed contiguously within storeLog so that no revision is ever skipped, and replication progress is recorded even during shutdown. #1313 #1314
  • A mirror with an invalid or missing credential no longer prevents the rest of the project's mirrors from being loaded and scheduled. Only the problematic mirror is skipped with a warning. #1316
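The RelayState fix above is a useful pattern on its own. The following is an added example, not Central Dogma's `SamlAuthSsoHandler`: a URL-parser-only check of the kind the fix describes as bypassable, next to a check that also rejects backslashes and ISO control characters (the same code-point ranges as Java's `Character.isISOControl`) and falls back to `/`. The sample RelayState values are constructed.

```python
"""RelayState validation for the post-login redirect fixed in #1312.

Added example, not Central Dogma's SamlAuthSsoHandler. Sample inputs are
constructed. The control-character range matches Java's Character.isISOControl
(U+0000..U+001F and U+007F..U+009F).
"""
from urllib.parse import urlsplit


def _is_iso_control(ch: str) -> bool:
    cp = ord(ch)
    return cp <= 0x1F or 0x7F <= cp <= 0x9F


def naive_is_local_path(relay_state: str) -> bool:
    # Parser-only check. Python's urlsplit never treats a backslash as a slash,
    # so "/\evil.example" looks like a relative path here, while a browser
    # normalises it to "//evil.example" and leaves the origin.
    parts = urlsplit(relay_state)
    return parts.scheme == "" and parts.netloc == "" and parts.path.startswith("/")


def safe_redirect_target(relay_state, default: str = "/") -> str:
    """Return relay_state if it is a plain same-origin path, else default."""
    if not relay_state or len(relay_state) > 2048:
        return default
    # Characters browsers strip or rewrite before parsing: reject outright.
    if any(ch == "\\" or _is_iso_control(ch) for ch in relay_state):
        return default
    # Scheme-relative forms, including "///host", checked on the raw string.
    if relay_state.startswith("//"):
        return default
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        return default
    return relay_state


# Constructed RelayState values as an attacker or a browser might send them.
SAMPLES = [
    "/projects/foo?tab=1#files",
    "https://evil.example/",
    "//evil.example/",
    "///evil.example/",
    "/\\evil.example",
    "/\t/evil.example",
    "/\u0085evil.example",
    "javascript:alert(1)",
    "",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} naive={naive_is_local_path(s)!s:5} -> {safe_redirect_target(s)!r}")
```

The point of the two-step check is that the server's URL parser and the browser's do not agree on backslashes and control characters; rejecting those code points before parsing removes the disagreement instead of trying to model it.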

Dependencies

  • Apache MINA SSHD 2.17.1 → 2.18.0
  • Armeria 1.39.0 → 1.40.0
  • controlplane 1.0.52 → 1.0.53
  • gRPC-Java 1.81.0 → 1.82.0
  • Jackson 2.21.3 → 2.22.0
  • Logback 1.5.32 → 1.5.34
  • Micrometer 1.16.5 → 1.17.0
  • Nimbus JOSE+JWT 10.9 → 10.9.1
  • Prometheus Metrics 1.6.1 → 1.8.0
  • Protocol Buffers 3.25.8 → 3.25.9
  • SLF4J 2.0.17 → 2.0.18
  • Spring Boot 3 3.5.10 → 3.5.15
  • Spring Boot 4 4.0.6 → 4.1.0
  • zstd-jni 1.5.7-8 → 1.5.7-11