This release sits between two other, much bigger releases, so this one will be short. Given that most installations won’t be updated because of this special time of the year 🎅, that shouldn’t be a big deal! Let’s see what we have to share.
Jira import is able to import Jira Server
When we released the first versions of the Jira Issue Type importer and later on the Jira Project importer, we built everything on top of the Jira REST APIs. We soon discovered that the APIs of Jira Server (the on-premise version) were not compatible. Worse, depending on the version, the behavior of a route may vary significantly. It took a bit of time to set up the right testing infrastructure and to find testers, but we managed to make the Jira integration compatible with both Jira Cloud and Jira Server.
Bugs and Requests
There were 48 bugs fixed and requests implemented during the 13.3 release cycle. Bugs and security fixes were already back-ported on Tuleap Enterprise builds. You will find below a selection of the most notable fixes.
- SQL injection via the user settings of the CVS commits browser (CVE-2021-43806, CVSS Score 8.8, High)
- Indirect LDAP injection via the ldap_id attribute of a user when checking if it exists (CVE-2021-43782, CVSS Score 6.7, Medium)
- Indirect LDAP injection via the ldap_id attribute of a user (CVE-2021-41276, CVSS Score 6.7, Medium)
- Modification of a tracker field is slow
- A tracker report with a list field with an invalid selected value can prevent the proper creation of a project
- REST artifact creation works with an empty user in a required selectbox bound to users
- Not possible to create or update artifacts with CSV import when a date field is empty
- Selectbox based on users should check if default value is valid
- Instantiate editors only when needed in the artifact view to avoid unnecessary changes
- Bar charts that are not grouped generate an invalid SQL query
- Generating the content of a burndown or a burnup fails when the duration is set to 0
- Grouping a bar chart on a field with “None” values throws an error
- Widget reports shouldn’t be based on session reports
- Unrecognized git reference when the repository contains a hyphen or a dot
- Forked repositories do not take default branch of parent into account
- Explicitly ask sudo to set HOME when calling gitolite
- Files with spaces in their names cannot be linked from rendered CommonMark files
- Network related errors are never logged when sending webhooks
- Submitting LDAP welcome page without a timezone throws an error