This page last changed on Oct 13, 2008 by smaddox.

14 October 2008
The Atlassian Crowd team is delighted to present Crowd 1.5.1.

Crowd 1.5.1 is a recommended upgrade which fixes a parameter injection vulnerability and other issues. Please refer to the security advisory for details of the security vulnerability, risk assessment and mitigation strategies.

When using Crowd for single sign-on (SSO), you can now specify that the 'secure' flag is set on the SSO cookie. This will enforce a secured connection, such as SSL, for all SSO requests. Note that if you set this flag, any applications not using a secure connection will not be able to participate in SSO. Potentially, this may make it impossible to log in to Crowd.
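As an added illustration (not code from the Crowd release notes or from Crowd itself), the following Python script parses constructed Set-Cookie headers, checks whether the SSO cookie carries the Secure attribute, and models the browser rule behind the caveat above: a Secure cookie is only sent over HTTPS, so an application reached over plain HTTP drops out of SSO. The cookie name and application URLs are illustrative assumptions.

```python
# Added example (not part of the Crowd release notes or Crowd's own code):
# verify the Secure attribute on an SSO cookie and model its consequence for
# applications that are not served over HTTPS.
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers; the cookie name is illustrative.
SET_COOKIE_SECURE = "crowd.token_key=abc123; Path=/; HttpOnly; Secure"
SET_COOKIE_PLAIN = "crowd.token_key=abc123; Path=/; HttpOnly"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes such as Secure/HttpOnly have no value; store True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def is_secure(header):
    """True when the cookie carries the Secure attribute."""
    _, _, attrs = parse_set_cookie(header)
    return "secure" in attrs


def browser_would_send(header, app_url):
    """Browser rule: a Secure cookie is only sent to https:// origins."""
    scheme = urlsplit(app_url).scheme.lower()
    if is_secure(header):
        return scheme == "https"
    return scheme in ("http", "https")


def sso_participants(header, app_urls):
    """Return the applications that can still receive the SSO cookie."""
    return [url for url in app_urls if browser_would_send(header, url)]


if __name__ == "__main__":
    # Hypothetical application URLs for the demonstration.
    apps = [
        "https://crowd.example.test/crowd",
        "https://wiki.example.test/confluence",
        "http://jira.example.test/jira",
    ]
    for label, header in (("secure", SET_COOKIE_SECURE), ("plain", SET_COOKIE_PLAIN)):
        print(label, "->", sso_participants(header, apps))
```

Running the script shows that with the Secure flag set, the http:// application is excluded from SSO; if the Crowd console itself were served over plain HTTP it would be excluded as well, which is the lock-out the notes warn about.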

When generating session tokens, Crowd now includes a very large random number as part of the hash value. This makes it more difficult for a malicious third party to impersonate a legitimate Crowd user.
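To make the reasoning concrete, here is an added Python example (not Crowd's actual token algorithm) that contrasts a token hashed only from predictable inputs with one that also mixes in a large number from the operating system's CSPRNG. The function names, the 256-bit size and the hashing scheme are assumptions chosen for the illustration.

```python
# Added example (not Crowd's own token code): why a large random number in
# the hashed material matters. Both tokens use the same hash; only the
# random one has an input that a third party cannot know or enumerate.
import hashlib
import secrets


def predictable_token(username, issued_at):
    """Token built only from values an observer could know or guess."""
    material = f"{username}:{issued_at}".encode()
    return hashlib.sha256(material).hexdigest()


def random_token(username, issued_at, random_bits=256):
    """Token that also mixes in a fresh CSPRNG number (hypothetical scheme)."""
    nonce = secrets.randbits(random_bits)
    material = f"{username}:{issued_at}:{nonce}".encode()
    return hashlib.sha256(material).hexdigest()


def attacker_can_reproduce(token_fn, username, issued_at):
    """Simulate someone who knows the user and issue time recomputing the token.

    The 'victim' token is issued once; the recomputation uses the same known
    inputs. Only a token with no secret input will match.
    """
    victim_token = token_fn(username, issued_at)
    recomputed = token_fn(username, issued_at)
    return victim_token == recomputed


def all_unique(token_fn, username, issued_at, count=100):
    """Tokens issued for the same user at the same instant must still differ."""
    return len({token_fn(username, issued_at) for _ in range(count)}) == count


if __name__ == "__main__":
    # Constructed sample inputs.
    user, ts = "alice", 1223942400
    print("predictable reproducible:", attacker_can_reproduce(predictable_token, user, ts))
    print("random reproducible:     ", attacker_can_reproduce(random_token, user, ts))
    print("random tokens unique:    ", all_unique(random_token, user, ts))
```

The second check also covers the uniqueness half of the fix: two sessions for the same user opened in the same second get different tokens, so one cannot be mistaken for the other on the server side.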

This release also brings a number of improvements to search functionality, particularly for LDAP directories and for Confluence instances integrated with Crowd.

Don't have Crowd 1.5 yet?
Take a look at the new features and other highlights in the Crowd 1.5 Release Notes.

Complete List of Fixes in Crowd 1.5.1

JIRA Issues (22 issues)
Key | Summary | Priority | Status
--- | --- | --- | ---
CWD-1276 | Create how-to documentation for language JARs for Crowd | Major | Resolved
CWD-1268 | Make XWork ParametersInterceptor safe from parameter injection attacks | Blocker | Resolved
CWD-1254 | Latest version of Appfuse not working with Crowd's Acegi/Appfuse Tutorial | Major | Resolved
CWD-1251 | On startup Crowd displays an EHCache error about duplicate disk store paths & no configuration for Property | Major | Resolved
CWD-1249 | Updating a RemotePrincipal does not add new attributes to LDAP | Major | Resolved
CWD-1245 | Full name searches return all users if the underlying Crowd directory is LDAP-based | Major | Resolved
CWD-1244 | crowd-ehcache.xml in Crowd's client directory does not contain defaultCache value | Major | Resolved
CWD-1242 | Crowd dependency check on startup | Major | Resolved
CWD-1201 | Group search requires exact case | Major | Resolved
CWD-1199 | In-memory token storage will not permit expiration of user session, throws exception | Major | Resolved
CWD-1190 | OS User fullname and email updates are not reflected in cache | Major | Resolved
CWD-1156 | Crowd Search API currently allows searches for PRINCIPAL_FULLNAME on Crowd internal directories, not LDAP | Major | Resolved
CWD-1134 | Removing user from Crowd does not remove tokens from TOKEN table for this user. | Major | Resolved
CWD-1110 | CrowdEntityQueryParser doesn't search groups by wildcards | Major | Resolved
CWD-1040 | Crowd session tokens need to be random and unique to avoid Session Hijacking!!! | Blocker | Resolved
CWD-1039 | Change Hibernate dialect for Oracle 9i/10g to use Oracle9iDialect | Major | Closed
CWD-994 | Multiple field query in Confluence user manager throws exception | Major | Resolved
CWD-960 | Increase ATTRIBUTEVALUES.VALUE size from 255 for more complex object filters | Major | Resolved
CWD-912 | Internal Directory and LDAP searches behave differently | Major | Resolved
CWD-893 | Option to set secure flag on SSO cookie | Minor | Resolved
CWD-701 | Need to ensure that special characters are escaped properly for UTF-8 in XML backup. | Major | Closed
CWD-156 | When adding a user from a Crowded Confluence, the email address and full name are missed | Major | Resolved

Document generated by Confluence on Nov 30, 2010 23:53