This page last changed on May 20, 2010 by smaddox.
This release fixes some security flaws. Please refer to the security advisory for details of the security vulnerabilities, risk assessment and mitigation strategies.

4 May 2010

The Atlassian Crowd team is delighted to present Crowd 2.0.4. This release is a recommended upgrade which fixes some security flaws and other bugs, as well as introducing a couple of nice improvements.

The main new feature in this release is the in-place migration of Crowd data on upgrade, available for PostgreSQL and MySQL database servers. It is no longer necessary to export your Crowd database to XML and then re-import it. Instead, you can simply point your new Crowd installation at your existing home directory. The upgrade procedure will upgrade your database for you. See the upgrade guide.

When configuring trusted proxy servers, you can now specify a wildcard IP range using CIDR notation. Before this release, you had to specify each IP address individually.
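As an added example (not Crowd's own code), the Python below shows how a trusted-proxy list mixing exact addresses and CIDR ranges is matched, and why the list matters: the X-Forwarded-For header is only honoured when the peer that actually opened the connection is in the trusted list, otherwise a client could set the header and choose its own apparent address. The addresses, the `TRUSTED_PROXIES` list and the function names are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed trusted-proxy list for this example: one exact host plus one
# CIDR range. These addresses are illustrative, not values from the release notes.
TRUSTED_PROXIES = ["10.0.0.5", "192.168.100.0/24"]


def parse_trusted_proxies(entries: Iterable[str]) -> List[Network]:
    """Turn configured entries into network objects.

    A bare address such as 10.0.0.5 becomes a /32 (or /128 for IPv6), so
    exact hosts and wildcard ranges are tested the same way. strict=False
    lets an entry like 192.168.100.7/24 stand for its whole /24.
    """
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def is_trusted_proxy(addr: str, networks: List[Network]) -> bool:
    """True when addr falls inside any trusted network. Unparseable input
    is treated as untrusted rather than raising."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in networks)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              networks: List[Network]) -> str:
    """Work out the real client address for a request.

    X-Forwarded-For is only consulted when the peer that opened the TCP
    connection is a trusted proxy; otherwise the header is under the
    caller's control and is ignored. Within the header, hops are walked from
    the right (nearest proxy) leftwards, skipping trusted proxies, so that an
    address a client prepended itself is never chosen over the one the
    trusted proxy appended.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr, networks):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, networks):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed hop: fall back to the address of the connecting proxy.
            return remote_addr
    # Every hop was a trusted proxy; the connecting proxy is the best answer.
    return remote_addr


if __name__ == "__main__":
    nets = parse_trusted_proxies(TRUSTED_PROXIES)
    print(is_trusted_proxy("192.168.100.77", nets))                      # True
    print(client_ip("192.168.100.7", "203.0.113.9, 192.168.100.8", nets))  # 203.0.113.9
    print(client_ip("198.51.100.4", "203.0.113.9", nets))                 # 198.51.100.4
```

The right-to-left walk is the part worth copying: a proxy appends the address it saw, so the rightmost untrusted hop is the first address that was not vouched for by something you configured.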

For added security, we have locked down the location of the backup file. When you request a Crowd backup, you can specify a file name for the XML backup file, but the path is no longer configurable. Crowd will create the file in the /backups directory under your Crowd Home directory.
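As an added example (not Crowd's own code), the Python below shows the kind of check that enforces a fixed backup location: the caller supplies only a file name, and two independent checks keep the resulting file inside the backups directory, a strict name whitelist and a verification that the normalised path still has that directory as its parent. Accepting an arbitrary path instead would let a backup, which contains the whole directory's data, be written wherever the server process can write. The `/var/crowd-home` location and the function names are constructed placeholders.

```python
import os
import re
from pathlib import Path

# Assumed layout for this example: a Crowd Home directory with its backups/
# subdirectory. The path is a constructed placeholder, not a value from the page.
CROWD_HOME = Path("/var/crowd-home")
BACKUP_DIR = CROWD_HOME / "backups"

# Whitelist: starts with an alphanumeric (so no leading dot), then only
# alphanumerics, '.', '_' and '-', and must end in .xml. No separators at all.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*\.xml$")


class UnsafeBackupName(ValueError):
    """Raised when a requested backup file name is rejected."""


def resolve_backup_path(requested_name: str, backup_dir: Path = BACKUP_DIR) -> Path:
    """Map a user-supplied backup file name onto a path inside backup_dir.

    Check 1 rejects anything outside the whitelist, which already excludes
    '/' , '\\' and '..' sequences. Check 2 normalises the joined path and
    insists its parent is exactly backup_dir, so even a name that slipped
    past the pattern could not escape the directory.
    """
    name = requested_name.strip()
    if not _SAFE_NAME.match(name):
        raise UnsafeBackupName(f"rejected backup file name: {requested_name!r}")

    base = os.path.normpath(os.path.abspath(str(backup_dir)))
    candidate = os.path.normpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        raise UnsafeBackupName(f"path escapes backup directory: {requested_name!r}")
    return Path(candidate)


def is_accepted(requested_name: str) -> bool:
    """Convenience wrapper: True when the name resolves to a safe path."""
    try:
        resolve_backup_path(requested_name)
        return True
    except UnsafeBackupName:
        return False


if __name__ == "__main__":
    print(resolve_backup_path("crowd-backup-2010-05-04.xml"))  # /var/crowd-home/backups/crowd-backup-2010-05-04.xml
    print(is_accepted("../../etc/crontab.xml"))                # False
    print(is_accepted("/tmp/anything.xml"))                    # False
```

The second check is deliberately redundant with the first; if the whitelist is ever relaxed (say to allow subfolders), the parent-directory comparison is what still holds the line.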

Please note: When you upgrade to Crowd 2.0.4, users with expired passwords will no longer be able to log in to Crowd-connected applications. For the Crowd internal directory, password expiry is determined by the field 'Maximum Unchanged Password Days'. (See Configuring an Internal Directory.) Up to this release, users could still log in to the applications even if they had not changed their passwords within the specified number of days. This bug is now fixed (CWD-1724). Be aware that after upgrading, users whose passwords have already expired will be unable to log in to the applications until their passwords are reset. To prevent this, either ask users to check and change their passwords if necessary, or set 'Maximum Unchanged Password Days' to zero, which means that there is no expiry period.

Don't have Crowd 2.0 yet?
Take a look at the new features and other highlights in the Crowd 2.0 Release Notes.

Complete List of Fixes in This Release

JIRA Issues (19 issues)

Key      | Summary | Priority | Status
---------|---------|----------|-------
CWD-1954 | Using CrowdAuth in Apache for DAV svn with anonymous access | Major | Closed
CWD-1900 | crowd-plugin-test-resources 2.0.4 is broken | Minor | Resolved
CWD-1889 | XSS vulnerability in Crowd error page | Blocker | Resolved
CWD-1888 | XSS vulnerabilities in Crowd Administration Console | Blocker | Resolved
CWD-1877 | Force backups to be in the home directory | Minor | Resolved
CWD-1874 | Make Crowd token cookies httponly | Minor | Resolved
CWD-1864 | Sal Properties data is inaccessible after migration | Blocker | Resolved
CWD-1862 | PluginPropertyManageGeneric creates property keys incorrectly | Minor | Resolved
CWD-1856 | Make permissionManager available to plugins - needed for Studio | Minor | Resolved
CWD-1849 | Google Apps SAML complains that not enough space was allocated to hold decompressed data | Minor | Resolved
CWD-1827 | IE8 can present an IE7 User-Agent string causing users to appear logged out | Minor | Resolved
CWD-1821 | Cannot set cookie domain to wildcard version of exact host | Minor | Resolved
CWD-1810 | Support wildcards in the trusted proxy server configuration | Minor | Resolved
CWD-1795 | Users created using the Integration Library have details set to the default value of "-" | Minor | Resolved
CWD-1793 | Allow Crowd to be upgraded from 1.X to 2.X without an XML Backup | Minor | Resolved
CWD-1786 | The Crowd Console currently allows a user to restore XML data from a 'newer' version of Crowd into an older version | Minor | Resolved
CWD-1784 | Distribution setenv.bat files are missing MaxPermSize setting. | Minor | Resolved
CWD-1781 | Search for username with Crowd Integration fails | Major | Resolved
CWD-1724 | Maximum Unchanged Password Days configuration is not respected by the Applications | Minor | Resolved

Document generated by Confluence on Nov 30, 2010 23:53