Crowd 2.2.9 Release Notes

This release fixes a security flaw. Please refer to the security advisory for details of the security vulnerability, risk assessment and mitigation strategies.

17 May 2012

The Atlassian Crowd team presents Crowd 2.2.9.

This is a security release that fixes a critical vulnerability in Crowd which may allow unauthorised access to data. Atlassian rates the severity of this vulnerability as critical on the scale published as Security Levels for Security Issues, which ranks issues as critical, high, moderate or low.

That rating is Atlassian's own assessment; you should evaluate its applicability to your own IT environment.

The vulnerability allows an attacker to:

  • execute denial of service attacks against the Crowd server, or
  • read any local file that is readable to the system user under which Crowd runs

We recommend that all customers upgrade. Please refer to the security advisory for details of the security vulnerability, risk assessment and mitigation strategies.

Note: Crowd 2.2.8 was an internal release.

Upgrading to Crowd 2.2.9

You can download Crowd from the Atlassian website. If upgrading from a previous version, please read the Crowd 2.2 Upgrade Notes.

Complete List of Improvements and Fixes

JIRA Issues (11 issues)

Key       Summary                                                                          Priority  Status
--------  -------------------------------------------------------------------------------  --------  --------
CWD-2797  XML Vulnerability in Crowd                                                       Critical  Resolved
CWD-2525  UpgradeTask 453 never gets executed since it's not declared in Spring context    Minor     Resolved
CWD-2459  Crowd removes the last occurrence of "/services" from the application URL        Major     Resolved
CWD-2449  HTTP connection pool leak in the Crowd REST client                               Minor     Closed
CWD-2447  Improve performance for retrieving all group memberships                         Minor     Resolved
CWD-2427  Report on performance of the old and new implementations                        Major     Resolved
CWD-2425  Create an implementation of the Atlassian User API around the cached data        Major     Resolved
CWD-2413  Cache in the Atlassian User REST implementation                                  Major     Resolved
CWD-2353  Sub-packages of dom4j are not exported to the OSGi container                     Minor     Closed
CWD-2075  Search terms only used when active field set to all                              Major     Resolved
CWD-1096  Add ability to ignore PartialResultExceptions                                    Major     Closed