This page last changed on Apr 21, 2010 by ggaskell.

21 April 2010

The Atlassian JIRA team announces the release of JIRA 4.1.1. This point release is a highly recommended upgrade as it contains important fixes to security vulnerabilities in JIRA (listed below). For more information about these security vulnerabilities and patches to fix these vulnerabilities in earlier versions of JIRA, please refer to the JIRA Security Advisory 2010-04-16.

Please also refer to the JIRA 4.1.1 Upgrade Guide for important changes in JIRA, which are designed to minimise the risk of security attacks.

JIRA 4.1.1 is of course free to all customers with active JIRA software maintenance.

Don't have JIRA 4.1 yet?
Take a look at all the new features in the JIRA 4.1 Release Notes and see what you are missing out on!

Upgrading from a Previous Version of JIRA

If you are upgrading, please read the JIRA 4.1.1 Upgrade Guide.

Updates and Fixes in this Release

JIRA 4.1.1 includes the following updates and bug fixes:

JIRA Issues (16 issues)

| Type | Key | Summary | Priority | Status |
|---|---|---|---|---|
| Improvement | JRA-21003 | The AJP connector should always have the URIEncoding="UTF-8" set | | Resolved |
| Improvement | JRA-20782 | Save gadget setting (maximized, minimized, normal) between logon sessions | | Closed |
| Bug | JRA-21004 | XSS and Privilege Escalation Vulnerabilities in JIRA | Blocker | Resolved |
| Bug | JRA-20995 | Privilege escalation vulnerability when administrator access is compromised | Blocker | Resolved |
| Bug | JRA-20994 | XSS Vulnerabilities in JIRA | Blocker | Resolved |
| Bug | JRA-21038 | brute force password attack protection by default | Critical | Resolved |
| Bug | JRA-21024 | 500page.jsp contains HTTP Header XSS vulnerability | Critical | Resolved |
| Bug | JRA-21023 | screenshot-redirecter.jsp XSS attach via the afterURL parameter | Critical | Resolved |
| Bug | JRA-21022 | issuelinkssmall.jsp has an XSS hole via the URL used to access it | Critical | Resolved |
| Bug | JRA-21019 | runportleterror.jsp contains XSS hole | Critical | Resolved |
| Bug | JRA-21018 | Miscellaneous support-related JSPs contain XSS holes | Critical | Resolved |
| Bug | JRA-21017 | Announcement Preview banner is a vector for an XSS attack | Critical | Resolved |
| Bug | JRA-20665 | xss vulnerability in issuelinksmall.jsp | Critical | Resolved |
| Bug | JRA-21037 | Group picker popup JSP has XSS hole if group names are XSS shaped | Major | Resolved |
| Bug | JRA-21150 | Soap deleteProject call may try to delete an issue more than one time causing it to fail with an Exception | Minor | Resolved |
| Bug | JRA-20446 | Right clicking on dashboard links when there are a lot of gadgets is super slow. | Minor | Resolved |


Document generated by Confluence on Mar 27, 2011 18:40