Important Notes

WARNING: There are no schema changes from 2.9.4, but when upgrading from an existing site that was initialized with Gerrit version 2.6 to version 2.9.1 the primary key column order will be updated for some tables. It is therefore important to upgrade the site with the init program, rather than only copying the .war file over the existing one.

It is recommended to run the init program in interactive mode. Warnings will be suppressed in batch mode.

  java -jar gerrit.war init -d site_path

Bug Fixes

  • Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports.

    See the following section for details.

  • Upgrade JGit to 4.5.5.201812240535-r.

    This upgrade includes several major versions since 3.4.2 used in Gerrit version 2.9.4. Important fixes are summarized below. Please refer to the corresponding JGit release notes for full details.

    • JGit 4.5.5: Issue 10262: Fix validation of wants in git-upload-pack for protocol v0 stateless transports.

      AdvertiseRefsHook was not called for git-upload-pack in protocol v0 stateless transports, meaning that wants were not validated and a user could fetch anything that is pointed to by any ref (using fetch-by-sha1), as long as they could guess the object name.

    • JGit 4.5.4: Fix LockFile semantics when running on NFS.

      Honor trustFolderStats also when reading packed-refs.

    • JGit 4.5.3: Fix exception handling for opening bitmap index files.

    • JGit 4.5.2: Fix pack marked as corrupted even if it isn’t.

    • JGit 4.5.1: Don’t remove Pack when FileNotFoundException is transient.

    • JGit 4.1.0: Handle stale NFS file handles on packed-refs file.

      Use java.io.File instead of NIO to check existence of loose objects in ObjectDirectory to speed up inserting of loose objects. Reduce memory consumption when creating bitmaps during writing pack files.

    • JGit 3.7.1: Fix massive performance problem in Gerrit caused by ObjectWalk.markUninteresting marking the root tree as uninteresting.

    • JGit 3.7.0: Provide more details in exceptions thrown when packfile is invalid.

    • JGit 3.6.2: Issue 3094: Don’t remove pack from pack list for problems which could be transient.

      Log reason for ignoring pack when IOException occurred.

    • JGit 3.5.3: Fix for vulnerability CVE-2014-9390.

  • Fix resource exhaustion due to unclosed LDAP connection.

    When auth.type is set to LDAP (not LDAP_BIND), two LDAP connections are made, but one was not being closed. This eventually caused resource exhaustion and LDAP authentications failed.