RhodeCode Enterprise 3.1.1 Security Release

Published on March 31, 2015, by Sebastian

Today we release the minor upgrade 3.1.1, which fixes a potential security vulnerability in a 3rd party library. We recommend that all users upgrade to RhodeCode Enterprise 3.1.1 as soon as possible.

Vulnerability Details

The Google Security Team discovered a vulnerability in the 3rd party library Dulwich which could cause a buffer overflow in the C implementation of the apply_delta() function. This function is used when accessing Git objects in pack files. Any Git server or client based on Dulwich that handles untrusted pack files is very likely to be vulnerable.
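To make the class of bug concrete, the following is an added example (not code from RhodeCode or from the Dulwich project) of a bounds-checked apply_delta() in Python. It follows Git's packfile delta encoding: two base-128 size headers, then a sequence of copy commands (high bit set, copying a range of the base object) and insert commands (literal bytes). The two checks marked in the code, that a copy stays within the base object and that the output never exceeds the declared target size, are exactly the validations a delta applier needs before it moves any bytes; a C implementation needs the same checks against its buffers. The base object and deltas below are constructed sample inputs.

```python
"""Bounds-checked Git delta application (added example, not Dulwich's code)."""
from __future__ import annotations


class DeltaError(ValueError):
    """Raised when a delta is malformed or would read/write out of bounds."""


def _read_varint(delta: bytes, pos: int) -> tuple[int, int]:
    """Decode the little-endian base-128 size header used by Git deltas."""
    value = 0
    shift = 0
    while True:
        if pos >= len(delta):
            raise DeltaError("truncated size header")
        byte = delta[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def apply_delta(base: bytes, delta: bytes) -> bytes:
    """Reconstruct a target object from a base object and a delta.

    Every copy and insert command is validated against the declared sizes and
    the real buffer lengths before any bytes are moved, so a malformed delta
    raises DeltaError instead of reading or writing out of bounds.
    """
    src_size, pos = _read_varint(delta, 0)
    dst_size, pos = _read_varint(delta, pos)
    if src_size != len(base):
        raise DeltaError(f"delta expects a base of {src_size} bytes, got {len(base)}")

    out = bytearray()
    while pos < len(delta):
        cmd = delta[pos]
        pos += 1
        if cmd & 0x80:
            # Copy command: bits 0-3 flag offset bytes, bits 4-6 flag size bytes.
            offset = 0
            size = 0
            for i in range(4):
                if cmd & (1 << i):
                    if pos >= len(delta):
                        raise DeltaError("truncated copy offset")
                    offset |= delta[pos] << (8 * i)
                    pos += 1
            for i in range(3):
                if cmd & (1 << (4 + i)):
                    if pos >= len(delta):
                        raise DeltaError("truncated copy size")
                    size |= delta[pos] << (8 * i)
                    pos += 1
            if size == 0:
                size = 0x10000  # Git encodes a 64 KiB copy as size 0
            # Check 1: the copy must stay inside the base object (no over-read).
            if offset + size > len(base):
                raise DeltaError("copy command reads past the end of the base")
            chunk = base[offset:offset + size]
        elif cmd:
            # Insert command: the low 7 bits give the literal length.
            if pos + cmd > len(delta):
                raise DeltaError("insert command reads past the end of the delta")
            chunk = delta[pos:pos + cmd]
            pos += cmd
        else:
            raise DeltaError("reserved zero opcode")
        # Check 2: output must not exceed the declared target size (no over-write).
        if len(out) + len(chunk) > dst_size:
            raise DeltaError("delta output exceeds the declared target size")
        out += chunk

    if len(out) != dst_size:
        raise DeltaError("delta output shorter than the declared target size")
    return bytes(out)


def delta_is_safe(base: bytes, delta: bytes) -> bool:
    """True if the delta applies cleanly, False if it is rejected as malformed."""
    try:
        apply_delta(base, delta)
        return True
    except DeltaError:
        return False


# Constructed sample inputs (not from any real pack file).
BASE = b"hello world"
# "hello" copied from base, ", " inserted, "world" copied, "!" inserted.
GOOD_DELTA = bytes([0x0B, 0x0D, 0x90, 0x05, 0x02]) + b", " + bytes([0x91, 0x06, 0x05, 0x01]) + b"!"
# Copy of 32 bytes starting at offset 6 of an 11-byte base: rejected by check 1.
OVERREAD_DELTA = bytes([0x0B, 0x0D, 0x91, 0x06, 0x20])
# Declares a 2-byte target but copies 5 bytes into it: rejected by check 2.
OVERWRITE_DELTA = bytes([0x0B, 0x02, 0x90, 0x05])

if __name__ == "__main__":
    print(apply_delta(BASE, GOOD_DELTA))
    for name, bad in (("over-read", OVERREAD_DELTA), ("over-write", OVERWRITE_DELTA)):
        print(name, "rejected:", not delta_is_safe(BASE, bad))
```

The sizes declared in the delta header are attacker-controlled data when the pack file is untrusted, so they are only used here to size-check the output, never as a reason to skip checking the base's actual length.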

Vulnerability Fix

We added the latest version of the Dulwich library in today’s release RhodeCode Enterprise 3.1.1 which fixes the potential security vulnerability. An upgrade to version 3.1.1 is recommended.

For Linux, you can easily upgrade from RhodeCode Enterprise 3 to 3.1.1 by running the following commands (assuming your server instances are called vcsserver-1 and enterprise-1):

rccontrol self-update
rccontrol upgrade vcsserver-1
rccontrol upgrade enterprise-1
rccontrol restart vcsserver-1 
rccontrol restart enterprise-1

For Windows users on RhodeCode Enterprise 2.2.7, please contact us for instructions about how to upgrade your Dulwich library.

Please don’t hesitate to contact us if you have further questions or if you need further upgrade support.