RhodeCode Enterprise 3.3.2 Security Release

Published on June 09, 2015, by Brian


As part of the on-going efforts to keep our software stable and secure, we put a lot of resources into testing it and finding holes that users should not encounter. This is important to us because we depend on our customers having positive experiences with RhodeCode Enterprise, and we also use our own tools daily so any mistakes hit us first.

This is all part of evolving an open-source project into a viable company that has enough resources to continue improving and securing the software that it ships.

Recently, RhodeCode Enterprise was audited by a security researcher who specializes in cyber security and application penetration testing. The application was put through its paces and checked for potential exploits. Once testing was completed, the findings were immediately rolled into sprint planning, and the fixes are in the version released today.

RhodeCode Enterprise Security Improvements

Thankfully the security audit did not return any major problems, and addressing the concerns raised was a mixture of adding some new backend functionality, improving best practice documentation, and shipping the product with a more secure default configuration. As a result, RhodeCode Enterprise has been hardened against the following kinds of potential security holes:

  • Stored XSS attempts on user login fields and other text input fields.
  • DOM-based XSS attempts, where the attack executes because the page's own client-side script writes attacker-controlled data into the DOM of the target's browser.
  • HTML injection.
  • Cross frame scripting (XFS), where an attacker frames the application and exploits a browser bug to access private data from that third-party site.
  • Concurrent sessions across multiple tabs and browsers are now invalidated on password change.
  • Downgrading of HTTPS connections to plain HTTP is prevented by sending an HTTP Strict Transport Security (HSTS) header, which instructs browsers to refuse unencrypted connections to the host for the stated period.
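The session item above is a design point worth seeing in code. The following is an added example, not RhodeCode's own implementation: a minimal in-memory session store in which every session records the "password generation" it was issued under, so a password change bumps the generation and every session issued earlier (other tabs, other browsers) fails on its next request without the server having to enumerate them. The user names, passwords and the PBKDF2 hashing are constructed for the illustration.

```python
"""Invalidating every concurrent session when a user changes their password.

Added example, not RhodeCode's own code: an in-memory model of one way to get
the behaviour described in the release note. Each session records the
'password generation' it was issued under; changing the password bumps the
generation, so sessions in other tabs and browsers fail on their next request.
"""
import hashlib
import hmac
import secrets


def _hash_password(password, salt):
    # Illustrative only: a production service should use bcrypt, scrypt or argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "pw_gen"}
        self.sessions = {}  # session id -> (username, pw_gen at issue time)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt,
                                "pw_hash": _hash_password(password, salt),
                                "pw_gen": 0}

    def _check_password(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["pw_hash"],
                                   _hash_password(password, user["salt"]))

    def _issue(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = (username, self.users[username]["pw_gen"])
        return sid

    def login(self, username, password):
        """Return a new session id, or None if the credentials are wrong."""
        if not self._check_password(username, password):
            return None
        return self._issue(username)

    def validate(self, sid):
        """Return the username for a live session, or None.

        A session issued under an earlier password generation is stale: it is
        removed and rejected, which is what logs out the other tabs/browsers.
        """
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, issued_gen = entry
        if issued_gen != self.users[username]["pw_gen"]:
            del self.sessions[sid]
            return None
        return username

    def change_password(self, sid, current_password, new_password):
        """Change the password for the session's user.

        Requires the current password (so a hijacked session alone cannot lock
        the owner out), bumps the generation, and hands the caller a fresh
        session so only the tab that made the change stays logged in.
        """
        username = self.validate(sid)
        if username is None or not self._check_password(username, current_password):
            return None
        user = self.users[username]
        user["salt"] = secrets.token_bytes(16)
        user["pw_hash"] = _hash_password(new_password, user["salt"])
        user["pw_gen"] += 1
        del self.sessions[sid]
        return self._issue(username)


def demo():
    """Two concurrent logins (constructed data); a password change from one
    leaves only the re-issued session valid. Returns the results for inspection."""
    store = SessionStore()
    store.add_user("alice", "old-secret")
    tab_a = store.login("alice", "old-secret")
    browser_b = store.login("alice", "old-secret")
    new_a = store.change_password(tab_a, "old-secret", "new-secret")
    return {
        "old_tab_a": store.validate(tab_a),
        "browser_b": store.validate(browser_b),
        "new_tab_a": store.validate(new_a),
        "old_password_login": store.login("alice", "old-secret"),
        "new_password_login": store.validate(store.login("alice", "new-secret")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The generation counter is what makes this cheap: the store never has to search for "all sessions belonging to alice", and the same check works against a signed cookie that carries the generation instead of a server-side table.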

Performance Improvements

VCS Server memory usage has been optimized to improve cache management functionality.

How to upgrade

The fixes for these issues are in the RhodeCode Enterprise 3.3.2 release. To upgrade your current installation, see the RhodeCode Control upgrade section.
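After upgrading, one check worth making is that the instance actually sends the HSTS header listed above, with a max-age long enough to matter. The following is an added example, not part of RhodeCode or its release: it parses a Strict-Transport-Security value per RFC 6797 and grades a set of response headers. The sample "before" and "after" header sets are constructed, and the 180-day minimum max-age is this example's own threshold, not one the RFC or RhodeCode specifies.

```python
"""Check that a response enforces HSTS as intended.

Added example, not RhodeCode's code: parses a Strict-Transport-Security header
(RFC 6797, section 6.1) and reports whether it is present and strong enough to
stop a downgrade of the host to plain HTTP.
"""
import re
import urllib.error
import urllib.request

# Threshold chosen for this example; RFC 6797 sets no minimum, but a short
# max-age means the browser forgets the policy soon after the last visit.
MIN_MAX_AGE = 15552000  # 180 days in seconds


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive and max-age is mandatory. Returns
    None when the value is unusable (no or malformed max-age).
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')  # the RFC allows a quoted-string argument
        if name == "max-age":
            if not re.fullmatch(r"\d+", arg):
                return None
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
        # unknown directives are ignored, as the RFC requires
    if result["max_age"] is None:
        return None
    return result


def assess_hsts(headers, min_max_age=MIN_MAX_AGE):
    """Return (host_protected, findings) for a mapping of response headers.

    Header names are matched case-insensitively. host_protected is True when
    the header is present and max-age reaches the threshold; findings lists
    every weakness seen, including advisory ones such as a missing
    includeSubDomains.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, ["no Strict-Transport-Security header"]
    policy = parse_hsts(value)
    if policy is None:
        return False, ["malformed header: missing or invalid max-age"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif policy["max_age"] < min_max_age:
        findings.append(f"max-age {policy['max_age']} is below {min_max_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains can still be downgraded")
    return policy["max_age"] >= min_max_age, findings


def fetch_headers(url):
    """Live variant: HEAD the URL and return its response headers.

    Browsers only honour HSTS received over HTTPS (RFC 6797, section 8.1), so
    check the https:// URL of the instance, not a plain-HTTP one.
    """
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed responses: what an instance might send before and after hardening.
BEFORE = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8"}
AFTER = {"Server": "nginx", "Content-Type": "text/html; charset=utf-8",
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        ok, findings = assess_hsts(headers)
        print(f"{label}: {'enforced' if ok else 'NOT enforced'}", findings)
```

Run `assess_hsts(fetch_headers("https://your-rhodecode-host/"))` against the upgraded instance; `curl -sI` on the same URL shows the raw header if you prefer to eyeball it. Note that a header received over plain HTTP is ignored by browsers, so a reverse proxy that only adds it on the HTTP listener gives no protection.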

Continued Security Commitment

We have implemented a bounty programme to reward those who find and report any issues with our products. If you've found something, contact us at security@rhodecode.com.