This release fixes some security flaws. Please refer to the security advisory for details of the security vulnerabilities, risk assessment and mitigation strategies.
4 May 2010
The Atlassian Crowd team is delighted to present Crowd 2.0.4. This release is a recommended upgrade which fixes some security flaws and other bugs, as well as introducing a couple of nice improvements.
The main new feature in this release is the in-place migration of Crowd data on upgrade, available for PostgreSQL and MySQL database servers. It is no longer necessary to export your Crowd database to XML and then re-import it. Instead, you can simply point your new Crowd installation at your existing home directory. The upgrade procedure will upgrade your database for you. See the upgrade guide.
When configuring trusted proxy servers, you can now specify a wildcard IP range using CIDR notation. Before this release, you had to specify each IP address individually.
For added security, we have locked down the location of the backup file. When you request a Crowd backup, you can specify a file name for the XML backup file, but the path is no longer configurable. Crowd will create the file in the /backups directory under your Crowd Home directory.
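The lock-down described above, sketched as an added example (this is not Crowd's own code): the caller supplies only a file name, and the server resolves it under the backups directory of the home directory. The function name, the allowed-character rule and the required .xml suffix are assumptions made for illustration.

```python
import re
from pathlib import Path

# Assumption: a conservative allow-list for backup names. No path separators,
# no leading dot, no control characters, and a mandatory .xml suffix.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}\.xml")


class BackupNameError(ValueError):
    """Raised when a requested backup file name is rejected."""


def resolve_backup_path(crowd_home: str, requested_name: str) -> Path:
    """Return the absolute backup path, confined to <crowd_home>/backups.

    Only a bare file name is accepted; the directory is fixed by the server.
    """
    # fullmatch (not match) so a trailing newline cannot slip past the pattern.
    if not _SAFE_NAME.fullmatch(requested_name):
        raise BackupNameError(f"rejected backup file name: {requested_name!r}")

    backups_dir = (Path(crowd_home) / "backups").resolve()
    candidate = (backups_dir / requested_name).resolve()

    # Defence in depth: resolve() follows symlinks, so a pre-planted link that
    # points outside the backups directory ends up with a different parent.
    if candidate.parent != backups_dir:
        raise BackupNameError(f"backup path escapes {backups_dir}")
    return candidate


if __name__ == "__main__":
    import tempfile

    home = tempfile.mkdtemp()  # constructed stand-in for the Crowd Home directory
    (Path(home) / "backups").mkdir()
    for name in ["nightly.xml", "../outside.xml", "/tmp/outside.xml"]:
        try:
            print(name, "->", resolve_backup_path(home, name))
        except BackupNameError as exc:
            print(name, "->", exc)
```
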
Please note: When you upgrade to Crowd 2.0.4, users with expired passwords will no longer be able to log in to Crowd-connected applications. For the Crowd internal directory, password expiry is determined by the field 'Maximum Unchanged Password Days'. (See Configuring an Internal Directory.) Up to this release, users were able to log in to the applications even if they had not changed their passwords within the specified number of days. We have now fixed this bug (CWD-1724). Please be aware that on upgrading you may find a number of people unable to log in to the applications until their passwords are reset, due to expired passwords. To prevent this, you can either ask users to check and change their passwords if necessary, or you can set the value of 'Maximum Unchanged Password Days' to zero, which means that there is no expiry period.
Don't have Crowd 2.0 yet?
Take a look at the new features and other highlights in the Crowd 2.0 Release Notes.