JIRA 4.1.1 fixes several security vulnerabilities in JIRA. Patches that fix these vulnerabilities in earlier versions of JIRA are also available. Please refer to the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004 for more information about these vulnerabilities and links to these patches.
Please be aware that these fixes have resulted in the following changes to JIRA's behaviour.
Setting File Paths via the Administration User Interface
By default, the jira.paths.set.allowed variable is set to false, such that it appears as jira.paths.set.allowed=false in the jira-application.properties file.
JIRA's file path settings are secure when any of the following is true:
- jira.paths.set.allowed in jira-application.properties is set to false
- jira.paths.set.allowed in jira-application.properties is set to anything other than true, or its value is left blank
- the jira.paths.set.allowed property does not exist in jira-application.properties, or it is 'commented-out'
and the following JIRA screens:
- .../secure/admin/ViewAttachmentSettings.jspa (see Configuring File Attachments)
- .../secure/admin/IndexActivate.jspa (see Search Indexing)
- .../secure/admin/jira/ViewServices!default.jspa (see Automating JIRA Backups)
- .../secure/admin/XmlRestore!default.jspa (see Restoring Data)
will display this message:
Changing the attachment, index, backup or restore settings is not allowed for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.set.allowed=true'. Restart JIRA and then the path settings will be able to be changed.
Changing JIRA's File Path Settings
If you want to change the locations for storing file attachments, backups, etc., you will need to do the following:
- Shut down JIRA.
- Ensure that jira.paths.set.allowed=true has been set in the jira-application.properties file, and restart JIRA.
- Perform your location changes and shut down JIRA.
- Secure JIRA's file path settings again by disabling the jira.paths.set.allowed property in jira-application.properties using one of the methods above. Although this step is optional, it is strongly recommended as it will minimise the risk of attack to your JIRA instance.
- Restart JIRA.
Upon setting the value of the jira.paths.set.allowed variable to true in jira-application.properties, this message is displayed in the screens above:
You have enabled the ability to change attachment, index, backup or restore path settings from within JIRA. Having this setting on can cause a known security risk. See http://jira.atlassian.com/browse/JRA-21004 for more details
To re-enable stronger security, edit jira-application.properties and explicitly set 'jira.paths.set.allowed=false'. Restart JIRA and then the path settings will be NOT able to be changed.
'Contact Administrators' Link
For security reasons, the list of JIRA administrators, which can be accessed via the 'Contact Administrators' link in the JIRA footer, will be blank unless jira.paths.set.allowed is set to true (which is not recommended — see above).
Backing Up Data to XML
By default, the jira.paths.safe.backup.path variable is present in the jira-application.properties file, but it is disabled ('commented-out') and its value is an example directory path only. If you enable the jira.paths.safe.backup.path variable and set its value to a valid directory, the following screen in JIRA:
.../secure/admin/XmlBackup!default.jspa (see Backing Up Data for more information)
will display this message:
You have named a safe backup directory. Any arbitrary backups will be written to this directory.
Otherwise, this message is displayed:
You have not named a safe backup directory and hence you are not allowed to make backups for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.safe.backup.path=/to/some/safe/path'. Restart JIRA and then you will be able to make arbitrary backups. NOTE : If you are using Windows, you will need to use double \ characters, for example
Examples of valid directory paths used with this variable:
- UNIX-based systems (e.g. Linux or Mac OS X)
- Windows systems
JIRA's manual 'Backup Data to XML' feature will not be available unless the value of the jira.paths.safe.backup.path variable in jira-application.properties has been set to a valid path.
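To check a jira-application.properties file against the rules given in the two sections above (the jira.paths.set.allowed states that keep the path settings locked, and the safe backup directory required for XML backups), here is an added Python example. It is not Atlassian's code; the parser, the function names and the case-insensitive match on 'true' are assumptions.

```python
"""Audit the two JIRA 4.1.1 path properties discussed above.

Added example, not Atlassian's code. Assumes standard Java .properties
syntax (key=value or key:value; comment lines start with '#' or '!').
Values are returned raw, without Java escape processing.
"""
import re
from typing import Dict, Optional

_LINE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*?)\s*$")

def parse_properties(text: str) -> Dict[str, str]:
    """Return the active (uncommented) key/value pairs from .properties text."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":
            continue  # blank or commented-out line: the property is not set
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def paths_set_allowed(props: Dict[str, str]) -> bool:
    """True only when jira.paths.set.allowed is present and set to true.

    Any other value, a blank value, or an absent/commented-out key leaves the
    path settings locked. Case-insensitive matching is an assumption here,
    mirroring Java's Boolean.parseBoolean.
    """
    return props.get("jira.paths.set.allowed", "").strip().lower() == "true"

def safe_backup_path(props: Dict[str, str]) -> Optional[str]:
    """The configured safe backup directory, or None if XML backup stays off."""
    return props.get("jira.paths.safe.backup.path", "").strip() or None

def audit(text: str) -> Dict[str, object]:
    """Summarise the posture of one jira-application.properties file."""
    props = parse_properties(text)
    return {
        "paths_editable_in_ui": paths_set_allowed(props),
        "safe_backup_path": safe_backup_path(props),
    }

# Constructed sample: the shipped default (locked) plus a commented-out backup path.
DEFAULT_CONFIG = "jira.paths.set.allowed=false\n#jira.paths.safe.backup.path=/to/some/safe/path\n"
```

Run audit() over the file from WEB-INF/classes after each upgrade or change: both values should read as locked/None unless a path change or backup is in progress.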
For security reasons, the ability to preview the Announcement Banner has been disabled.
Data for Support Requests
For security reasons, we no longer attach XML backups and logs to the emails generated by the Support Request page.
Differences between JIRA 4.1.1 and the Security Patches for Earlier JIRA Versions
The main purpose of the JIRA 4.1.1 point release was to fix several security vulnerabilities in JIRA. (Patches to fix these vulnerabilities in earlier versions of JIRA can be obtained via the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004.)
However, there are some differences in behaviour between JIRA 4.1.1 and the patches applied to earlier JIRA versions:
- Upon upgrading to or initially installing JIRA 4.1.1, Captcha will automatically be activated after five failed login attempts. If you had set the Maximum Authentication Attempts Allowed option (via the 'Administration' -> 'General Configuration' page) to another value prior to upgrading, it will be overridden and set to 5 upon upgrading to JIRA 4.1.1. Hence, to revert this option back to your previous setting, you will need to do this manually via the 'Global Settings' -> 'General Configuration' page.
- From JIRA 4.1.1, the following additional JSP pages have been disabled and are no longer available:
When using the Atlassian SDK, the correct JIRA version to reference is 184.108.40.206 (not 4.1.1). See the Atlassian Plugin SDK 3.1.2 Release Notes for details.
Upgrading from JIRA 4.1 to 4.1.1
Please follow the JIRA general upgrade instructions.