Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.

Upgrade Notes

JIRA 4.1.1 fixes several security vulnerabilities in JIRA. Patches that fix these vulnerabilities in earlier versions of JIRA are also available. Please refer to the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004 for more information about these vulnerabilities and links to these patches.

Please be aware that these fixes have resulted in the following changes to JIRA's behaviour.

Setting File Paths via the Administration User Interface

JIRA now recognises a new variable called jira.paths.set.allowed in the jira-application.properties file (located in your JIRA Installation Directory).

By default, the value of this variable is set to false, such that it appears as jira.paths.set.allowed=false in the jira-application.properties file.

JIRA's file path settings are secure when any of the following is true:

  • the jira.paths.set.allowed variable in jira-application.properties is set to false
  • the jira.paths.set.allowed variable in jira-application.properties is set to anything other than true or its value is left blank
  • the jira.paths.set.allowed property does not exist in jira-application.properties or it is 'commented-out'

In any of these cases, the following JIRA screens:

.../secure/admin/ViewAttachmentSettings.jspa (see Configuring File Attachments)
.../secure/admin/IndexActivate.jspa (see Search Indexing)
.../secure/admin/jira/ViewServices!default.jspa (see Automating JIRA Backups)
.../secure/admin/XmlRestore!default.jspa (see Restoring Data)

will display this message:

Changing the attachment, index, backup or restore settings is not allowed for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.set.allowed=true'. Restart JIRA and then the path settings will be able to be changed.

Changing JIRA's File Path Settings

If you want to change the locations for storing file attachments, backups, etc, you will need to do the following:

  1. Shut down JIRA.
  2. Ensure jira.paths.set.allowed=true has been set in the jira-application.properties file and restart JIRA.
  3. Perform your location changes and shut down JIRA.
  4. Secure JIRA's file path settings again by disabling the jira.paths.set.allowed property in jira-application.properties using one of the methods above.
    Note: Although this step is optional, it is strongly recommended as it will minimise the risk of attack to your JIRA instance.
  5. Restart JIRA.

When the value of the jira.paths.set.allowed variable is set to true in jira-application.properties, this message is displayed in the screens above:

You have enabled the ability to change attachment, index, backup or restore path settings from within JIRA. Having this setting on can cause a known security risk. See http://jira.atlassian.com/browse/JRA-21004 for more details
To re-enable stronger security, edit jira-application.properties and explicitly set 'jira.paths.set.allowed=false'. Restart JIRA and then the path settings will be NOT able to be changed.

For security reasons, the list of JIRA administrators, which can be accessed via the 'Contact Administrators' link in the JIRA footer, will be blank unless jira.paths.set.allowed is set to true (which is not recommended — see above).

Backing Up Data to XML

JIRA now recognises another new variable called jira.paths.safe.backup.path in the jira-application.properties file (located in your JIRA Installation Directory).

By default, this variable is present in the jira-application.properties file, but it is disabled ('commented-out') and its value is an example directory path value only. If you enable the jira.paths.safe.backup.path variable and set its value to a valid directory, the following screen in JIRA:

.../secure/admin/XmlBackup!default.jspa (see Backing Up Data for more information)

will display this message:

You have named a safe backup directory. Any arbitrary backups will be written to this directory.

Otherwise, this message is displayed:

You have not named a safe backup directory and hence you are not allowed to make backups for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.safe.backup.path=/to/some/safe/path'. Restart JIRA and then you will be able to make arbitrary backups. NOTE : If you are using Windows, you will need to use double \ characters, for example

d:\\some\\safe\\path

Examples of valid directory paths used with this variable:

  • UNIX-based systems (e.g. Linux or Mac OS X)
    jira.paths.safe.backup.path=/some/safe/path
  • Windows systems
    jira.paths.safe.backup.path=d:\\some\\safe\\path

JIRA's manual 'Backup Data to XML' feature will not be available unless the value of the jira.paths.safe.backup.path variable in jira-application.properties has been set to a valid path.
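
The following is an added example, not Atlassian's code: a Python check that reads the text of jira-application.properties and reports whether the path settings are locked and which safe backup path is in effect, following the rules described on this page. The sample file content is constructed; the case-insensitive comparison of the value and the simplified parser (no line continuations or unicode escapes) are assumptions.

```python
import re

# Constructed sample of jira-application.properties content (not from a real install).
SAMPLE = r"""
# jira.paths.set.allowed=true
jira.paths.set.allowed = false
jira.paths.safe.backup.path=d:\\some\\safe\\path
"""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(value):
    """Apply Java .properties backslash rules (unicode escapes are not handled)."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), value)

def load_properties(text):
    """Parse key=value / key:value lines; lines starting with '#' or '!' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank or commented-out: the property does not exist
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = unescape(m.group(2))  # a later definition wins
    return props

def audit(text):
    """Return (paths_locked, backup_path) for the two properties on this page."""
    props = load_properties(text)
    # Assumption: trimmed and compared case-insensitively, so borderline
    # values such as 'TRUE' are reported as unlocked rather than missed.
    allowed = props.get("jira.paths.set.allowed", "").strip().lower() == "true"
    backup = props.get("jira.paths.safe.backup.path", "").strip() or None
    return (not allowed, backup)

if __name__ == "__main__":
    locked, backup = audit(SAMPLE)
    print("path settings locked:", locked)
    print("safe backup path:", backup or "not set (XML backup unavailable)")
```

Passing a Windows path written with single backslashes shows why the doubled form is required: the properties parser consumes each lone backslash, so d:\some\safe\path is read as d:somesafepath.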

Announcement Banner

For security reasons, the ability to preview the Announcement Banner has been disabled.

Data for Support Requests

For security reasons, we no longer attach XML backups and logs to the emails generated by the Support Request page.

Differences between JIRA 4.1.1 and the Security Patches for Earlier JIRA Versions

The main purpose of the JIRA 4.1.1 point release was to fix several security vulnerabilities in JIRA. (Patches to fix these vulnerabilities in earlier versions of JIRA can be obtained via the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004.)

However, there are some differences in behaviour between JIRA 4.1.1 and the patches applied to earlier JIRA versions:

  • Upon upgrading to or initially installing JIRA 4.1.1, Captcha will automatically be activated after five failed login attempts.

    Note: If you had set the Maximum Authentication Attempts Allowed option (via the 'Administration' -> 'Global Settings' -> 'General Configuration' page) to another value prior to upgrading, it will be overridden and set to 5 upon upgrading to JIRA 4.1.1. Hence, to revert this option back to your previous setting, you will need to do this manually via the 'Global Settings' -> 'General Configuration' page.
  • From JIRA 4.1.1, the following additional JSP pages have been disabled and are no longer available:
    • .../secure/admin/cacheViewer.jsp
    • .../secure/admin/editworklog.jsp
    • .../secure/admin/manageyourkitprofiling.jsp
    • .../secure/admin/plugin-bundles.jsp
    • .../secure/admin/workflow-debug.jsp

Developers Note

When using the Atlassian SDK, the correct JIRA version to reference is 4.1.1.1 (not 4.1.1). See the Atlassian Plugin SDK 3.1.2 Release Notes for details.

Upgrading from JIRA 4.1 to 4.1.1

Please follow the JIRA general upgrade instructions.

Upgrading from JIRA 4.0.x and Earlier

In addition to the above, please read the JIRA 4.1 Upgrade Guide and the Upgrade Guide for every version you are skipping during the upgrade. The complete list of Upgrade Guides is available here.
