Documentation for JIRA 4.4. Documentation for other versions of JIRA is available too.
JIRA 4.1.1 fixes several security vulnerabilities in JIRA. Patches that fix these vulnerabilities in earlier versions of JIRA are also available. Please refer to the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004 for more information about these vulnerabilities and links to these patches.
Please be aware that these fixes have resulted in the following changes to JIRA's behaviour.
JIRA now recognises a new variable called jira.paths.set.allowed in the jira-application.properties file (located in your JIRA Installation Directory).
By default, the value of this variable is set to false, such that it appears as jira.paths.set.allowed=false in the jira-application.properties file.
JIRA's file path settings are secure when any of the following is true:
The jira.paths.set.allowed variable in jira-application.properties is set to false
The jira.paths.set.allowed variable in jira-application.properties is set to anything other than true or its value is left blank
The jira.paths.set.allowed property does not exist in jira-application.properties or it is 'commented-out'
and the following JIRA screens:
.../secure/admin/ViewAttachmentSettings.jspa (see Configuring File Attachments)
.../secure/admin/IndexActivate.jspa (see Search Indexing)
.../secure/admin/jira/ViewServices!default.jspa (see Automating JIRA Backups)
.../secure/admin/XmlRestore!default.jspa (see Restoring Data)
will display this message:
Changing the attachment, index, backup or restore settings is not allowed for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.set.allowed=true'. Restart JIRA and then the path settings will be able to be changed.
If you want to change the locations for storing file attachments, backups, etc, you will need to do the following:
Ensure that jira.paths.set.allowed=true has been set in the jira-application.properties file and restart JIRA.
Disable the jira.paths.set.allowed property in jira-application.properties using one of the methods above.
Upon setting the value of the jira.paths.set.allowed variable to true in jira-application.properties, this message is displayed in the screens above:
You have enabled the ability to change attachment, index, backup or restore path settings from within JIRA. Having this setting on can cause a known security risk. See http://jira.atlassian.com/browse/JRA-21004 for more details
To re-enable stronger security, edit jira-application.properties and explicitly set 'jira.paths.set.allowed=false'. Restart JIRA and then the path settings will be NOT able to be changed.
For security reasons, the list of JIRA administrators, which can be accessed via the 'Contact Administrators' link in the JIRA footer, will be blank unless jira.paths.set.allowed is set to true (which is not recommended; see above).
JIRA now recognises another new variable called jira.paths.safe.backup.path in the jira-application.properties file (located in your JIRA Installation Directory).
By default, this variable is present in the jira-application.properties file, but it is disabled ('commented-out') and its value is an example directory path value only. If you enable the jira.paths.safe.backup.path variable and set its value to a valid directory, the following screen in JIRA:
.../secure/admin/XmlBackup!default.jspa (see Backing Up Data for more information)
will display this message:
You have named a safe backup directory. Any arbitrary backups will be written to this directory.
Otherwise, this message is displayed:
You have not named a safe backup directory and hence you are not allowed to make backups for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.safe.backup.path=/to/some/safe/path'. Restart JIRA and then you will be able to make arbitrary backups. NOTE : If you are using Windows, you will need to use double \ characters, for example d:\\some\\safe\\path
Examples of valid directory paths used with this variable:
jira.paths.safe.backup.path=/some/safe/path
jira.paths.safe.backup.path=d:\\some\\safe\\path
JIRA's manual 'Backup Data to XML' feature will not be available unless the value of the jira.paths.safe.backup.path variable in jira-application.properties has been set to a valid path.
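As an added example (not Atlassian's code), the following Python sketch audits the text of jira-application.properties against the rules described above for jira.paths.set.allowed and jira.paths.safe.backup.path. The function names, the constructed sample file contents and the case-insensitive match on true are assumptions of this example, and it does not check that the backup directory exists.

```python
import re

def parse_properties(text):
    """Read key=value lines; lines starting with '#' or '!' are commented-out."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        # A backslash escapes the next character in a .properties file, so
        # d:\\some\\safe\\path is read as d:\some\safe\path (simplified:
        # \t, \n and \uXXXX escapes are not interpreted here).
        props[key.strip()] = re.sub(r"\\(.)", r"\1", value.strip())
    return props

def audit(text):
    """Apply the rules described above to the text of jira-application.properties."""
    props = parse_properties(text)
    # Secure unless the value is true; matching case-insensitively is a
    # conservative assumption of this example, not documented JIRA behaviour.
    allowed = props.get("jira.paths.set.allowed", "").lower() == "true"
    backup = props.get("jira.paths.safe.backup.path") or None
    notes = []
    if allowed:
        notes.append("path settings can be changed from within JIRA (see JRA-21004)")
    if backup is None:
        notes.append("no safe backup directory named: manual XML backup is disabled")
    return {"paths_locked": not allowed, "backup_path": backup, "notes": notes}

# Constructed sample files, not taken from a real installation.
LOCKED_SAMPLE = r"""
#jira.paths.set.allowed=true
jira.paths.safe.backup.path=d:\\some\\safe\\path
"""
OPEN_SAMPLE = r"""
jira.paths.set.allowed = true
#jira.paths.safe.backup.path=/to/some/safe/path
"""

if __name__ == "__main__":
    for name, sample in (("locked", LOCKED_SAMPLE), ("open", OPEN_SAMPLE)):
        print(name, audit(sample))
```

A Windows path written with single backslashes loses its separators when parsed, which is why the message above asks for double \ characters.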
For security reasons, the ability to preview the Announcement Banner has been disabled.
For security reasons, we no longer attach XML backups and logs to the emails generated by the Support Request page.
The main purpose of the JIRA 4.1.1 point release was to fix several security vulnerabilities in JIRA. (Patches to fix these vulnerabilities in earlier versions of JIRA can be obtained via the JIRA Security Advisory 2010-04-16 or JIRA issue JRA-21004.)
However, there are some differences in behaviour between JIRA 4.1.1 and the patches applied to earlier JIRA versions:
-> 'Global Settings' -> 'General Configuration' page) to another value prior to upgrading, it will be overridden and set to 5 upon upgrading to JIRA 4.1.1. Hence, to revert this option back to your previous setting, you will need to do this manually via the 'Global Settings' -> 'General Configuration' page.
When using the Atlassian SDK, the correct JIRA version to reference is 4.1.1.1 (not 4.1.1). See the Atlassian Plugin SDK 3.1.2 Release Notes for details.
Please follow the JIRA general upgrade instructions.
In addition to the above, please read the JIRA 4.1 Upgrade Guide and the Upgrade Guide for every version you are skipping during the upgrade. The complete list of Upgrade Guides is available here.