Security Vulnerability Patch in YouTrack 6.5.17031

Please welcome a fresh YouTrack 6.5.17031 update. This minor release is very important because it contains a fix for a recently discovered XML External Entity (XXE) vulnerability. It affects the XML-based REST API, such as the user import or command intellisense API. This attack may lead to the disclosure of confidential data, denial of service, or port scanning from the perspective of the YouTrack host machine. This OWASP article explains the vulnerability in detail.

We strongly recommend that all our stand-alone customers upgrade to the latest YouTrack 6.5.17031 build. If you’re using an older YouTrack version, please consider setting the following Java start parameters to mitigate the attack:

-Djavax.xml.accessExternalDTD=

-Djavax.xml.accessExternalSchema=

-Djavax.xml.accessExternalStylesheet=

Please note that the parameter values are intentionally left blank. Please refer to the documentation if you are unsure how to set them.
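
To check on a test machine what the blank value does, the following added example (not YouTrack code) parses a constructed document with javax.xml.accessExternalDTD set to "all" and then to the empty string. It assumes the JDK's built-in JAXP parser on Java 8 or later; the class name, temp file and sample document are made up for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

// Hypothetical helper class, written for this illustration only.
public class AccessExternalDtdCheck {
    // Parses xml with javax.xml.accessExternalDTD set to `allowed` and returns
    // the root element's text, or the parser's error message if it refuses.
    static String parseWith(String allowed, String xml) throws Exception {
        // Same effect as -Djavax.xml.accessExternalDTD=<allowed> on the command line;
        // the JDK parser reads the property when the factory is created.
        System.setProperty("javax.xml.accessExternalDTD", allowed);
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        try {
            return "parsed: " + factory.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                    .getDocumentElement().getTextContent();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file standing in for data on the host.
        Path local = Files.createTempFile("xxe-check", ".txt");
        Files.write(local, "LOCAL-FILE-CONTENT".getBytes(StandardCharsets.UTF_8));
        // Constructed test document whose external entity points at that temp file.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + local.toUri() + "\">]>\n"
                + "<r>&ext;</r>";
        try {
            // "all" permits every protocol, so the entity is resolved and expanded.
            System.out.println("value \"all\": " + parseWith("all", xml));
            // The blank value permits no protocol, so the parser rejects the document.
            System.out.println("value \"\":    " + parseWith("", xml));
        } finally {
            Files.delete(local);
        }
    }
}
```

The other two parameters apply the same protocol restriction to external schema locations and to stylesheet imports and includes, which this check does not exercise.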

All the InCloud servers are already upgraded to the latest build.

For more details about the changes made in this build, please check the Release Notes.

The Drive to Develop

– YouTrack JetBrains Team