Currently we are using JIRA 3.13. This version has many vulnerabilities like XSS, CSRF, XFS, improper session management, no strong password policy, no account lockout feature, etc.
Could anyone please let me know which JIRA version eliminates all these vulnerabilities, and the steps required for migration?
Basically, the security advice is usually "use the latest version". At the very least, you need to be on 5.1 or above to avoid a lot of the problems. Read https://confluence.atlassian.com/display/JIRA/Upgrading+JIRA and then I'd highly recommend reading every minor release note thereafter - 4.0, 4.1, 4.2 etc. (don't worry too much about the point releases).
The password/lockout stuff can be fixed by using external user management :-) BUT, you'll need to do that in any version :-(
Thanks Nic Brough for clarifying the query and sharing valuable information. This link helps me with how to proceed with upgrading JIRA. I need a small clarification on the upgrading process.
While upgrading, will all the customized workflows in the current JIRA be copied to the new JIRA by restoring the backup XML of the old JIRA, or do we need to recreate the workflows in the new JIRA?
The database contains everything - the only things that live outside the database are code changes, some small bits of configuration you can't do inside the application and your attachments. A slightly different way to think of it - if you can change it in the UI, it'll be upgraded.
I have installed the latest JIRA version 6.1.7 and observed that the CSRF and XSS vulnerabilities are closed, but a few vulnerabilities are still observed, like a cross-frame scripting (XFS) attack, vulnerable input validation and SQL injection. It was recommended to enforce strong input validation and output encoding throughout the application, but the product allows all special characters, including the blacklisted characters. Please suggest how to fix this.
Also, how do we restrict uploads to only specific file types? This product allows all file types to be uploaded, i.e. any exe/double-extension files (.bat.jpeg, .html, .dll, etc.) with malicious content. Please suggest.
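The thread does not answer the file-type question, so here is an added example (not code from the thread, and not an Atlassian or JIRA feature or API) of the kind of attachment allowlist check an upload handler or a reverse proxy placed in front of the application can apply. It enforces three things the post asks for: the filename must have exactly one extension, that extension must be on a short allowlist, and the leading bytes of the content must match the signature expected for the extension, so a .bat renamed to .jpeg, a "report.pdf" that is really an HTML page, or a .html/.dll upload is refused. The allowlist, function names and the sample files are assumptions chosen for illustration; the language is Python for readability rather than the product's own Java.

```python
"""Added example, not from the original thread and not Atlassian code:
a generic attachment allowlist check with extension + magic-byte
validation. All names, the allowlist and the sample inputs are
assumptions for illustration."""
import re

# Allowlist: extension -> acceptable leading byte sequences (file signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "zip": (b"PK\x03\x04",),
}
# Plain-text formats have no fixed signature and get a content check instead.
TEXT_ONLY = {"txt", "csv", "log"}

# One run of safe characters, one dot, one short extension, nothing else:
# "calc.bat.jpeg", ".htaccess", "x/y.png" and "report.pdf " all fail to match.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_\-]{1,100}\.([A-Za-z0-9]{1,5})$")


def looks_like_markup(head: bytes) -> bool:
    """True when 'text' is really HTML/XML/script (browser sniffing bait)."""
    lowered = head.lstrip().lower()
    return lowered.startswith((b"<", b"\xef\xbb\xbf<")) or b"<script" in lowered


def check_attachment(filename: str, content: bytes):
    """Return (accepted, reason). Only the first KB of content is inspected."""
    match = SAFE_NAME.match(filename)
    if not match:
        return False, "filename rejected (bad characters or multiple extensions)"
    ext = match.group(1).lower()
    head = content[:1024]
    if ext in MAGIC:
        # Extension alone is not trusted: the bytes must carry the signature.
        if not any(head.startswith(sig) for sig in MAGIC[ext]):
            return False, f"content does not match the .{ext} signature"
        return True, "ok"
    if ext in TEXT_ONLY:
        if b"\x00" in head:
            return False, "binary content in a text attachment"
        if looks_like_markup(head):
            return False, "markup or script in a text attachment"
        try:
            head.decode("utf-8")
        except UnicodeDecodeError:
            return False, "text attachment is not UTF-8"
        return True, "ok"
    return False, f"extension .{ext} not on the allowlist"


# Constructed sample uploads (not real attachments) covering the cases in the post.
SAMPLES = {
    "photo.jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # genuine JPEG header
    "calc.bat.jpeg": b"\xff\xd8\xff\xe0",                  # double extension
    "notes.jpeg": b"@echo off\r\ndel /q *.*",              # batch script renamed
    "page.html": b"<html><script>alert(1)</script>",       # HTML upload
    "readme.txt": b"<script>alert(1)</script>",            # markup hidden in text
    "report.pdf": b"%PDF-1.7\n",                           # genuine PDF header
    "tool.dll": b"MZ\x90\x00",                             # native binary
}


def audit(samples=SAMPLES):
    """Run the check over every sample and return {name: (accepted, reason)}."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in audit().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {reason}")
```

Only photo.jpeg and report.pdf pass; the other five are refused for the reason printed. Where this check runs (in the proxy or in a plugin) is a deployment choice outside the thread; whatever the location, validate the stored bytes rather than the client-supplied Content-Type header, which the uploader controls.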