What's Fixed in TeamForge 25.1?
TeamForge 25.1 addresses several security vulnerabilities and fixes the following issues.
General Fixes
- Fixed an issue where users with Document Admin permissions were unable to close document reviews unless they were also granted Project Admin access. Document Admins can now close reviews as expected.
- Fixed an issue where Project Home pages failed to load with a Page Not Found error after an SVN repository webhook was triggered. Project Home pages now load correctly after webhook execution.
Security Fixes
- Fixed an open redirection vulnerability that allowed user-controlled parameters to redirect users to external domains. This security improvement prevents potential phishing attacks by enforcing safe redirect validation.
- Strengthened password policy by increasing the minimum password length from 8 to 12 characters to improve protection against brute-force attacks and align with security best practices.
- Resolved an SSL certificate trust issue by updating the certificate chain to ensure proper validation and prevent potential man-in-the-middle vulnerabilities.
- Addressed security vulnerabilities by upgrading Oracle JRE and Tomcat to their latest supported versions.
- Fixed an Apache Tomcat authentication bypass vulnerability (CVE-2025-52520) that could allow denial of service attacks through maliciously large multipart uploads.
TeamForge SCM Fixes
- Fixed an issue where the `gerrit show-caches` command took an excessive amount of time to complete due to oversized H2 cache files. Cache compaction was optimized using the `h2.maxCompactTime` configuration, significantly reducing cache database sizes and improving overall cache processing performance.
- Fixed an issue where PDF files uploaded to SVN repositories were not rendered correctly in the TeamForge code browser UI, even when the `svn:mime-type` was set to `application/pdf`. PDF files in SVN repositories are now displayed properly, consistent with the behavior in Git repositories.
- Fixed an issue where users could not correctly select or retain Submit Type options for Git repositories in the repository settings page. The selected submit type is now saved and reflected properly after updating the settings, instead of reverting to the default value.
- Fixed an issue where an Invalid replicaId error was logged after deleting and re-adding a Git replica server. The replica configuration is now refreshed correctly during reprovisioning, preventing stale or null replica IDs from being used and eliminating the need to restart the Gerrit service to clear the error.
- Fixed an issue where the Gerrit Reviewers plugin failed to automatically assign default reviewers based on path filters. Path-based reviewer assignments now work correctly for Pull Request reviews.
- Fixed an issue where accessing files using relative paths in SVN repositories failed with a "Can't get entries of non-directory" error. Relative path handling now works correctly.
- Fixed a `SAXParseException` error that occurred during SOAP API calls to `RbacSoap.listClusterForDefaultAccessPermissions`, which caused repository refresh operations to fail.
- Fixed an issue where TeamForge FullSync failed with "Permission denied" errors when calling `RbacSoap.getRoleList` for certain projects. Role synchronization now works correctly across all projects.
Provisioning and System Fixes
- Fixed an issue where the `teamforge reinitialize` command failed on integration services with an `invalidParameter` error for `UseInternalCodeBrowser`. The deprecated parameter is now automatically removed during upgrade.