Bamboo 2.5.5 Upgrade Guide
A few changes to Bamboo's behavior have resulted as a consequence of some important fixes to security vulnerabilities in Bamboo 2.5.5. For more information about these security vulnerabilities and their fixes, please refer to the Bamboo Security Advisory 2010-05-04.
Setting File Paths in Bamboo
When modifying Bamboo's 'File Path' option on the Export or Import administration pages or the 'Backup Path' option on the Scheduled Backup page, you can only change the name of files associated with these options (not the the actual file path component itself). To change these file path components, you must explicitly run Bamboo with the following system property:
Please refer to Starting Bamboo for details on how to run Bamboo with system properties.
Brute Force Attack Prevention
By default, if you attempt to log in to Bamboo three times unsuccessfully, then for subsequent login attempts, Bamboo will require you recognize a distorted picture of a word and type that word into a text field. For more information, please refer to Using Captcha for failed logins.
HttpOnly Session ID Cookies
If you are running the Bamboo EAR-WAR distribution, then to minimize the risk of common XSS attacks, we strongly recommend that you configure the application server (Tomcat) running Bamboo to transmit session ID cookies using the HttpOnly flag. Please refer to Securing Bamboo with Tomcat using SSL for more information.
Upgrading from Bamboo 2.5.3 to 2.5.5
Please follow the Bamboo upgrade guide.
No additional upgrade tasks are required to upgrade from Bamboo 2.5.3 to 2.5.5.
Upgrading from Bamboo 2.4.x or earlier
In addition to the above, please read the Bamboo 2.5 Upgrade Guide and the Upgrade Guide for every version you are skipping during the upgrade.