Redmine

These 3 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another method to mitigate the critical risk is to update the Git version from the server to at least 2.22.0. You can get more details in Security Advisories.

Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard working on these security issues and to Go Maeda who made these releases possible.

Beside this, these new versions clarify and properly fix some inconsistent permissions for issue_edit and add_issue_notes. Before 3.3.0, users only with issue_edit permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and the add_issue_notes was explicitly required in the UI. 4.0.8 extended this behaviour to API and 4.0.9 to mail handler. Please check your roles settings if you have the incoming email configured.

Please note that 4.0.9 is the last release for 4.0 series, you should upgrade to Redmine 4.1 or 4.2 to get the future maintenance updates. Next major version is 5.0.0.