Redmine 0.8.7 security release

Added by Jean-Philippe Lang almost 8 years ago

This release adds protection against potential CSRF attacks.

Migration is done as usual, but you need to generate a secret before restarting the application.
From your Redmine directory, simply run the following command once:

rake config/initializers/session_store.rb

This release fixes a few bugs as well.
Download 0.8.7.

If you are not able to upgrade to 0.8.7 but want a fix for this security issue, you can install the following plugin from Eric Davis:
http://github.com/edavis10/redmine_security_4216 (Redmine 0.8.x required)


Comments

Added by Jean-Philippe Lang almost 8 years ago

Trunk was fixed as well in r3051.

Added by Eric Davis almost 8 years ago

I wanted to give credit to p0deje for disclosing this problem to the maintainers through the proper channels. If anyone notices a potential security issue, please report it to us via email at: security AT redmine DOT org.

Added by Henrik Ammer almost 8 years ago

I want to give credit to the developers. Having been a Trac user, where almost nothing happens when you add a ticket, to come to this product with great developers eager to fix bugs and add new features constantly is such a difference.

Keep up your really great work, people!

Added by Rodrigo Mesquita almost 8 years ago

Good work, people!

Added by Bionexo do Brasil Ltda. almost 8 years ago

We're totally happy with this solution. Redmine simplifies our work and control, and works fine with our Scrum process.

Thanks a lot for all!

Added by ulf spaeth almost 7 years ago

I am not able to update with the patch.