Redmine 0.8.7 security release

Added by Jean-Philippe Lang about 10 years ago

This release adds protection against potential CSRF attacks.

Migration is done as usual but you need to generate a secret before restarting the application.
From your Redmine directory, simply run the following command once:

rake config/initializers/session_store.rb

This release fixes a few bugs as well.
Download 0.8.7.

If you are not able to upgrade to 0.8.7 but want a fix for this security issue, you can install the following plugin from Eric Davis:
http://github.com/edavis10/redmine_security_4216 (Redmine 0.8.x required)


Comments

Added by Jean-Philippe Lang almost 10 years ago

Trunk was fixed as well in r3051.

Added by Eric Davis almost 10 years ago

I wanted to give credit to p0deje for disclosing this problem to the maintainers through the proper channels. If anyone notices a potential security issue, please report it to us via email at: security AT redmine DOT org.

Added by Henrik Ammer almost 10 years ago

I want to give credit to the developers. Having been a Trac user, where almost nothing happens when you add a ticket, to come to this product with great developers eager to fix bugs and add new features constantly is such a difference.

Keep up your really great work, people!

Added by Rodrigo Mesquita almost 10 years ago

Good work, people!

Added by Bionexo do Brasil Ltda. almost 10 years ago

We're totally happy with this solution. Redmine simplifies our work and control, and works fine with our Scrum process.

Thanks a lot for all!

Added by ulf spaeth almost 9 years ago

I am not able to update with the patch.