Redmine 3.3.10 release (incl. security fix) (1 comment)
A critical security vulnerability has been discovered in Redmine 3.3.x and all prior releases. This vulnerability could be used to read sensitive data from the database. Although the 3.3.x branch was no longer maintained, Redmine 3.3.10 was released today in order to fix this vulnerability. If you are using Redmine <= 3.3.9, you should upgrade as soon as possible (download).
Thank you to Holger Just from www.plan.io for reporting this vulnerability.
Redmine 3.4.x and 4.0.x are not affected by this vulnerability.
Redmine 4.0.5 and 3.4.12 released (6 comments)
Security: these 2 releases include an upgrade to the latest ruby-openid gem that fixes a security vulnerability (see #32294 for more details). Users who have openid authentication activated on their Redmine instance should upgrade as soon as possible.
Thanks to all the contributors who worked on these releases.
Security: these 2 releases include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf of Planio. People who use Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable.
Redmine 4.0.3 and 3.4.10 released (5 comments)
Security: several vulnerabilities have been discovered in Ruby on Rails 4 and 5 (see announcement). These 2 releases include an update to the latest Ruby on Rails versions 188.8.131.52 (for Redmine 4.0.3) and Rails 184.108.40.206 (for Redmine 3.4.10) which fix these security issues. Upgrading is highly recommended.
Redmine 4.0.2 and 3.4.9 released (4 comments)
Redmine 4.0.1 and 3.4.8 released (6 comments)
Happy New Year 2019!
Redmine 4.0.0, 3.4.7 and 3.3.9 released (18 comments)
- a major change to email notifications: each user now receives their own notification email, whereas previous versions sent a single email to all the notified users
- many improvements to text formatting
- the replacement of Coderay by Rouge to support more languages for code highlighting
Email delivery now relies on Rails ActiveJob. Emails are sent asynchronously by default, but you should consider configuring a persistent backend for ActiveJob since the default uses an in-memory queue that is not well suited for production environments:
Redmine 4.0.0 uses Rails 5.2.2, the latest Rails version released a few days ago.
Redmine 3.4.7 and 3.3.9 are maintenance releases for 3.4.x and 3.3.x users. You can review the details in the Changelog. They both include an upgrade to Rails 4.2.11 that fixed 2 Rails vulnerabilities. Although these vulnerabilities do not affect Redmine 3.x, you should upgrade if possible.
Redmine 3.4.6 and 3.3.8 released (1 comment)
Redmine 3.4.5 and 3.3.7 released (2 comments)
Thanks to all the contributors who worked on these releases!
Redmine 3.4.4, 3.3.6 and 3.2.9 released (5 comments)
Security: All of these releases include a fix for a remote command execution vulnerability in the Mercurial adapter. Thanks to Yuya Nishihara who reported this issue to the Redmine team. If you are using Mercurial repositories with Redmine, you should update to one of these releases as soon as possible.