Redmine 3.4.3, 3.3.5 and 3.2.8 released

Added by Jean-Philippe Lang about 1 month ago

These 3 new maintenance releases are available for download.
You can review the changes in the Changelog.

Security: All of these releases include a fix for multiple XSS vulnerabilities. Thanks to Andi Fink and Holger Just who reported them to the Redmine team.


Comments

Added by Mischa The Evil about 1 month ago

Thanks to all who were involved in preparing these releases...

As a side note to this release news the following:

It has come to our attention that the 3.1.6 release didn't include the fixes for the security issues (which were not related to the XSS vulnerabilities fixed in the latest [3.4.3, 3.3.5 and 3.2.8] releases) due to the fact that the related revisions were accidentally not merged into the 3.1-stable branch. This means that Redmine versions 3.1.6 and 3.1.7 remain susceptible to 'persistent XSS vulnerabilities in text formatting (Textile and Markdown) and the project homepage'.

This only affects the 3.1.6 and subsequent 3.1.7 releases; 3.2.3 and any subsequent releases did include the fixes as they were supposed to.
Since the 3.1-stable branch has been EOL'd for a while now and later vulnerabilities have been found and not fixed in this branch, it has been decided not to push another 3.1.x release.

It is advised to upgrade any 3.1.x (or earlier) instance to a safe and supported Redmine release ASAP. The currently supported release-branches are 3.2-stable (3.2.8), 3.3-stable (3.3.5) and the latest 3.4-stable (3.4.3).