Redmine 6.0.7, 5.1.10 and 5.0.14 released
Maintenance releases 6.0.7, 5.1.10 and 5.0.14 are now available to Download, bringing a total of 16 bug fixes (Changelog).
Security fixes:
All versions contain the following security fixes:
- Defect #42998: Username and password stored in login form
- Defect #43083: Information disclosure in Two-Factor Authentication
- Defect #43161: When copying issues, all existing custom values are set to the new issue without sufficient validation
Starting with these versions, a new security measure has been implemented in #42998 to improve how Redmine handles sensitive information. The no-store cache header has been added to the following forms: login, lost password, change password, sudo pages, auth_source, user, repository and accounts#register.
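One way to confirm after upgrading that the sensitive forms are served with the no-store directive. This is an added example, not code from the Redmine project. The request paths, the sample response headers and the function names are assumptions made for illustration; replace the sample data with headers captured from your own instance.

```ruby
require "set"

# Parse one or more Cache-Control header values into a set of lowercase
# directive names ("no-store", "max-age", ...). Arguments such as the 0 in
# max-age=0 are dropped. Quoted arguments containing commas are not handled.
def cache_directives(values)
  Array(values).flat_map { |v| v.to_s.split(",") }
               .map { |d| d.split("=", 2).first.to_s.strip.downcase }
               .reject(&:empty?)
               .to_set
end

# Header names are case-insensitive, and a header may appear more than once.
def header_values(headers, name)
  headers.select { |k, _| k.to_s.casecmp?(name) }.values.flatten
end

# True when the response forbids browsers and proxies from storing the page.
def no_store?(headers)
  cache_directives(header_values(headers, "Cache-Control")).include?("no-store")
end

# Returns the paths whose response headers lack the no-store directive.
def pages_missing_no_store(responses)
  responses.reject { |_path, headers| no_store?(headers) }.keys
end

# Constructed sample data: path => response headers. The paths are assumed
# locations of some of the forms named above; the headers are invented to
# exercise the check and are not real Redmine output.
SAMPLE_RESPONSES = {
  "/login"                 => { "Cache-Control" => "no-store" },
  "/account/lost_password" => { "cache-control" => "max-age=0, private, must-revalidate" },
  "/account/register"      => { "Cache-Control" => ["private", "No-Store"] },
  "/my/password"           => { "Content-Type" => "text/html" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  pages_missing_no_store(SAMPLE_RESPONSES).each do |path|
    puts "missing no-store: #{path}"
  end
end
```

Pages behind authentication, such as change password or the sudo confirmation, have to be captured from a logged-in session.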
Thanks everyone for their contributions.
A Note on the End of Life for Redmine 5.0
With the upcoming release of Redmine 6.1.0 later today, we want to remind everyone that this will mark the end of life for the Redmine 5.0 series. If you are currently using a version in the 5.0 branch, we highly recommend you plan to upgrade soon to continue receiving updates and security patches.
Comments
Thanks for the releases! I noticed that the Docker images on DockerHub have not yet been updated for these versions. Could you please check and update them?
Thank you for the release and to all contributors who made this possible!
As always when there are security-related updates in a Redmine release, we have updated the Redmine Security Scanner to recognize the new versions and past vulnerabilities. Feel free to subscribe for a regular scan to get email updates whenever the security status of your Redmine changes.
As for the Docker images on DockerHub, please note that these images are not maintained by the Redmine team. Instead, they are maintained and updated by the Docker community without any connection to the Redmine project. Their "official image" designation thus merely indicates that the image is maintained by Docker, rather than a third party. It seems that there is already an open issue requesting an update in their repository.