Redmine 6.1.1, 6.0.8 and 5.1.11 released

Added by Marius BĂLTEANU 2 days ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available for download. These releases address three security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.1, 6.0.8, and 5.1.11) include the following security fixes:
  • Defect #43451: PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation
  • Defect #43634: Authorization bypass in Redmine allows modification of attachment metadata on invisible issues
  • Defect #43635: Authorization bypass in Redmine allows deletion of attachment on invisible issues

Maintenance Improvements

Redmine 6.1.1 includes a significant number of maintenance fixes (34 in total), with a particular focus on the user interface:
  • RTL Support: Numerous fixes for RTL layouts, including corrected positioning for reaction buttons, copy buttons, and avatars.
  • Text Formatting: Improvements to CommonMark alerts, including localized titles (note, tip, warning, etc.), a new CJK-friendly emphasis extension, and automatic list marker support for task list items (#43234, #43379, #43265).
  • SVG Icons: Continued refinement of the new SVG icon system and visual consistency.

Download and Changelog

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Elweth from YesWeHack and Abor).

Happy New Year!


Comments

Added by Holger Just 1 day ago

Thanks to all contributors for your hard work and to Marius for the updates!

We have just updated the Redmine Security Scanner with these new versions. Feel free to subscribe for a regular scan to get email updates whenever the security status of your Redmine changes.