
Redmine 6.1.2, 6.0.9 and 5.1.12 released

Added by Marius BĂLTEANU 1 day ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available in the Download section. These releases address multiple security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.2, 6.0.9, and 5.1.12) include the following security fixes:
  • Defect #43661: Unsafe eval usage in AttachmentsHelper
  • Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
  • Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
  • Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
  • Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
  • Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
  • Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).
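As an illustration of the defect class behind #43692 (an added example, not Redmine's code or its actual fix): an LDAP search filter built from a user-supplied login, with the unescaped construction beside one that applies RFC 4515 value escaping. The helper names and the sample login are assumptions.

```ruby
# Added example (not Redmine's code): escaping user-supplied values before
# interpolating them into an LDAP search filter (RFC 4515, section 3).
# Characters with a special meaning inside a filter assertion value are
# replaced by a backslash followed by their two-digit hex code.
LDAP_FILTER_ESCAPES = {
  "\\" => "\\5c",
  "*"  => "\\2a",
  "("  => "\\28",
  ")"  => "\\29",
  "\0" => "\\00"
}.freeze

# Escape a single assertion value for use inside an LDAP filter.
def ldap_escape(value)
  value.to_s.gsub(/[\\*()\0]/) { |ch| LDAP_FILTER_ESCAPES[ch] }
end

# Unsafe construction: the login is interpolated verbatim, so any filter
# metacharacters it contains change the structure of the filter itself.
def unsafe_login_filter(attr, login)
  "(#{attr}=#{login})"
end

# Hardened construction: the same filter, with the login escaped first.
# The attribute name must come from configuration, never from the user.
def safe_login_filter(attr, login)
  "(#{attr}=#{ldap_escape(login)})"
end

if __FILE__ == $0
  login = "*)(uid=*"   # constructed sample input containing metacharacters
  puts unsafe_login_filter("uid", login)  # (uid=*)(uid=*)
  puts safe_login_filter("uid", login)    # (uid=\2a\29\28uid=\2a)
end
```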

Maintenance Improvements

Redmine 6.1.2 includes a significant number of maintenance fixes (30 in total). Highlights include:
  • A new series of fixes for RTL languages
  • SVG Icons: Theme developers can now override the default icons sprite; see #43087 for details
  • The recent_pages macro now supports the include_subprojects parameter

Download and Changelog
You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Sho Odagiri and kaminuma).
