Project

General

Profile

Redmine 6.1.3, 6.0.10 and 5.1.13 released

Added by Marius BĂLTEANU 22 days ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address multiple security vulnerabilities along with various bug fixes and improvements.

Security Fixes:
All three versions (6.1.3, 6.0.10, and 5.1.13) include the following security fixes:
  • Defect #43951: Bulk attachment download bypasses View files permission for project/version attachments
  • Defect #44109: PreAuth leak name of private Projects
  • Defect #44118: Any project member with add_issue_notes permission can add notes to private issues they cannot view, via the MailHandler reply dispatch
  • Defect #44138: Stored XSS in Textile formatter due to restore_redmine_links
  • Defect #44145: PostScript execution in Redmine::Thumbnail.generate via %% DSC-comment prefix
  • Defect #44146: Time-entry API hidden custom-field leak
Versions 6.1.3 and 6.0.10 also include:
  • Patch #43986: Improve the config.filter_parameters setting
Version 6.1.3 also includes:
  • Defect #44174: OAuth scope enforcement bypass in user account

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the vulnerabilities and to Holger Just, Jens Krämer, and to Go MAEDA for their continuous work on these security issues.


Comments

Added by Holger Just 22 days ago

Thanks to all contributors for helping to improve Redmine's security!

As always, Planio has updated the Redmine Security Scanner with these new versions. You can subscribe for a regular scan to get an email update whenever the security status of your Redmine changes.

Added by Massimo Rossello 8 days ago

what happened to 7.0.0?

Added by Marius BĂLTEANU 8 days ago

It will be released very soon.

Added by Marc-Antoine MARTY 7 days ago

Hi,
Would it be possible to publish version 5.1.13 on Docker Hub?
Thanks in advance for your help.
Marc

Added by Alex Chernyakevich 7 days ago

Hello, Marc.

https://hub.docker.com/_/redmine is the Official Images on Docker Hub. It looks like 5.1.x is not supported there any more.

But you could search for "unofficial" images.

I hope it helped.

With best regards and wishes,
Alex.