Redmine 3.3.10 release (incl. security fix)
A critical security vulnerability has been discovered in Redmine 3.3.x and all prior releases. This vulnerability could be used to read sensitive data from the database. Although the 3.3.x branch was no longer maintained, Redmine 3.3.10 was released today in order to fix this vulnerability. If you are using Redmine <= 3.3.9, you should upgrade as soon as possible (download).
Thank you to Holger Just from www.plan.io for reporting this vulnerability.
Redmine 3.4.x and 4.0.x are not affected by this vulnerability.
Comments
Added by Holger Just almost 5 years ago
Thank you for releasing this update, Jean-Philippe!
As always when there are security updates for Redmine, we have updated the Redmine Security Scanner. Redmine admins who have subscribed to the notification service previously should already have received an update email today.