Redmine 4.2.1, 4.1.3 and 4.0.9 released (security fixes)

Added by Marius BALTEANU 3 months ago

These 3 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another method to mitigate the critical risk is to update the Git version from the server to at least 2.22.0. You can get more details in Security Advisories.

Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard working on these security issues and to Go Maeda who made these releases possible.

Beside this, these new versions clarify and properly fix some inconsistent permissions for issue_edit and add_issue_notes. Before 3.3.0, users only with issue_edit permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and the add_issue_notes was explicitly required in the UI. 4.0.8 extended this behaviour to API and 4.0.9 to mail handler. Please check your roles settings if you have the incoming email configured.

Please note that 4.0.9 is the last release for 4.0 series, you should upgrade to Redmine 4.1 or 4.2 to get the future maintenance updates. Next major version is 5.0.0.


Comments

Added by Holger Just 3 months ago

Thanks you to everyone who took part in this release!

As always when there are security fixes, we have updated the Redmine Security Scanner. If you haven’t already, feel free to subscribe your Redmine for regular scanning to get email updates whenever its security status changes.

Added by Hirofumi Kadoya 3 months ago

thanks!

Added by Erik E 3 months ago

Thanks to everyone involved!

Added by Vincent Robert 3 months ago

Good work. Thank you!

Added by Fernando Hartmann 3 months ago

Thanks !

Added by Mantas S about 1 month ago

Does CVE-2021-31863 affect private projects? If I understand correctly, the bug can only be exploited when a user (anonymous or authenticated) has access to a specific project (correct me if I'm wrong). If all projects are private, this would mean that the only users capable of executing the exploit are authenticated users, correct?

Added by DC Kumawat about 1 month ago

thanks for Released Redmine 4.2.1