Redmine 4.2.1, 4.1.3 and 4.0.9 released (security fixes)
These 3 maintenance releases are available for download, you can review the changes in the Changelog.
Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another method to mitigate the critical risk is to update the Git version from the server to at least 2.22.0. You can get more details in Security Advisories.
Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard working on these security issues and to Go Maeda who made these releases possible.
Beside this, these new versions clarify and properly fix some inconsistent permissions for issue_edit
and add_issue_notes
. Before 3.3.0, users only with issue_edit
permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and the add_issue_notes
was explicitly required in the UI. 4.0.8 extended this behaviour to API and 4.0.9 to mail handler. Please check your roles settings if you have the incoming email configured.
Please note that 4.0.9 is the last release for 4.0 series, you should upgrade to Redmine 4.1 or 4.2 to get the future maintenance updates. Next major version is 5.0.0.
Comments
Added by Holger Just over 3 years ago
Thanks you to everyone who took part in this release!
As always when there are security fixes, we have updated the Redmine Security Scanner. If you haven’t already, feel free to subscribe your Redmine for regular scanning to get email updates whenever its security status changes.
Added by Hirofumi Kadoya over 3 years ago
thanks!
Added by Erik E over 3 years ago
Thanks to everyone involved!
Added by Vincent Robert over 3 years ago
Good work. Thank you!
Added by Fernando Hartmann over 3 years ago
Thanks !
Added by Anonymous over 3 years ago
Does CVE-2021-31863 affect private projects? If I understand correctly, the bug can only be exploited when a user (anonymous or authenticated) has access to a specific project (correct me if I'm wrong). If all projects are private, this would mean that the only users capable of executing the exploit are authenticated users, correct?
Added by DC Kumawat over 3 years ago
thanks for Released Redmine 4.2.1