Redmine 4.2.9 and 5.0.4 released

Added by Marius BALTEANU 2 months ago

Redmine 4.2.9 and 5.0.4 have been released and are available for download. You can review the changes in the Changelog.

These new versions contain 4 important security fixes, including an access control issue introduced in Redmine 5.0 that allows an unauthenticated user to download all attachments associated with a WikiContentVersion, so upgrading as soon as possible is highly recommended. You can review the Security_Advisories for more information.

Many thanks to all contributors that worked on the fixes and to Robert Dick, Frans Rosén, Noriko Totsuka from JPCERT/CC, Shiga Takuma of BroadBand Security, Inc. and Holger Just for reporting the security issues!


Comments

Added by Holger Just 2 months ago

Thank you to all contributors that made this release possible and especially to you, Marius, for tackling this!

As always when there are security-related updates in a Redmine release, we have updated the Redmine Security Scanner to fully recognize the new versions. Feel free to subscribe for a regular scan to get email updates whenever the security status of your Redmine changes.

Added by Federico Vera 2 months ago

Thanks, guys! Congratulations on another job well done!