Redmine

These 3 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another method to mitigate the critical risk is to update the Git version from the server to at least 2.22.0. You can get more details in Security Advisories.

Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard working on these security issues and to Go Maeda who made these releases possible.

Beside this, these new versions clarify and properly fix some inconsistent permissions for issue_edit and add_issue_notes. Before 3.3.0, users only with issue_edit permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and the add_issue_notes was explicitly required in the UI. 4.0.8 extended this behaviour to API and 4.0.9 to mail handler. Please check your roles settings if you have the incoming email configured.

Please note that 4.0.9 is the last release for 4.0 series, you should upgrade to Redmine 4.1 or 4.2 to get the future maintenance updates. Next major version is 5.0.0.

I am very happy to announce that Redmine 4.2.0 is now available for download. This new version brings more than 190 changes including some long awaited features.

Here are the highlights:

• You can now enable two-factor authentication as an extra security layer for your account (#1237 by Felix Schäfer).
• Admins can now configure which email domains are allowed or not for user accounts (#3369 by Yuichi HARADA).
• User accounts can now be imported from CSV (#33102 by Takenori TAKAKI).

• Notify users about high issues (only) (#32628 by Jan Schulz-Hofen): This new option from My account allows users to receive email notifications for issues that have a high priority even if they're not assigned to or watching it.

• Bulk addition of related issues (#33418 by Dmitry Makurin): You can now add multiple related issues by providing a list of comma separated issue ids or by selecting them from the autocomplete.
• Query links for subtasks on issue page (#28471 by Bernhard Rohloff): The list of subtasks from the issue page contains now the total number of subtasks (open/closed) with links to issues page.

• Show warning and the reason when the issue cannot be closed because of open subtasks or blocking open issue(s) (#31589): by showing the reason, users will be less confused.

• Groups can be added as watchers for issues (#4511 by Yuichi HARADA).
• Forum threads can now be watched (#3390 by Yuichi HARADA).
• Watchers that are not going to receive a notification because they watch a non visible object (for ex: issue) are now marked in the UI as invalid (#33329).

• New toolbar button to insert a table (#1575 by Mizuki ISHIKAWA and Hiroyuki ENDO).

• Wiki table column sorting (#1718 by Takenori TAKAKI).
• Languages in Highlighted code button in toolbar are now customizable by each user (#32528 by Mizuki ISHIKAWA).

• Switch between Edit/Preview tabs using ⌘/Ctrl + Shift + P (#30459).
• Bold, italic and underline text using ⌘/Ctrl + b, ⌘/Ctrl + i and ⌘/Ctrl + u (#34549).
• Submit a form using Ctrl+Enter / Command+Return (#29473 by Mizuki ISHIKAWA).

Activity improvements:
UI options to filter activities by date (#1422 by Mizuki ISHIKAWA) or by user (#33602 by Mizuki ISHIKAWA). Slight design improvements (#33692 by Mizuki ISHIKAWA).

• Download all attachments at once (#7056 by Mizuki ISHIKAWA).
• Auto complete wiki page links (#33820 by Mizuki ISHIKAWA): use "[[" to trigger the inline autocomplete.

• Auto-select fields mapping in Importing (#22913 by Haihan Ji, Yuichi HARADA).
• Fields with validation errors are now highlighted (#32764).

And don't forget to check the many other improvements brought by this new release in the Changelog.
Many thanks to Go MAEDA, Bernhard Rohloff and all the contributors who made this release happen!

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a permission bypass in Issues API and a fix for private project name that can be leaked in issue journal details, so upgrading as soon as possible is recommended.
You can get more details in Security Advisories.

Thanks to all the contributors who worked on these releases.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a persistent XSS vulnerability in Textile formatting, so upgrading as soon as possible is recommanded.
You can get more details in Security Advisories.

Many thanks to Nakayama Daisuke, Maik Stegemann and Mizuki Ishikawa for reporting these issues to the Redmine security team!

Please note that Redmine 3.x has reached end of life, is not supported any longer and is (as well) vulnerable to these security issues. You should upgrade to Redmine 4 to get security updates.

I am happy to announce that Redmine 4.1.0 has been released. You can review the details for the 250 changes that are part of this new feature release.

Here is an overview of the main improvements among all theses changes:

New permissions:

• Edit own issues (#1248 contributed by Yuichi HARADA): you can allow users with specific roles to edit the issues they created only.
• Log time for another user (#3848 contributed by Marius BALTEANU): you can allow some roles to log time for other project members.

• Grouping by date : start, due, creation, update, closing dates (#13803)
• Issue filtering by spent time (#26826)
• "starts with" and "ends with" filter operators for string values (#31879)

Issue history tabs (#3058 contributed by Marius BALTEANU)

You can now choose to display different details in the issue history using tabs: all changes, comments, spent time or commits.

Allow pasting screenshots from clipboard (#3816 contributed by Takenori TAKAKI)

You can now paste image data from your clipboard when editing formatted text, eg. using CTRL+V. That will automatically upload the image as an attachment and append the appriorate tag in the text in order to display the image inline. No more need to save your screenshot as a file before uploading it to Redmine.
Note that you can also drag and drop an image file into the textarea to get the same result.

Query system for Projects page (#29482 contributed by Marius BALTEANU)

The project list now supports filtering and an alternate table display similar to the issue list, with grouping and columns selection. Queries on the project list can also be saved in the same way.

Bookmarks and recently used projects in the project jump box (#31355 contributed by Jens Krämer)

This is a nice improvement for users who belong to many projects. You can now choose your favorite projects that will be displayed at the top of the project selection dropdown. This can be done by using the "Bookmark" link on a project overview. The dropdown will also display the projects you recently visited at the top of the list.

Custom fields visibility (#23997, #31859, #31925 contributed by Jens Krämer and Marius BALTEANU)

Just like issue custom fields, you can restrict the visibility of projects, versions and spent time custom fields by roles

CSV Import for Time Entries (#28234 contributed by Gregor Schmidt)

Just like issues, you can now bulk import time entries from a CSV file.

And don't forget to check the many other improvements brought by this new release in the Changelog.
Many thanks to Go MAEDA and all the contributors who made this release happen!

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include a fix for an improper markup sanitization in Textile formatting. Redmine 4.0.6 also includes an update to the latest Ruby on Rails 5.2.x version that fixes CVE-2019-16782.

A critical security vulnerability has been discovered in Redmine 3.3.x and all prior releases. This vulnerability could be used to read sensitive data from the database. Although the 3.3.x branch was no longer maintained, Redmine 3.3.10 was released today in order to fix this vulnerability. If you are using Redmine <= 3.3.9, you should upgrade as soon as possible (download).

Thank you to Holger Just from www.plan.io for reporting this vulnerability.

Redmine 3.4.x and 4.0.x are not affected by this vulnerability.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include an upgrade to the latest ruby-openid gem that fixes a security vulnerability (see #32294 for more details). Users who have openid authentication activated on their Redmine instance should upgrade as soon as possible.

Thanks to all the contributors who worked on these releases.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 release include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf on Planio. People who uses Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: several vulnerabilities have been discovered in Ruby on Rails 4 and 5 (see announcement). These 2 releases include an update to the latest Ruby on Rails versions 5.2.2.1 (for Redmine 4.0.3) and Rails 4.2.11.1 (for Redmine 3.4.10) which fix these security issues. Upgrading is highly recommended.