Redmine

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a persistent XSS vulnerability in Textile formatting, so upgrading as soon as possible is recommanded.
You can get more details in Security Advisories.

Many thanks to Nakayama Daisuke, Maik Stegemann and Mizuki Ishikawa for reporting these issues to the Redmine security team!

Please note that Redmine 3.x has reached end of life, is not supported any longer and is (as well) vulnerable to these security issues. You should upgrade to Redmine 4 to get security updates.

I am happy to announce that Redmine 4.1.0 has been released. You can review the details for the 250 changes that are part of this new feature release.

Here is an overview of the main improvements among all theses changes:

New permissions:

• Edit own issues (#1248 contributed by Yuichi HARADA): you can allow users with specific roles to edit the issues they created only.
• Log time for another user (#3848 contributed by Marius BALTEANU): you can allow some roles to log time for other project members.

Issue list improvements:

• Grouping by date : start, due, creation, update, closing dates (#13803)
• Issue filtering by spent time (#26826)
• "starts with" and "ends with" filter operators for string values (#31879)

Issue history tabs (#3058 contributed by Marius BALTEANU)

You can now choose to display different details in the issue history using tabs: all changes, comments, spent time or commits.

Allow pasting screenshots from clipboard (#3816 contributed by Takenori TAKAKI)

You can now paste image data from your clipboard when editing formatted text, eg. using CTRL+V. That will automatically upload the image as an attachment and append the appriorate tag in the text in order to display the image inline. No more need to save your screenshot as a file before uploading it to Redmine.
Note that you can also drag and drop an image file into the textarea to get the same result.

Query system for Projects page (#29482 contributed by Marius BALTEANU)

The project list now supports filtering and an alternate table display similar to the issue list, with grouping and columns selection. Queries on the project list can also be saved in the same way.

Bookmarks and recently used projects in the project jump box (#31355 contributed by Jens Krämer)

This is a nice improvement for users who belong to many projects. You can now choose your favorite projects that will be displayed at the top of the project selection dropdown. This can be done by using the "Bookmark" link on a project overview. The dropdown will also display the projects you recently visited at the top of the list.

Custom fields visibility (#23997, #31859, #31925 contributed by Jens Krämer and Marius BALTEANU)

Just like issue custom fields, you can restrict the visibility of projects, versions and spent time custom fields by roles

CSV Import for Time Entries (#28234 contributed by Gregor Schmidt)

Just like issues, you can now bulk import time entries from a CSV file.

And don't forget to check the many other improvements brought by this new release in the Changelog.
Many thanks to Go MAEDA and all the contributors who made this release happen!

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include a fix for an improper markup sanitization in Textile formatting. Redmine 4.0.6 also includes an update to the latest Ruby on Rails 5.2.x version that fixes CVE-2019-16782.

A critical security vulnerability has been discovered in Redmine 3.3.x and all prior releases. This vulnerability could be used to read sensitive data from the database. Although the 3.3.x branch was no longer maintained, Redmine 3.3.10 was released today in order to fix this vulnerability. If you are using Redmine <= 3.3.9, you should upgrade as soon as possible (download).

Thank you to Holger Just from www.plan.io for reporting this vulnerability.

Redmine 3.4.x and 4.0.x are not affected by this vulnerability.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include an upgrade to the latest ruby-openid gem that fixes a security vulnerability (see #32294 for more details). Users who have openid authentication activated on their Redmine instance should upgrade as soon as possible.

Thanks to all the contributors who worked on these releases.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 release include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf on Planio. People who uses Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: several vulnerabilities have been discovered in Ruby on Rails 4 and 5 (see announcement). These 2 releases include an update to the latest Ruby on Rails versions 5.2.2.1 (for Redmine 4.0.3) and Rails 4.2.11.1 (for Redmine 3.4.10) which fix these security issues. Upgrading is highly recommended.

These 2 maintenance releases are available for download, you can review the changes in the Changelog.
Thanks to the contributors for their submissions!

These maintenance releases are available for download.
You can review the changes in the Changelog.

Happy New Year 2019!

Thanks to the many people who contributed to Redmine since last year, I'm glad to announce that Redmine 4.0.0 is now available for download. It brings more than 200 changes including:

• a major change to email notifications: each user now receives its own notification email whereas previous versions were sending a single email to all the notified users
• many improvements to text formatting
• the replacement of Coderay by Rouge to support more languages for code highlighting

Email delivery now relies on Rails ActiveJob. Emails are sent asynchronously by default. But you should consider configuring a persistent backend for ActiveJob since the default uses an in-memory queue that is not well suited for production environnements:
https://guides.rubyonrails.org/v5.2/active_job_basics.html#job-execution

Redmine 4.0.0 uses Rails 5.2.2, the latest Rails version released a few days ago.

Redmine 3.4.7 and 3.3.9 are maintenance releases for 3.4.x and 3.3.x users. You can review the details in the Changelog. They both include an upgrade to Rails 4.2.11 that fixed 2 Rails vulnerabilities. Although these vulnerabilities does not affect Redmine 3.x, you should upgrade if possible.