News

Two-factor authentication is now mandatory at Redmine.org (1 comment)

Added by Go MAEDA 2 days ago

At www.redmine.org, we have made two-factor authentication (2FA) mandatory for all users to help prevent spam and strengthen security.

If you have not enabled 2FA on www.redmine.org, you will be asked to set it up the next time you sign in. Please follow the on-screen instructions and use a TOTP-compatible authentication app such as Google Authenticator, Microsoft Authenticator, Authy, or Duo Mobile.

Background

In recent years, we have seen an increase in spam and test submissions on Redmine.org. To address this problem and to better protect user accounts, we have made 2FA mandatory.

Two-factor authentication also greatly reduces the risk of account takeovers and improves the overall security of the site.

While the registration process for new users will take a bit more effort, it may help reduce spam and test submissions to some extent.

We apologize for the extra steps required to sign in and appreciate your cooperation.

Redmine 6.1 is now available (5 comments)

Added by Marius BĂLTEANU about 1 month ago

Redmine 6.1.0 is a feature-rich update that brings a number of new features, improvements, and technical changes. This release is a result of implementing nearly 70 issues, from small optimizations to completely new features, designed to improve user workflows and provide administrators with more control. Redmine developers can now use more modern tools from the Rails world.

1. Key features:
  • Reactions to content: Users can add reactions to issues, notes, news, and forum posts (#42630).
  • OAuth2 support: Redmine can now function as an OAuth2 provider (#24808).
  • User initials as avatar: A native avatar has been implemented to display user initials as their avatar when Gravatar service is disabled (#29824). For those who use Gravatar service to display user avatars, support has been added for the new "initials" option recently launched by Gravatar (#42623).
  • "Progress bar" custom field: A new custom field format has been introduced, which behaves like the existing "Done Ratio" Issue field (#42335).
2. UI improvements:
  • Sticky header for issues: The issue subject now remains visible at the top of the screen when scrolling through a long issue page, preventing the mistake of accidentally updating the wrong issue (#42684).
  • Copy buttons: API keys and content from pre code blocks can be copied directly to the clipboard (#5953, #29214).
  • Icons update: Watch icon has been changed to eye (#31531) and the quote note icon to quotation mark (#31531).
  • Journals / comments / replies look and feel update: all three now use the same structure (#42972) and the look and feel have been updated (#40744) in order to simplify the view.
3. Text formatting improvements:
  • Automatic list marker insertion: pressing Enter after a list item when editing text using Markdown or Textile formatting automatically inserts the next list marker (#43095).
  • CommonMark alert extension enabled: the extension is now enabled and it can be used to highlight text as Note, Tip, Warning, Caution and Important (#42603).
  • Improved HiDPI Display: Images inserted into issues and other content will automatically adjust to the correct size on high-pixel-density screens (#38504).
  • {{recent_pages}} macro: the new macro displays a list of recently updated Wiki pages (#38501).
4. Enhancements for administrators:
  • Configurable columns: The lists of child and related issues can now be customized with configurable columns (#42477).
  • Time tracking on closed issues: You can now configure if time entries are allowed after closing an issue (#13596).
  • Configurable auto-watch: The default settings for automatically watching issues are now customizable (#42880).
  • Disable JavaScript table sorting in wiki content: Administrators can now disable this feature that can be a nuisance in some cases (#40588). Also, the setting is disabled for new installations.
  • Improved role deletion: The error message for role deletion now lists the projects where the role is in use, with links to the project settings page (Feature #42441).
5. Rails, Ruby and other technical improvements:
  • Ruby 3.4 is now supported (#41976) and support for Ruby 3.1 has been dropped (#42496).
  • Stimulus has been added to the core as a modern JavaScript framework (#42510). For now, only a few features have been implemented / modernised using this new framework, but we will continue to adopt it in Redmine 7.
  • 14 issues that improve performance. On top of this, Redmine developers can now use the bullet gem to automatically detect inefficient database queries (#42555).
  • Redmine::I18n::Backend has been removed (#42859).
  • The task list items provided by CommonMark now use the commonmarks tasklist extension. deckar01-task_list gem has been removed.

You can download the new version from Download and you can see the full Changelog.

Many thanks to all contributors who have made this release possible, especially to Go MAEDA and his team (Katsuya HIDAKA, Mizuki ISHIKAWA) who actively improve Redmine, to Plan.io (Jens Krämer, Holger Just) for their major contributions and many others.

Redmine versions status and releases policy updates:
  • As we already announced in "Redmine 6.0.7, 5.1.10 and 5.0.14 released", Redmine 5.0 is now end of life.
  • Redmine 5.1 is now the legacy version that will receive only security updates.
  • Redmine 6 series are the stable versions.
  • Redmine 7.0.0 is the next major release.

We are planning to change the release cycle of the major versions in order to match the release cycle of Ruby / Rails and to support new versions more quickly. I hope we can achieve this starting from next year.

Redmine 6.0.7, 5.1.10 and 5.0.14 released (2 comments)

Added by Marius BĂLTEANU about 1 month ago

Maintenance releases 6.0.7, 5.1.10 and 5.0.14 are now available to Download, bringing a total of 16 bug fixes (Changelog).

Security fixes:

All versions contain the following security fixes:
  • Defect #42998: Username and password stored in login form
  • Defect #43083: Information disclosure in Two-Factor Authentication
  • Defect #43161: When copying issues, all existing custom values are set to the new issue without sufficient validation

Starting with these versions, a new security measure has been implemented in #42998 to improve how Redmine handles sensitive information. The no-store cache header has been added to the following forms: login, lost password, change password, sudo pages, auth_source, user, repository and accounts#register.

Thanks everyone for their contributions.

A Note on the End of Life for Redmine 5.0

With the upcoming release of Redmine 6.1.0 later today, we want to remind everyone that this will mark the end of life for the Redmine 5.0 series. If you are currently using a version in the 5.0 branch, we highly recommend you plan to upgrade soon to continue receiving updates and security patches.
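
A way to confirm after upgrading that the forms covered by the no-store change described in the 6.0.7 / 5.1.10 / 5.0.14 announcement above really send the directive. This is an added example, not Redmine code; the form paths, the sample header values and the helper names are assumptions made for the illustration.

```ruby
# Added example, not Redmine code. Paths and header values below are
# constructed samples in the shape a proxy log or curl run would record.
SAMPLE_RESPONSES = [
  ["/login",                 "no-store"],
  ["/login?back_url=%2F",    "private, No-Store"],          # names are case-insensitive
  ["/account/lost_password", 'max-age=0, ext="no-store"'],  # only a directive argument
  ["/my/password",           "max-age=0, private, must-revalidate"],
  ["/account/register",      nil],                          # header absent
  ["/projects",              "max-age=0, private"],         # not a sensitive form
].freeze

# Assumed form paths; adjust to the routes of the instance under test.
SENSITIVE_PATHS = %w[/login /account/lost_password /my/password /account/register].freeze

# Split a Cache-Control value into lowercase directive names, dropping any
# "=argument". Naive comma split: quoted arguments containing commas are
# not handled, which is enough for the directive checked here.
def cache_directives(value)
  value.to_s.split(",")
       .map { |d| d.strip.split("=", 2).first.to_s.downcase }
       .reject(&:empty?)
end

# True only when no-store is present as a directive of its own,
# so a substring such as ext="no-store" does not count.
def no_store?(value)
  cache_directives(value).include?("no-store")
end

# Match on the path without its query string, including sub-paths.
def sensitive?(path)
  clean = path.to_s.split("?", 2).first.to_s
  SENSITIVE_PATHS.any? { |p| clean == p || clean.start_with?("#{p}/") }
end

# Paths of sensitive forms whose response lacks the no-store directive.
def missing_no_store(responses)
  responses.select { |path, cc| sensitive?(path) && !no_store?(cc) }.map(&:first)
end

puts missing_no_store(SAMPLE_RESPONSES)
```

The check parses directive names instead of searching the header text, because a plain substring match would accept the `ext="no-store"` sample.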

Redmine 6.0.6, 5.1.9 and 5.0.13 released (2 comments)

Added by Marius BĂLTEANU 4 months ago

Maintenance releases 6.0.6, 5.1.9 and 5.0.13 are now available to Download, bringing a total of 32 bug fixes (Changelog).

All three releases contain a new version of net-imap gem to address CVE-2025-43857 (#42662) and also some important fixes to improve the compatibility of Redmine with Rack >= 3.1.14 (#42875, #42962). Additionally, the patch for #38529, initially released in version 5.1.0, is now properly fixed and the locales are limited to those defined by Redmine itself.

Thanks everyone for their contributions.

Redmine 6.0.4, 5.1.7 and 5.0.12 released (security fixes)

Added by Marius BĂLTEANU 8 months ago

We have released new maintenance updates, Redmine 6.0.4, 5.1.7 and 5.0.12.
These 3 maintenance releases are available for download; you can review the changes in the Changelog.

All versions contain multiple important security fixes:
  • 2 XSS vulnerabilities
  • Project query leaks details of private projects
  • /my/account does not correctly enforce sudo mode
  • Update Nokogiri to 1.18.3 to address CVE-2025-24928 and CVE-2024-56171

You can review them in Security Advisories.

Besides the security issues, #42245 is now also fixed in 5.1.7.

Thank you to everyone who contributed to the releases and special thanks to Holger Just for handling all these security issues.

Redmine 5.0.11 released (2 comments)

Added by Go MAEDA 9 months ago

We have released Redmine 5.0.11 today, following the releases of Redmine 6.0.3 and 5.1.6 yesterday.

This version backports a critical fix from Redmine 5.1.6 that resolves an issue where the application fails to start when using the concurrent-ruby gem version 1.3.5 or later in Redmine 5.0 and 5.1 series (#42113).

We recommend all users of Redmine 5.0 and 5.1 series update to 5.0.11 or 5.1.6 to avoid startup issues.

The latest maintenance releases are available for download; you can review the changes in the Changelog.

Redmine 6.0.3 and 5.1.6 released

Added by Go MAEDA 9 months ago

We have released two maintenance updates, Redmine 6.0.3 and 5.1.5.
These 2 maintenance releases are available for download; you can review the changes in the Changelog.

Redmine 6.0.3 addresses a major issue where Redmine fails to start if the database adapter name `mysql` in `config/database.yml` is enclosed in double quotes (#42013). Additionally, it includes several UI fixes.

Redmine 5.1.6 addresses a critical issue preventing Redmine 5.0.x from starting when using concurrent-ruby gem version 1.3.5 or later (#42113).

We appreciate the contributions of everyone who reported and resolved these issues.

Redmine 6.0.2 and 5.1.5 released (1 comment)

Added by Marius BĂLTEANU 11 months ago

These 2 maintenance releases are available for download; you can review the changes in the Changelog.

Version 6.0.2 includes important fixes:
  • Time entry API (#41819) and CSV export (#41895) return `hours` as Rational instead of Float
  • Projects endpoint ignores offset and limit params and returns list of all projects (#41791)
  • Plugin activity cannot show icons after switching to SVG icons (#41880)
  • Multiple fixes related to the migration from legacy icons to SVG icons

Both versions include a fix for the following warning during startup: "Unresolved or ambiguous specs during Gem::Specification.reset" (#41749).

We strongly recommend updating to Redmine 6.0.2.

Thanks everyone for the effort to report and fix all these issues.

Redmine 6.0.1 released

Added by Marius BĂLTEANU 12 months ago

Redmine 6.0.1 has been released and it is now available for Download.

This release includes an important fix for the issue reported in #41729 which prevents users from installing Redmine 6 without development dependencies (`bundle install --without development:test` fails with the error `LoadError: cannot load such file -- svg_sprite (LoadError)`).

We recommend that all Redmine 6 users upgrade to this release.
