News

Redmine 7.0.0 is now available (2 comments)

Added by Marius BĂLTEANU 1 day ago

Redmine 7.0.0 has been released and is available for download from Download. This release ships 122 issues, with "Webhooks triggers on events" as the major feature, along with the Rails 8 migration, improved RTL support, a header/navigation redesign, and the continued UI modernization started in 6.0 and 6.1.

This release also marks 20 years since Redmine's first release in 2006 (r1 committed by Jean-Philippe Lang on 28.06.2006). Two decades later, the project is still actively maintained and improved thanks to a community of contributors, users, and companies who keep investing their time and effort into it. Thank you to everyone who has been part of this journey, from the very first commit to today!

Here is a breakdown of the key highlights included in Redmine 7.0.0:

1. Key feature: Redmine can trigger external webhooks on events (#29664). The feature is disabled by default and must be enabled by a system administrator from the new “Integration” tab.

2. Rails, Ruby and platform upgrades:
  • Redmine has been migrated to Rails 8 (#43205).
  • Ruby 4.0 is now supported (#43650). Note: Ruby versions 4.0.0 to 4.0.3 have a significant wiki rendering slowdown caused by a regression in the Ruby runtime itself (#43737, tracked upstream at bugs.ruby-lang.org #21856). This was fixed upstream in Ruby 4.0.4, so we recommend running Redmine 7.0 on Ruby 4.0.4 or later.
  • Several core dependencies have been updated, including Propshaft, Commonmarker, Rubyzip, Trilogy, Rouge, the pg and sqlite3 gems, and others.
  • The Raphael.js dependency has been removed in favor of native SVG APIs (#43845).
  • ChartJs has been upgraded and migrated to ES Modules (#44018).
  • The html-pipeline gem has been removed. Loofah is now used for HTML filtering, and Textile processing has been aligned with the same approach used for CommonMark (#42737, #43643). Some existing code related to text formatting has been moved to scrubbers (#43745).
  • Deprecated icon-* CSS classes, kept temporarily since 6.0 for backward compatibility, have now been removed from core stylesheets and moved to `legacy-icons-compat.css`, completing the transition to Tabler SVG icons (#43206). The legacy CSS file can still be imported by theme or plugin developers using the standard import syntax.
3. UI / UX improvements:
  • Header redesign: A new navigation bar with a lighter visual weight (#43937), and the user-related links in the top menu have been replaced with a proper user menu (#31353).
  • RTL support overhaul: Physical CSS properties have been replaced with logical ones across core stylesheets, rtl.css has been removed in favor of integrated overrides, and the Gantt chart and other views have been adapted for right-to-left layouts (#43506, #43515, #43700, #43678, #43822).
  • Color Standardization via Open Color: The core styling framework now integrates Open Color to unify and standardize CSS colors natively across default elements (#43256).
  • General visual cleanup: simplified fieldset borders, unified spacing around section separators, increased page padding, refined box-like UI elements, and aligned sidebar/pagination styling (#44111, #43836, #43824, #43575).
  • File-type icons now replace the generic paperclip icon in attachment lists, with coverage extended to more MIME types (#43797, #43805).
  • The Roadmap view now highlights the currently selected version (#39882).
4. Workflow and usability enhancements:
  • Assignee dropdown improvements: configurable users/groups ordering, "Users by group" display option (#43996, #44015, #4507).
  • Users can opt in to be automatically added as watchers of issues they're assigned to (#2716).
  • A new mail notification option for watched objects only has been added (#37978).
  • Add / remove multiple users from a group (#43640).
  • Default due date can now be set with a configurable offset from today (#31518), an option also extended to date format custom fields (#44129).
  • Default value can be set for the private issue flag (#9432).
  • Time span input (e.g. 0:45) is now supported in hours filters across issue and time entry queries (#43948, #43968).
  • CSV export of project memberships is now available (#37480).
  • All wiki pages of a project can now be exported as a ZIP archive (#43978).
5. Text formatting and preview
  • Spreadsheet tables can now be pasted directly as CommonMark/Textile tables in wiki textareas (#43950), and Tab/Shift+Tab indentation is supported in CommonMark editing (#44061).
  • Microsoft Office and LibreOffice Writer files can now be previewed directly (#8959), and PDF/repository file previews are shown inline instead of forcing a download (#22483).
  • Preview support has been added for AVIF (#43943) and SVG (#44126) images.
  • Text documentation workflows are smoother with new support for block indentation inside CommonMark textareas using standard Tab and Shift+Tab keys (#44061).
6. API changes
  • The project is now included in the wiki page API response (#43569).
  • Custom Fields API now returns visible roles consistently and includes associated projects (#44152, #44153).
7. Performance improvements
  • Resolving @login-style mentions used a case-insensitive query with no supporting database index, forcing a full table scan on every mention — a serious bottleneck on large instances like redmine.org. A proper index has been added and the lookup logic optimized accordingly (#43838).
  • The @mention autocomplete now limits the number of initial suggestions shown (#44190) and caches autocomplete responses to avoid firing redundant requests as you type (#44194).
  • Saving workflow transitions now uses hash-based lookups instead of repeatedly scanning the full transitions array, significantly speeding up workflow edits on instances with many statuses/roles (#43957).
8. Security improvements
  • Sudo mode is now enabled by default (#44052).
  • A "Last usage" timestamp for API and Atom access keys has been added to the user account (#43938).

For a detailed overview of all the improvements and fixes, please refer to the Changelog_7_0.

Redmine Version Status and Release Policy Updates:
  • Redmine 5.1 is now officially End of Life (EOL) and will no longer receive security or maintenance patches.
  • Redmine 6.0 series transitions to our legacy stable branch.
  • Redmine 6.1 and 7.0 series are the stable versions.
  • Redmine 7.1.0 is the next major release.

Many thanks again to all contributors who made this release possible, especially to Go MAEDA and his team, to Jens Krämer and Holger Just for their important contributions, and to everyone who dedicated their time and hard work to make this major milestone release happen!

Redmine 6.1.3, 6.0.10 and 5.1.13 released (5 comments)

Added by Marius BĂLTEANU 16 days ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address multiple security vulnerabilities along with various bug fixes and improvements.

Security Fixes:
All three versions (6.1.3, 6.0.10, and 5.1.13) include the following security fixes:
  • Defect #43951: Bulk attachment download bypasses View files permission for project/version attachments
  • Defect #44109: PreAuth leak name of private Projects
  • Defect #44118: Any project member with add_issue_notes permission can add notes to private issues they cannot view, via the MailHandler reply dispatch
  • Defect #44138: Stored XSS in Textile formatter due to restore_redmine_links
  • Defect #44145: PostScript execution in Redmine::Thumbnail.generate via %% DSC-comment prefix
  • Defect #44146: Time-entry API hidden custom-field leak
Versions 6.1.3 and 6.0.10 also include:
  • Patch #43986: Improve the config.filter_parameters setting
Version 6.1.3 also includes:
  • Defect #44174: OAuth scope enforcement bypass in user account

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially to those who responsibly reported the vulnerabilities, and to Holger Just, Jens Krämer, and Go MAEDA for their continuous work on these security issues.

Redmine 6.1.2, 6.0.9 and 5.1.12 released (2 comments)

Added by Marius BĂLTEANU 4 months ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address multiple security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.2, 6.0.9, and 5.1.12) include the following security fixes:
  • Defect #43661: Unsafe eval usage in AttachmentsHelper
  • Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
  • Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
  • Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
  • Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
  • Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
  • Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).

Maintenance Improvements

Redmine 6.1.2 includes a significant number of maintenance fixes (30 in total).
  • A new series of fixes for RTL languages
  • SVG Icons: Theme developers can now override the default icons sprite; please see #43087 for details
  • The recent_pages macro now supports the include_subprojects parameter

Download and Changelog
You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Sho Odagiri and kaminuma).

Redmine 6.1.1, 6.0.8 and 5.1.11 released (1 comment)

Added by Marius BĂLTEANU 6 months ago

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address three security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.1, 6.0.8, and 5.1.11) include the following security fixes:
  • Defect #43451: PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation
  • Defect #43634: Authorization bypass in Redmine allows modification of attachment metadata on invisible issues
  • Defect #43635: Authorization bypass in Redmine allows deletion of attachment on invisible issues

Maintenance Improvements

Redmine 6.1.1 includes a significant number of maintenance fixes (34 in total), with a particular focus on the user interface:
  • RTL Support: Numerous fixes for RTL layouts, including corrected positioning for reaction buttons, copy buttons, and avatars.
  • Text Formatting: Improvements to CommonMark alerts, including localized titles (note, tip, warning, etc.), a new CJK-friendly emphasis extension and automatic list markers support for task list items (#43234, #43379, #43265).
  • SVG Icons: Continued refinement of the new SVG icon system and visual consistency.

Download and Changelog
You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Elweth from YesWeHack and Abor).

Happy New Year!

Two-factor authentication is now mandatory at Redmine.org (2 comments)

Added by Go MAEDA 8 months ago

At www.redmine.org, we have made two-factor authentication (2FA) mandatory for all users to help prevent spam and strengthen security.

If you have not enabled 2FA on www.redmine.org, you will be asked to set it up the next time you sign in. Please follow the on-screen instructions and use a TOTP-compatible authentication app such as Google Authenticator, Microsoft Authenticator, Authy, or Duo Mobile.

Background

In recent years, we have seen an increase in spam and test submissions on Redmine.org. To address this problem and to better protect user accounts, we have made 2FA mandatory.

Two-factor authentication also greatly reduces the risk of account takeovers and improves the overall security of the site.

While the registration process for new users will take a bit more effort, it may help reduce spam and test submissions to some extent.

We apologize for the extra steps required to sign in and appreciate your cooperation.

Redmine 6.1 is now available (6 comments)

Added by Marius BĂLTEANU 9 months ago

Redmine 6.1.0 is a feature-rich update that brings a number of new features, improvements, and technical changes. This release is a result of implementing nearly 70 issues, from small optimizations to completely new features, designed to improve user workflows and provide administrators with more control. Redmine developers can now use more modern tools from the Rails world.

1. Key features:
  • Reactions to content: Users can add reactions to issues, notes, news, and forum posts (#42630).
  • OAuth2 support: Redmine can now function as an OAuth2 provider (#24808).
  • User initials as avatar: A native avatar has been implemented to display user initials as their avatar when Gravatar service is disabled (#29824). For those who use Gravatar service to display user avatars, support has been added for the new "initials" option recently launched by Gravatar (#42623).
  • "Progress bar" custom field: A new custom field format has been introduced, which behaves like the existing "Done Ratio" Issue field (#42335).
2. UI improvements:
  • Sticky header for issues: The issue subject now remains visible at the top of the screen when scrolling through a long issue page, preventing the mistake of accidentally updating the wrong issue (#42684).
  • Copy buttons: API keys and content from pre code blocks can be copied directly to the clipboard (#5953, #29214).
  • Icons update: Watch icon has been changed to eye (#31531) and the quote note icon to quotation mark (#31531).
  • Journals / comments / replies look and feel update: all three now use the same structure (#42972) and the look and feel has been updated (#40744) in order to simplify the view.
3. Text formatting improvements:
  • Automatic list marker insertion: pressing Enter after a list item while editing text in Markdown or Textile formatting automatically inserts the next list marker (#43095).
  • CommonMark alert extension enabled: the extension is now enabled and it can be used to highlight text as Note, Tip, Warning, Caution and Important (#42603).
  • Improved HiDPI Display: Images inserted into issues and other content will automatically adjust to the correct size on high-pixel-density screens (#38504).
  • {{recent_pages}} macro: the new macro displays a list of recently updated Wiki pages (#38501).
4. Enhancements for administrators:
  • Configurable columns: The lists of child and related issues can now be customized with configurable columns (#42477).
  • Time tracking on closed issues: You can now configure if time entries are allowed after closing an issue (#13596).
  • Configurable auto-watch: The default settings for automatically watching issues are now customizable (#42880).
  • Disable JavaScript table sorting in wiki content: Administrators can now disable this feature that can be a nuisance in some cases (#40588). Also, the setting is disabled for new installations.
  • Improved role deletion: The error message for role deletion now lists the projects where the role is in use, with links to the project settings page (Feature #42441).
5. Rails, Ruby and other technical improvements:
  • Ruby 3.4 is now supported (#41976) and support for Ruby 3.1 has been dropped (#42496).
  • Stimulus has been added to the core as a modern JavaScript framework (#42510). For now, only a few features have been implemented / modernised using this new framework, but we will continue to adopt it in Redmine 7.
  • 14 issues improve performance. On top of this, Redmine developers can now use the bullet gem to automatically detect inefficient database queries (#42555).
  • Redmine::I18n::Backend has been removed (#42859).
  • The task list items provided by CommonMark now use CommonMark's tasklist extension. The deckar01-task_list gem has been removed.

You can download the new version from Download and you can see the full Changelog.

Many thanks to all contributors who have made this release possible, especially to Go MAEDA and his team (Katsuya HIDAKA, Mizuki ISHIKAWA) who actively improve Redmine, to Plan.io (Jens Krämer, Holger Just) for their major contributions, and to many others.

Redmine versions status and releases policy updates:
  • As we already announced in Redmine 6.0.7, 5.1.10 and 5.0.14 released, Redmine 5.0 is now end of life.
  • Redmine 5.1 is now the legacy version that will receive only security updates.
  • Redmine 6 series are the stable versions.
  • Redmine 7.0.0 is the next major release.

We are planning to change the release cycle of the major versions in order to match the release cycle of Ruby / Rails and to support new versions more quickly. I hope we can achieve this starting from next year.

Redmine 6.0.7, 5.1.10 and 5.0.14 released (2 comments)

Added by Marius BĂLTEANU 9 months ago

Maintenance releases 6.0.7, 5.1.10 and 5.0.14 are now available to Download, bringing a total of 16 bug fixes (Changelog).

Security fixes:

All versions contain the following security fixes:
  • Defect #42998: Username and password stored in login form
  • Defect #43083: Information disclosure in Two-Factor Authentication
  • Defect #43161: When copying issues, all existing custom values are set to the new issue without sufficient validation

Starting with these versions, a new security measure has been implemented in #42998 to improve how Redmine handles sensitive information. The no-store cache header has been added to the following forms: login, lost password, change password, sudo pages, auth_source, user, repository and accounts#register.

Thanks everyone for their contributions.

A Note on the End of Life for Redmine 5.0

With the upcoming release of Redmine 6.1.0 later today, we want to remind everyone that this will mark the end of life for the Redmine 5.0 series. If you are currently using a version in the 5.0 branch, we highly recommend you plan to upgrade soon to continue receiving updates and security patches.

Redmine 6.0.6, 5.1.9 and 5.0.13 released (2 comments)

Added by Marius BĂLTEANU 12 months ago

Maintenance releases 6.0.6, 5.1.9 and 5.0.13 are now available to Download, bringing a total of 32 bug fixes (Changelog).

All three releases contain a new version of net-imap gem to address CVE-2025-43857 (#42662) and also some important fixes to improve the compatibility of Redmine with Rack >= 3.1.14 (#42875, #42962). Additionally, the patch for #38529, initially released in version 5.1.0, is now properly fixed and the locales are limited to those defined by Redmine itself.

Thanks everyone for their contributions.

Redmine 6.0.4, 5.1.7 and 5.0.12 released (security fixes)

Added by Marius BĂLTEANU over 1 year ago

We have released new maintenance updates, Redmine 6.0.4, 5.1.7 and 5.0.12.
These 3 maintenance releases are available for download; you can review the changes in the Changelog.

All versions contain multiple important security fixes:
  • 2 XSS vulnerabilities
  • Project query leaks details of private projects
  • /my/account does not correctly enforce sudo mode
  • Update Nokogiri to 1.18.3 to address CVE-2025-24928 and CVE-2024-56171

You can review them in Security Advisories.

Besides the security issues, #42245 is now also fixed in 5.1.7.

Thank you to everyone who contributed to the releases and special thanks to Holger Just for handling all these security issues.
