News

Redmine 4.2.7 and 5.0.2 (6 comments)

Added by Marius BALTEANU 3 months ago

Redmine 4.2.7 and 5.0.2 have been released and are available for download, you can review the changes in the Changelog.

These maintenance releases fixes some important issues and multiple security fixes that were found in the latest Redmine 4.2.* and 5.0.* versions.

Security:
  1. Updates commonmark gem version to 0.23.4 when Ruby >= 2.6 is used in order to fix a remote code execution vulnerability. Because the fixed version of the gem doesn't support Ruby 2.5, those instances that are using Redmine 5.0.*, Commonmark and Ruby 2.5, it is highly recommended to update Ruby version to at least 2.6 because it's the only way to get the update and the fix. Also, the next major Redmine version (5.1.0) already dropped support for Ruby 2.5 (#37159).
  2. Updates jQuery UI to 1.31.1 to fix 3 medium severity XSS vulnerabilities
  3. Fixes unauthorised Information Leak in QueryAssociationColumn and QueryAssociationCustomFieldColumn when the user has no permission to view on the associated object

Many thanks to Liane Hampe and Felix Schäfer for reporting these security issues and to Holger Just and Felix Schäfer for their work on fixing all these issues.

Redmine 4.2.6 and 5.0.1 released (4 comments)

Added by Marius BALTEANU 5 months ago

Redmine 4.2.6 and 5.0.1 have been released and are available for download, you can review the changes in the Changelog.

These maintenance releases address some important issues that were found in the latest Redmine 4.2.5 and 5.0.0 releases.

Security: these releases include two security fixes:

Thanks to A Fora for reporting the nokogiri security issues and all the contributors who worked on these releases!

Redmine 5.0.0, 4.2.5 and 4.1.7 released (6 comments)

Added by Marius BALTEANU 6 months ago

I'm very happy to announce that Redmine 5.0.0 has been released. The new version ships more than 143 changes including some major updates:

  1. Migrate to Rails 6.1 with Zeitwerk autoloading (#29914). Switching to Zeitwerk autoloader breaks some plugins and requires plugin developers to fix the compatibility issues.
  2. Introduced CommonMark Markdown (GitHub Flavored) formatter (#32424) as an alternative to existing Markdown formatter based on Redcarpet. This new formatter is marked as experimental for now, but without any known issue. In the future versions, the Markdown based on Redcarpet will be deprecated and removed. A new configuration (common_mark_enable_hardbreaks) was added to the configuration file (configuration.yml) that allows to configure the hardbreak behaviour. Also, this formatter contains many fixes/improvements and supports task list items (#35742). Switching to this formatter is recommended for existing Markdown (there are some migration tips in the ticket).
  3. Users can be mention now using @ autocomplete by other users with add watchers permission (#13919). This a long awaited feature.
  4. Issue custom query: default query per instance, project and user (#7360). This a long awaited feature.
  5. Default project custom query: per instance and per user (#35795).
  6. Ability to add watchers to Wiki pages (#7652).
  7. Issues can now be filtered by notes (#5893) or by file description (#34715).
  8. "Contains" operator supports now multiple search items (#35764). Using wilcard characters (_ or %) is no longer supported (#35073).
  9. Two-factor authentication improvements: you can enable it only for certain groups (#31920) or for users with administration rights (#35439). Users list contains now the 2FA status as column and as filter option (#35934).

Please review all the changes in the Changelog.

Redmine 4.1.7 and 4.2.5 are maintenance releases for 4.1.x and 4.2.x users. You can review the details in the Changelog.

Please note that 4.1.7 is the last release for 4.1 series, you should upgrade to Redmine 4.2 or 5.0 to get the future maintenance updates.

Many thanks to Go Maeda, Mizuki ISHIKAWA, Takashi Kato, Bernhard Rohloff, Plan.io team, Pavel Rosický and all the contributors who made this release possible.

Redmine 4.2.4 and 4.1.6 released (security fix) (5 comments)

Added by Marius BALTEANU 7 months ago

Redmine 4.1.6 and 4.2.4 have been released and are available for download[1], you can review the changes in the Changelog.

Security: these 2 releases include an update to the latest Ruby on Rails 5.2.* version that fixes CVE-2022-23633.

Thanks to all the contributors who worked on these releases.

1 These releases are not available yet on the releases page from a technical reason, we are sorry for this and we expect to have them uploaded next week. I'll post here an update after we have them uploaded.

Redmine 4.2.3 and 4.1.5 released (security fix) (2 comments)

Added by Marius BALTEANU 12 months ago

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include a fix for a moderate severity issue found in all recent releases, so upgrading as soon as possible is recommended. You can get more details in Security Advisories.

Many thanks to Mischa The Evil for reporting and fixing this security issue!

Redmine 4.2.2 and 4.1.4 released (security fixes) (5 comments)

Added by Marius BALTEANU about 1 year ago

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include an update to Ruby on Rails 5.2.6 version that fixes multiple vulnerability issues. Version 4.2.2 includes a fix for a low severity issue found in the 2FA feature, so upgrading as soon as possible is recommanded.
You can get more details in Security Advisories.

Many thanks to Felix Schäfer and Holger Just for reporting and fixing this security issue!

Redmine 4.2.1, 4.1.3 and 4.0.9 released (security fixes) (7 comments)

Added by Marius BALTEANU over 1 year ago

These 3 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another method to mitigate the critical risk is to update the Git version from the server to at least 2.22.0. You can get more details in Security Advisories.

Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard working on these security issues and to Go Maeda who made these releases possible.

Beside this, these new versions clarify and properly fix some inconsistent permissions for issue_edit and add_issue_notes. Before 3.3.0, users only with issue_edit permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and the add_issue_notes was explicitly required in the UI. 4.0.8 extended this behaviour to API and 4.0.9 to mail handler. Please check your roles settings if you have the incoming email configured.

Please note that 4.0.9 is the last release for 4.0 series, you should upgrade to Redmine 4.1 or 4.2 to get the future maintenance updates. Next major version is 5.0.0.

Redmine 4.2.0 released (10 comments)

Added by Marius BALTEANU over 1 year ago

I am very happy to announce that Redmine 4.2.0 is now available for download. This new version brings more than 190 changes including some long awaited features.

Here are the highlights:

Authentication / User accounts
  • You can now enable two-factor authentication as an extra security layer for your account (#1237 by Felix Schäfer).
  • Admins can now configure which email domains are allowed or not for user accounts (#3369 by Yuichi HARADA).
  • User accounts can now be imported from CSV (#33102 by Takenori TAKAKI).
Notifications:
  • Notify users about high issues (only) (#32628 by Jan Schulz-Hofen): This new option from My account allows users to receive email notifications for issues that have a high priority even if they're not assigned to or watching it.

Issues:
  • Bulk addition of related issues (#33418 by Dmitry Makurin): You can now add multiple related issues by providing a list of comma separated issue ids or by selecting them from the autocomplete.
  • Query links for subtasks on issue page (#28471 by Bernhard Rohloff): The list of subtasks from the issue page contains now the total number of subtasks (open/closed) with links to issues page.

  • Show warning and the reason when the issue cannot be closed because of open subtasks or blocking open issue(s) (#31589): by showing the reason, users will be less confused.

Watchers:
  • Groups can be added as watchers for issues (#4511 by Yuichi HARADA).
  • Forum threads can now be watched (#3390 by Yuichi HARADA).
  • Watchers that are not going to receive a notification because they watch a non visible object (for ex: issue) are now marked in the UI as invalid (#33329).
Text formatting:
  • New toolbar button to insert a table (#1575 by Mizuki ISHIKAWA and Hiroyuki ENDO).

  • Wiki table column sorting (#1718 by Takenori TAKAKI).
  • Languages in Highlighted code button in toolbar are now customizable by each user (#32528 by Mizuki ISHIKAWA).

Keyboard shortcuts:
  • Switch between Edit/Preview tabs using ⌘/Ctrl + Shift + P (#30459).
  • Bold, italic and underline text using ⌘/Ctrl + b, ⌘/Ctrl + i and ⌘/Ctrl + u (#34549).
  • Submit a form using Ctrl+Enter / Command+Return (#29473 by Mizuki ISHIKAWA).

Activity improvements:
UI options to filter activities by date (#1422 by Mizuki ISHIKAWA) or by user (#33602 by Mizuki ISHIKAWA). Slight design improvements (#33692 by Mizuki ISHIKAWA).

Another nice features:
  • Download all attachments at once (#7056 by Mizuki ISHIKAWA).
  • Auto complete wiki page links (#33820 by Mizuki ISHIKAWA): use "[[" to trigger the inline autocomplete.

  • Auto-select fields mapping in Importing (#22913 by Haihan Ji, Yuichi HARADA).
  • Fields with validation errors are now highlighted (#32764).

And don't forget to check the many other improvements brought by this new release in the Changelog.
Many thanks to Go MAEDA, Bernhard Rohloff and all the contributors who made this release happen!

Redmine 4.1.2 and 4.0.8 released (7 comments)

Added by Marius BALTEANU over 1 year ago

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a permission bypass in Issues API and a fix for private project name that can be leaked in issue journal details, so upgrading as soon as possible is recommended.
You can get more details in Security Advisories.

Thanks to all the contributors who worked on these releases.

Redmine 4.1.1 and 4.0.7 released (8 comments)

Added by Jean-Philippe Lang over 2 years ago

These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Security: these 2 releases include several security fixes, including a fix for a persistent XSS vulnerability in Textile formatting, so upgrading as soon as possible is recommanded.
You can get more details in Security Advisories.

Many thanks to Nakayama Daisuke, Maik Stegemann and Mizuki Ishikawa for reporting these issues to the Redmine security team!

Please note that Redmine 3.x has reached end of life, is not supported any longer and is (as well) vulnerable to these security issues. You should upgrade to Redmine 4 to get security updates.

1 2 3 ... 14 (1-10/137)

Also available in: Atom