News

Redmine 0.8.7 security release (6 comments)

Added by Jean-Philippe Lang over 16 years ago

This release adds protection against potential CSRF attacks.

Migration is done as usual but you need to generate a secret before restarting the application.
From your Redmine directory, simply run the following command once:

rake config/initializers/session_store.rb

This release fixes a few bugs as well.
Download 0.8.7.

If you are not able to upgrade to 0.8.7 but want a fix for this security issue, you can install the following plugin from Eric Davis:
http://github.com/edavis10/redmine_security_4216 (Redmine 0.8.x required)

Redmine 0.8.5 released (2 comments)

Added by Jean-Philippe Lang almost 17 years ago

This release fixes a few Redmine bugs and includes Rails 2.1.2 with several security patches applied:

If you are running the trunk version of Redmine, you can either:
  • install Rails 2.2.3 once it's released by the Rails core team
  • update your copy to r2887 that runs with Rails 2.3.4

Redmine 0.8.4 security/bug fix released (11 comments)

Added by Jean-Philippe Lang about 17 years ago

Redmine 0.8.4 fixes a vulnerability related to the 'autologin' feature. This vulnerability may affect people using Redmine with Phusion Passenger (a.k.a. mod_rails/mod_rack) and thus, upgrading is highly recommended. If you're not able to upgrade, you should disable the 'autologin' feature.

This release also fixes a memory consumption issue when uploading big files.

Like previous 0.8.x releases, it still runs with Rails 2.1.2.
You can see the list of changes in the Changelog and download this release at Rubyforge.

Rails 2.2 and I18n (4 comments)

Added by Jean-Philippe Lang over 17 years ago

The work done over the last few weeks in the rails-2.2 branch was merged into the trunk a few minutes ago (r2493).
So the current trunk now requires Rails 2.2.2 to be installed. Installing the appropriate gem is pretty straightforward:

gem install rails -v=2.2.2

Here are some important notes for people who want to upgrade their trunk checkout:

  • If you had frozen Rails in your working copy, make sure to remove it before restarting the application (simply remove /vendor/rails). Otherwise the application will use this old frozen Rails version, and won't start.
  • As requested in #2628, Redmine now uses cookies to store session data by default. This prevents tons of files from being saved in /tmp/sessions and improves overall response time.
    To ensure data integrity, the cookie store needs a secret to be generated before the first time you start the application. A rake task was added to make this step easier. You just need to run the following command from your Redmine directory:
    rake config/initializers/session_store.rb

Another big change was done on the internationalization support. Redmine now uses the new I18n module shipped with Rails 2.2, instead of the GLoc plugin. Translation files can be found under /config/locales. Contributors are now invited to submit their translation updates based on these files.

The 0.8-stable branch and the forthcoming 0.8.x releases will still use Rails 2.1.2.
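
Why the cookie store described in the notes above needs a server-side secret, shown as an added example that is not Redmine or Rails code: a simplified signed-cookie codec that rejects any cookie whose payload was edited by the client. The module name, the use of HMAC-SHA256 and the JSON payload are assumptions of this sketch, and the session data is constructed.

```ruby
require "openssl"
require "json"
require "securerandom"

# Simplified signed-cookie codec. Names are hypothetical; not Rails/Redmine code.
module SignedCookie
  SEP = "--"

  # Keyed digest of the encoded payload; only the server knows the secret.
  def self.mac(secret, data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
  end

  # Compare without stopping at the first differing byte.
  def self.same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Cookie value: "<base64 JSON payload>--<hex HMAC of that payload>".
  def self.encode(secret, session)
    data = [JSON.generate(session)].pack("m0")   # strict base64, no newlines
    "#{data}#{SEP}#{mac(secret, data)}"
  end

  # Returns the session hash, or nil when the cookie is malformed or altered.
  def self.decode(secret, cookie)
    data, sig = cookie.to_s.split(SEP, 2)
    return nil if data.nil? || sig.nil?
    return nil unless same?(sig, mac(secret, data))
    JSON.parse(data.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end
end

# Constructed sample data.
SECRET  = SecureRandom.hex(64)   # generated once and kept on the server
SESSION = { "user_id" => 2, "admin" => false }
COOKIE  = SignedCookie.encode(SECRET, SESSION)

# The payload edited on the client, sent back with the old digest.
edited   = [JSON.generate(SESSION.merge("admin" => true))].pack("m0")
TAMPERED = "#{edited}--#{COOKIE.split('--', 2).last}"

puts SignedCookie.decode(SECRET, COOKIE).inspect                # original session
puts SignedCookie.decode(SECRET, TAMPERED).inspect              # nil
puts SignedCookie.decode(SecureRandom.hex(64), COOKIE).inspect  # nil
```

The last line also shows the operational consequence of regenerating the secret: cookies signed under the old value stop verifying, so existing sessions are dropped.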
