Announcing the end of ChiliProject

Unfortunately, we have to announce the end of ChiliProject. This might not come as a surprise for people following the GitHub repository or this blog as there were indeed no new releases or even commits for quite some time.

We have now faced the inevitable truth that we, the current developers of ChiliProject, are no longer able to maintain the current code base or develop new features for ChiliProject. Thus, we believe it is necessary to shut down the project and make it clear that there will be no further updates in any way to ChiliProject.

While the current website on chiliproject.org is still available, we have removed the possibility for changes. Going forward, we will provide a static version of the wiki and a dump of the current issue list. Furthermore, we have closed all outstanding pull requests on GitHub.

We are very thankful for the support we have received over the years from all of you. I’m sorry we have to let you down. Should anyone be willing to step up and continue to maintain ChiliProject, please contact either Holger or Felix.

In order to continue using your project management systems, we recommend that you migrate to a currently maintained system, e.g. Redmine. As a last update, we plan to provide a migration script to move your existing ChiliProject data to Redmine. In the meantime, you could use one of the community-provided scripts, e.g. the instructions by Christian Daehn of ASinteg GmbH.

So Long, and Thanks For All the Fish!

ChiliProject 3.8.0 released: Security Update

ChiliProject 3.8.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-1854 among other security advisories not relevant to ChiliProject).

This release contains no new features and 3 other bug fixes. It is suitable for use on production websites running ChiliProject 3.x. While the issue can only be exploited for DoS attacks, we urge all ChiliProject administrators to update their installation immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.11.0 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive any updates.

Download ChiliProject 3.8.0

What’s included

3.8.0 contains a security fix for Rails (CVE-2013-1854), which is handled by enforcing an updated version of this dependency in ChiliProject. For details on the issues, please refer to the linked post on the Ruby on Rails security mailing list and the corresponding Rails 2.3.18 announcement on the Ruby on Rails blog.

In addition, this release corrects 3 bugs, including a bug where the datepickers on the start and due dates for new issues would disappear when changing the tracker.

The corresponding ChiliProject bugs are:

  • Bug #1121: Date Picker Icons disappear when changing the Tracker
  • Bug #1164: Error in “rake db:migrate:down VERSION=20100714111652”
  • Bug #1248: Routing issue
  • Security – Bug #1252: Update Rails to 2.3.18

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 2.11.0 released: Security Update

ChiliProject 2.11.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-1854 among other security advisories not relevant to ChiliProject).

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.8.0. It is suitable for use on production websites running ChiliProject 2.x. While the issue can only be exploited for DoS attacks, we urge all ChiliProject administrators to update their installation immediately.

Download ChiliProject 2.11.0

What’s included

2.11.0 contains a security fix for Rails (CVE-2013-1854), which is handled by enforcing an updated version of this dependency in ChiliProject. For details on the issues, please refer to the linked post on the Ruby on Rails security mailing list and the corresponding Rails 2.3.18 announcement on the Ruby on Rails blog.

The corresponding ChiliProject bug is:

  • Security – Bug #1252: Update Rails to 2.3.18

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 3.7.0 released: Important security update!

ChiliProject 3.7.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-0277), the JSON gem (CVE-2013-0333, CVE-2013-0269) and with MySQL’s handling of strings and numbers during value comparison.

This release contains no new features and 1 other bug fix, for the last tag in the Liquid template language. It is suitable for use on production websites running ChiliProject 3.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.10.0 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive any updates.

Download ChiliProject 3.7.0

What’s included

3.7.0 contains security fixes for Rails (CVE-2013-0277) and the JSON gem (CVE-2013-0269), which are handled by enforcing updated versions of these dependencies in ChiliProject. For details on the issues, please refer to the linked posts on the Ruby on Rails security mailing list.

In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirks when comparing strings with numbers. We found some potential issues in our token handling code, which is used to authenticate users in some access variants. In particular, administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.

The corresponding ChiliProject bugs are:

  • Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
  • Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 2.10.0 released: Important Security Update!

ChiliProject 2.10.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-0277), the JSON gem (CVE-2013-0333, CVE-2013-0269) and with MySQL’s handling of strings and numbers during value comparison.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.7.0. It is suitable for use on production websites running ChiliProject 2.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.

Download ChiliProject 2.10.0

What’s included

2.10.0 contains security fixes for Rails (CVE-2013-0277) and the JSON gem (CVE-2013-0269), which are handled by enforcing updated versions of these dependencies in ChiliProject. For details on the issues, please refer to the linked posts on the Ruby on Rails security mailing list.

In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirks when comparing strings with numbers. We found some potential issues in our token handling code, which is used to authenticate users in some access variants. In particular, administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.

The corresponding ChiliProject bugs are:

  • Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
  • Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL
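The MySQL comparison quirk described in the 3.7.0 and 2.10.0 announcements above, as an added Ruby example that is not ChiliProject's own code: a small model of MySQL's string-to-number coercion (constructed for illustration, not a database driver), a token lookup that hands the request value to the comparison unchanged, and a hardened lookup that rejects anything that is not a well-formed String before querying and then compares in constant time. The token table, TOKEN_FORMAT and all function names are constructed for this example.

```ruby
# Constructed model of MySQL's loose comparison: when a string column is
# compared with a numeric literal, MySQL converts the string to a number
# (a string without leading digits becomes 0), so `WHERE value = 0`
# also matches 'abcdef'. SQLite and PostgreSQL do not coerce this way.
# This is an illustration only, not a database driver.
def mysql_loose_equal?(column_value, param)
  if param.is_a?(Numeric) && column_value.is_a?(String)
    column_value.to_f == param.to_f # 'abc'.to_f => 0.0, like MySQL's cast
  else
    column_value == param
  end
end

# Constructed sample token table (token value => user name).
TOKENS = [
  { value: "a1b2c3d4e5f6", user: "alice" },
  { value: "f6e5d4c3b2a1", user: "bob" },
].freeze

# Weak pattern: whatever arrived in the request parameters is handed to the
# lookup unchanged. Rails parses JSON and XML bodies, so the "key" parameter
# may be an Integer rather than a String; under the coercing comparison an
# integer 0 then matches the first token whose value has no leading digits.
def find_user_by_token_unsafe(key)
  row = TOKENS.find { |t| mysql_loose_equal?(t[:value], key) }
  row && row[:user]
end

# Expected token shape (constructed for this example: 12 lowercase hex chars).
TOKEN_FORMAT = /\A[0-9a-f]{12}\z/

# Constant-time string comparison, so that lookup timing does not reveal how
# many leading bytes of a candidate value were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened pattern: reject anything that is not a String of the expected
# shape before it reaches the database, then compare in constant time.
def find_user_by_token_safe(key)
  return nil unless key.is_a?(String) && key.match?(TOKEN_FORMAT)
  row = TOKENS.find { |t| secure_compare(t[:value], key) }
  row && row[:user]
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe lookup with integer 0: #{find_user_by_token_unsafe(0).inspect}"   # "alice"
  puts "safe lookup with integer 0:   #{find_user_by_token_safe(0).inspect}"     # nil
  puts "safe lookup with real token:  #{find_user_by_token_safe('f6e5d4c3b2a1').inspect}" # "bob"
end
```

The type and format check is the part that matters on MySQL: once the value is guaranteed to be a String of the right shape, the database never gets the chance to coerce it, and the same check costs nothing on SQLite or PostgreSQL.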

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 3.6.0 released: Important Security Update!

ChiliProject 3.6.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0333) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.16, which is included in this release of ChiliProject.

This release contains 1 other bug fix and no new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.9.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.6.0

What’s included

3.6.0 contains 1 security fix for Rails and 1 bug fix. To quote the impact section from the announcement to the Rails security list:

The JSON Parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.

All users running an affected application should upgrade or use the workaround immediately.

The corresponding ChiliProject bugs are:

  • Bug #1216: “Only for things I watch or I’m involved in” sends notifications only for issues
  • Security – Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 2.9.0 released: Important Security Update!

ChiliProject 2.9.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0333) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.16, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.6.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.9.0

What’s included

2.9.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The JSON Parsing code in Rails 2.3 and 3.0 supports multiple parsing backends. One of the backends involves transforming the JSON into YAML, and passing that through the YAML parser. Using a specially crafted payload attackers can trick the backend into decoding a subset of YAML.

All users running an affected application should upgrade or use the workaround immediately.

The corresponding ChiliProject bugs are:

  • Security – Bug #1219: Vulnerability in JSON Parser in Ruby on Rails (CVE-2013-0333)

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 3.5.1 released: Security Release

ChiliProject 3.5.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty where clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we recommend that all users of ChiliProject download and install the security release as soon as possible.

Users of the old 2.x release branch, please check the ChiliProject 2.8.1 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.1

What’s included

3.5.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)

How to upgrade

Please follow the Upgrade Guide in our Wiki.

ChiliProject 2.8.1 released: Security Release

ChiliProject 2.8.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty where clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.5.1. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release as soon as possible. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 2.8.1

What’s included

2.8.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)
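The advisory quoted in the 3.5.1 and 2.8.1 announcements above, as an added Ruby example that is neither ChiliProject's nor Rails' own code: a constructed miniature of a hash-conditions builder that shows the two outcomes the advisory names (a nil value turning into `IS NULL`, an empty array making the clause disappear), and a lookup that parses a JSON body and refuses any parameter that is not a non-empty String before the builder ever sees it. `naive_where`, `scalar_param` and `lookup_conditions` are constructed names, and the builder is a stand-in for illustration, not Active Record.

```ruby
require 'json'

# Constructed miniature of a hash-conditions builder, modelled on the
# behaviour the advisory describes: nil becomes "IS NULL" and an empty
# array makes the clause vanish. Column names come from application code,
# never from the request; values are returned as bind parameters and are
# not interpolated into the SQL. A stand-in for illustration, not Active Record.
def naive_where(conditions)
  clauses = []
  binds = []
  conditions.each do |column, value|
    case value
    when nil
      clauses << "#{column} IS NULL"          # unexpected: matches rows with no value
    when Array
      next if value.empty?                    # unexpected: clause silently dropped
      clauses << "#{column} IN (#{(['?'] * value.size).join(', ')})"
      binds.concat(value)
    else
      clauses << "#{column} = ?"
      binds << value
    end
  end
  sql = clauses.empty? ? "" : "WHERE #{clauses.join(' AND ')}"
  [sql, binds]
end

# Defensive check: a parameter used for a single-row lookup must be a
# non-empty String. JSON and XML request bodies can carry null, arrays and
# nested objects where a scalar was expected; everything else is rejected
# before it reaches the query builder. Returns nil when the value is rejected.
def scalar_param(params, key)
  value = params[key]
  value.is_a?(String) && !value.empty? ? value : nil
end

# Parse a JSON request body (constructed input) and build the lookup
# conditions, or return nil when the "name" parameter is not a plain string.
def lookup_conditions(raw_json)
  params = JSON.parse(raw_json)
  return nil unless params.is_a?(Hash)
  name = scalar_param(params, "name")
  return nil if name.nil?
  naive_where("name" => name)
end

if __FILE__ == $PROGRAM_NAME
  puts naive_where("name" => nil).inspect           # ["WHERE name IS NULL", []]
  puts naive_where("name" => []).inspect            # ["", []]
  puts lookup_conditions('{"name": "alice"}').inspect # ["WHERE name = ?", ["alice"]]
  puts lookup_conditions('{"name": null}').inspect    # nil
  puts lookup_conditions('{"name": []}').inspect      # nil
end
```

The point of `scalar_param` is that the decision about what a parameter may be is taken in application code, where the expected type is known, rather than left to whatever the query builder happens to do with a nil or an empty array; that is also why the check belongs in front of the builder rather than inside it.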

How to upgrade

Please follow the Upgrade Guide in our Wiki.

Going forward: focus

In addition to our already discussed attempt to broaden our community reach and communication, we want to bring more focus to our code and development processes. The current development team is too small to properly take care of the whole codebase of ChiliProject with all its different functions and dependencies, correct bugs, implement new features and follow the development of Ruby and Ruby on Rails all at the same time. To alleviate these problems, we’re going to focus our development on one topic or part of the ChiliProject codebase at a time, during which other things will see less or no development. We will also focus the ChiliProject codebase itself on its core functions. This will mean some hardships and probably controversial decisions in the future, but this should also lead to a cleanup of the codebase and make it more lean, lowering the barrier of entry for new developers.

Focusing the ChiliProject codebase means replacing current code with tried and tested libraries with same or similar functionality. This will obviously lead to less code that the ChiliProject team has to take care of and in most cases the use of better and better tested code than what is currently used in ChiliProject. One example is user authentication: ChiliProject currently supports authentication against the ChiliProject database or against LDAP, and keeping up with current security best practices is hard. Switching to a library like OmniAuth or Devise would not only take the authentication concern out of ChiliProject, but also opens the way to more authentication backends (CAS, OAuth, …). Focusing the ChiliProject codebase also means spinning out code currently part of the ChiliProject core to independent libraries or plugins.

Focusing our development means choosing one area of work or major feature per release we will work on. During that time we will only take care of bug fixes in other areas. Furthermore, we will discontinue support for certain features we don’t feel we have enough expertise to develop. A prime candidate for discontinuation is the CVS adapter: we don’t have any experience with CVS and hopefully nobody uses it anymore. Lastly, we will try using external services to manage some parts of ChiliProject for which manual maintenance is tedious and time-consuming. The first such part will probably be the management of the translations for ChiliProject.

I will write again about the proposed changes and deprecations for ChiliProject 4 in a few days; anyone wanting to get involved in the process can read and participate in the “focus” thread and subscribe to the chiliproject-devel mailing list.