
Month: November 2011

ChiliProject 1.5.5 Released

ChiliProject 1.5.5 has just been released. This release is a security release to fix a cache poisoning bug in the bundled Redmine.pm module, which can be used for authenticating and authorizing Subversion or Git users for repositories served through Apache. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.5.0. It is suitable for use on production websites running ChiliProject 1.x, and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.5

What’s included

1.5.5 includes a security fix which was backported from ChiliProject 2.5.0.

  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion

All users of ChiliProject who use the bundled Redmine.pm module are strongly advised to update their installations as soon as possible as the resolved issue potentially allows users to access restricted repository data.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.3-stable branches of the repository. You should either upgrade or apply the fix from the issue manually.

Contributors to 1.5.5

I’d like to thank all of the contributors to the 1.5.5 release.

  • Holger Just
  • Jean-Philippe Lang

We would like to especially thank Niels Lindenthal who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch will no longer be supported in any way. We recommend upgrading to the current stable version of ChiliProject, currently ChiliProject 2.5.0, in order to get general bug fixes and features.

ChiliProject 2.5.0 Released

ChiliProject 2.5.0 has just been released. It includes some bugfixes for ChiliProject 2.4.0 as well as one security fix. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 1.x release branch should check the 1.5.5 release, which includes the same security fix.

Download ChiliProject 2.5.0

What’s included

2.5.0 includes 3 new features and 9 bug fixes including 1 security fix for 2.4.0. The major highlights of this release are:

  • The provided Perl module Redmine.pm for authenticating and authorizing Subversion or Git users for repositories served through Apache was vulnerable to a cache poisoning attack if caching was enabled. The vulnerability could result in a temporary permissions escalation, giving a user write permission to a repository for which she normally had only read permission. The fix is active immediately after installation and a restart of the Apache instance on which Redmine.pm is installed.
  • Registered but not-yet activated users can now be deleted.
  • ChiliProject will be transitioning to jQuery as the primary JavaScript library for client-side scripting. To ease the transition, plugin developers can query ChiliProject::Compatibility to decide whether they want to use the to-be-bundled jQuery or a version they bundle with their plugin. ChiliProject::Compatibility can also be queried to check for the presence or absence of Prototype.
  • 2 view hooks have been added to the Project index.
  • Still more Ruby 1.9 compatibility fixes.
  • The vendored ruby-net-ldap gem has been removed and replaced by an updated version (now called net-ldap) in the Gemfile.
  • Small bug fixes and translation improvements.
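The following is an added illustration of the class of bug described in the first highlight above. It is not code from ChiliProject or from Redmine.pm itself: the permission table, the user names and passwords are constructed for the example, and the modelling of the fix as "include the requested access level in the cache key" is an assumption about the general defence, not a description of the project's actual patch. The weak variant keys its cache of successful authorizations only on repository, user and password digest, so a read-only user's cached success for a GET is reused to authorize a later write method; the hardened variant keys on the access level as well, so the write request goes back to the backend and is refused.

```python
"""Authorization cache with and without the requested access level in the key.

Added example only; not Redmine.pm's code. Sample users, passwords and the
permission model are constructed for this illustration.
"""
import hashlib
import time

# Constructed permission model: "read" users may only read, "write" users may
# read and write. Keyed on (repository, user).
PERMISSIONS = {
    ("project-a", "alice"): "write",
    ("project-a", "bob"): "read",
}
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}  # constructed sample credentials

# HTTP/WebDAV methods Subversion uses that do not modify the repository.
# Everything else (MKACTIVITY, CHECKOUT, PUT, MERGE, ...) is treated as a write.
READ_ONLY_METHODS = {"GET", "PROPFIND", "REPORT", "OPTIONS"}


def access_level_for(method):
    return "read" if method in READ_ONLY_METHODS else "write"


def check_backend(repo, user, password, level):
    """The expensive lookup the cache is meant to avoid (a database in reality)."""
    if PASSWORDS.get(user) != password:
        return False
    granted = PERMISSIONS.get((repo, user))
    if granted is None:
        return False
    # A write permission covers reads; a read permission never covers writes.
    return granted == "write" or level == "read"


class AuthCache:
    """Caches successful authorizations for `ttl` seconds.

    key_includes_level=False reproduces the weak design: the key ignores what
    the request is trying to do. key_includes_level=True is the hardened form.
    """

    def __init__(self, key_includes_level, ttl=60):
        self.key_includes_level = key_includes_level
        self.ttl = ttl
        self._entries = {}      # key -> time of last successful check
        self.backend_calls = 0  # lets a test see whether the cache was consulted

    def _key(self, repo, user, password, level):
        pass_digest = hashlib.sha1(password.encode()).hexdigest()
        parts = [repo, user, pass_digest]
        if self.key_includes_level:
            parts.append(level)
        return ":".join(parts)

    def authorize(self, repo, user, password, method, now=None):
        now = time.time() if now is None else now
        level = access_level_for(method)
        key = self._key(repo, user, password, level)
        stamp = self._entries.get(key)
        if stamp is not None and now - stamp < self.ttl:
            return True  # cache hit: a previous request with this key succeeded
        self.backend_calls += 1
        ok = check_backend(repo, user, password, level)
        if ok:
            self._entries[key] = now  # only successes are cached
        return ok


def demo(cache):
    """Bob, who may only read, first reads and then tries to start a commit.

    Returns (read_authorized, write_authorized).
    """
    read_ok = cache.authorize("project-a", "bob", "hunter2", "GET", now=1000.0)
    write_ok = cache.authorize("project-a", "bob", "hunter2", "MKACTIVITY", now=1001.0)
    return read_ok, write_ok


if __name__ == "__main__":
    print("weak cache (read, write):", demo(AuthCache(key_includes_level=False)))
    print("hardened cache (read, write):", demo(AuthCache(key_includes_level=True)))
```

With the weak cache the second call returns True without ever consulting the backend, which is exactly the temporary escalation described above: it lasts as long as the cached entry. With the level in the key the write request misses the cache and is refused, while the password digest in the key still means a wrong password is never served from cache in either variant.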

All users of ChiliProject are strongly advised to update their installations as soon as possible.

Users of Redmine should be advised that the fixed security issue in Redmine.pm is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and 1.3-stable branches of the repository. You should either upgrade or apply the fix manually.

The full list of changes is below:

  • Bug #258: Upgrade from ruby-net-ldap to net-ldap gem
  • Bug #554: Failed to migrate from 1.2.0 to 2.1.0 with Ruby 1.9.2
  • Bug #688: doc/CHANGELOG.rdoc is very huge
  • Bug #698: Searching in issue is broken on ruby 1.9
  • Bug #707: Wiki diffs: incompatible character encoding error on Ruby 1.9.2
  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion
  • Bug #711: translation missing: en, field_lock_version on issue edit on Ruby 1.9
  • Bug #735: any user can edit time entries via context menu
  • Bug #736: Adding users with a dash “-” in email address is broken sometimes
  • Feature #124: User deletion
  • Feature #706: Add hooks to view projects/index.rhtml
  • Feature #725: Compatibility check for jQuery and Prototype availability

Contributors to 2.5.0

  • David O
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Ivan Cenov
  • Jan Schulz-Hofen
  • Jean-Philippe Lang
  • Moritz Breit

We would like to especially thank Niels Lindenthal and Jan Schulz-Hofen who informed us of the (potential) security issues. If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

In closing, go and download ChiliProject 2.5.0 now.