
Month: April 2012

ChiliProject 2.7.1 released

ChiliProject 2.7.1 has just been released. This release is a security release to fix several mass-assignment vulnerabilities. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.1.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download the release. For more information about the bug, please see the release announcement for ChiliProject 3.1.0.

Download ChiliProject 2.7.1

What’s included

2.7.1 includes a security fix which was backported from ChiliProject 3.1.0.

  • Bug #922: Mass assignment

Contributors to 2.7.1

I’d like to thank all of the contributors to the 2.7.1 release.

  • Eric Davis
  • Holger Just
  • Jean-Philippe Lang

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.1.0.

ChiliProject 3.1.0 released

ChiliProject 3.1.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.0.0 as well as some critical security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 2.x release branch, please check the 2.7.1 release, which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version, as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.1.0

What’s included

3.1.0 includes 20 bug fixes including one security fix and 5 new features for 3.0.0.

The security fix addresses several mass assignment vulnerabilities in ChiliProject. These allowed users to write certain pieces of data which they should not have been allowed to write. However, users could not grant themselves access to data they can’t normally access. It was also not possible for non-admins to grant users additional rights.

All of the vulnerabilities existed since the start of the project, most going back to the beginning of Redmine itself. To further mitigate the issue, we are going to review the controller code and add additional means to prevent mass-assignment vulnerabilities in the future. As these changes require some architectural changes, we will spread them out over the future releases as part of our migration to Rails 3.

More information about the way mass-assignment works in Rails can be found at Michael Hartl’s tech blog.
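To illustrate the class of bug described above, here is an added example (not ChiliProject's or Rails' code) that mimics an ActiveRecord-style `update_attributes` without requiring Rails: the unsafe form writes every key the request carries, while the hardened form applies an `attr_accessible`-style allow-list, the same idea Rails 2.x/3.0 models used and that later Rails versions moved into controller-side parameter filtering. The `Issue` model, its attribute names, and the tampered request hash are constructed for this example.

```ruby
# Added example, not ChiliProject code. Minimal stand-in for an ActiveRecord
# model: shows a mass-assignment write versus an allow-listed write.
class Issue
  ATTRIBUTES = [:subject, :description, :author_id, :project_id].freeze
  # Only fields a normal edit form is meant to change (attr_accessible-style list).
  ACCESSIBLE = [:subject, :description].freeze

  attr_reader(*ATTRIBUTES)
  attr_reader :rejected_keys # keys dropped by the safe path, useful for logging

  def initialize(author_id:, project_id:)
    @author_id = author_id
    @project_id = project_id
    @rejected_keys = []
  end

  # Vulnerable form: any known column named in the request hash is written,
  # so a user who adds project_id to the form data moves the issue.
  def update_attributes_unsafe(params)
    params.each do |key, value|
      instance_variable_set("@#{key}", value) if ATTRIBUTES.include?(key.to_sym)
    end
    self
  end

  # Hardened form: keys outside the allow-list are dropped and recorded so
  # the application can log the attempt instead of silently honouring it.
  def update_attributes_safe(params)
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        @rejected_keys << key.to_s
      end
    end
    self
  end
end

# Constructed request parameters: a normal subject edit with project_id smuggled in.
TAMPERED_PARAMS = { "subject" => "Typo in README", "project_id" => 99 }.freeze

def demo_unsafe
  Issue.new(author_id: 7, project_id: 1).update_attributes_unsafe(TAMPERED_PARAMS)
end

def demo_safe
  Issue.new(author_id: 7, project_id: 1).update_attributes_safe(TAMPERED_PARAMS)
end
```

In the unsafe path the issue ends up in project 99; in the safe path it stays in project 1 and `rejected_keys` names the smuggled field, which is the signal a defender would want to log.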

The full list of changes is below:

  • Bug #739: Relative textile links not converted to full URLs in emails
  • Bug #828: uninitialized constant Redmine::Scm::Adapters::CommandFailed in RepositoryController
  • Bug #861: Apply Filter does not work on all-project-activities view
  • Bug #868: Done bar has no filling
  • Bug #869: Issue option list stacked vertically instead of horizontally
  • Bug #873: Incorrect error message text for groups
  • Bug #882: Right click context menu doesn’t show submenu icon.
  • Bug #887: Stacked month (top row)
  • Bug #888: Cannot edit note
  • Bug #891: quotes around path when shelling out does not work on Windows
  • Bug #892: CP code or test assumes ordering where none is guaranteed
  • Bug #896: Enabling “Authentication required” mode returns 404s
  • Bug #903: ActionView::TemplateError (undefined method `new0′ for DateTime:Class)
  • Bug #911: Sub-sub (and deeper) issues CSS rules are overridden
  • Bug #914: comments gets striked through, when description changes before
  • Bug #922: Mass assignment
  • Bug #927: Reposman script problem
  • Bug #929: Missing links in Issues section in left menu bar
  • Bug #933: News RSS Feed tag not populating
  • Bug #939: GMail documentation in configuration.yml.default out of date
  • Feature #559: Group Menus
  • Feature #899: Create a jQuery version of the context menu
  • Feature #906: Add Link back to Parent of Subtask
  • Feature #915: default bundle install installs old pg version
  • Feature #928: Increase username length limit from 30 to 60

Contributors to 3.1.0

  • Andrew Smith
  • Dominique Feyer
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jean Philippe Lang
  • Martin S
  • Michaël Rigart
  • Robert Mitwicki

In closing, go and download ChiliProject 3.1.0 now.