Author: Holger Just

Half-time Ruby and Rails developer and half-time friendly operations guy, I try to improve the world one step at a time, striving for perfection along the way.

You can follow me on Twitter or subscribe to my blog.

Announcing the end of ChiliProject

Unfortunately, we have to announce the end of ChiliProject. This might not come as a surprise to people following the GitHub repository or this blog, as there have been no new releases or even commits for quite some time.

We have now faced the inevitable truth that we, the current developers of ChiliProject, are no longer able to maintain the current code base or develop new features for ChiliProject. Thus, we believe it is necessary to shut down the project and make it clear that there will be no further updates of any kind to ChiliProject.

While the current website on chiliproject.org is still available, it is now read-only. Going forward, we will provide a static version of the wiki and a dump of the current issue list. Furthermore, we have closed all outstanding pull requests on GitHub.

We are very thankful for the support we have received over the years from all of you. I’m sorry we have to let you down. Should anyone be willing to step up and continue to maintain ChiliProject, please contact either Holger or Felix.

In order to continue using your project management systems, we recommend that you migrate to a currently maintained system, e.g. Redmine. As a last update, we plan to provide a migration script to move your existing ChiliProject data to Redmine. In the meantime, you could use one of the community-provided scripts, e.g. the instructions by Christian Daehn of ASinteg GmbH.

So Long, and Thanks For All the Fish!

ChiliProject 3.7.0 released: Important security update!

ChiliProject 3.7.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-0277) and its JSON parameter parser (CVE-2013-0333), in the JSON gem (CVE-2013-0269), and with MySQL’s handling of strings and numbers during value comparison.

This release contains no new features and one other bug fix, for the last tag in the Liquid template language. It is suitable for use on production websites running ChiliProject 3.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.10.0 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive any updates.

Download ChiliProject 3.7.0

What’s included

3.7.0 contains security fixes for Rails (CVE-2013-0277, CVE-2013-0333) and the JSON gem (CVE-2013-0269), which are applied by requiring updated versions of these dependencies in ChiliProject’s bundle. For details on the issues, please refer to the linked posts on the Ruby on Rails security mailing list.

In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirk when comparing strings with numbers: when MySQL compares a string column with a numeric value, it converts the string to a number first, and a string without a numeric prefix converts to 0, so a lookup with a numeric parameter of 0 can match tokens it should not. We found some potential issues in our token handling code, which is used to authenticate users for some access paths. In particular, administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.

The corresponding ChiliProject bugs are:

  • Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
  • Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new versions of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 2.10.0 released: Important Security Update!

ChiliProject 2.10.0 has just been released. This release is a security release to fix security issues in Rails (CVE-2013-0277) and its JSON parameter parser (CVE-2013-0333), in the JSON gem (CVE-2013-0269), and with MySQL’s handling of strings and numbers during value comparison.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.7.0. It is suitable for use on production websites running ChiliProject 2.x. Due to the severity of these issues, all ChiliProject administrators are urged to update their installation immediately.

Download ChiliProject 2.10.0

What’s included

2.10.0 contains security fixes for Rails (CVE-2013-0277, CVE-2013-0333) and the JSON gem (CVE-2013-0269), which are applied by requiring updated versions of these dependencies in ChiliProject’s bundle. For details on the issues, please refer to the linked posts on the Ruby on Rails security mailing list.

In addition to these issues, we audited our own codebase for potential issues with the recently published MySQL quirk when comparing strings with numbers: when MySQL compares a string column with a numeric value, it converts the string to a number first, and a string without a numeric prefix converts to 0, so a lookup with a numeric parameter of 0 can match tokens it should not. We found some potential issues in our token handling code, which is used to authenticate users for some access paths. In particular, administrators who run ChiliProject on MySQL and have enabled the REST API, or have enabled the lost password feature (which is enabled by default), are potentially vulnerable and should upgrade immediately. Users running SQLite or PostgreSQL are not affected by this issue.
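The MySQL comparison quirk behind the token issue in this and the 3.7.0 announcement above is easiest to see in code. The following is an added example, not ChiliProject’s own code: it emulates MySQL’s string-to-number conversion in plain Ruby so it runs without a database, and shows a token lookup that accepts whatever the request parser produced beside one that insists on a well-formed token string. The sample tokens, the function names `find_by_token_vulnerable` / `find_by_token_hardened` and the 32-hex-digit token format are constructed for illustration.

```ruby
# Added illustration, not ChiliProject code: why "WHERE token = 0" is
# dangerous on MySQL. MySQL converts a string to a number before comparing
# it with a numeric operand; a string with a leading numeric prefix becomes
# that prefix (exponent included), any other string becomes 0. The helpers
# below emulate that rule so the example runs without a database.

# Emulates MySQL's string-to-number conversion for a comparison operand.
def mysql_to_number(str)
  m = str.match(/\A\s*[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?/)
  m ? m[0].to_f : 0.0
end

# Emulates "WHERE token_column = ?" as MySQL evaluates it when the column
# is a string: a numeric parameter forces the conversion above, a string
# parameter is compared as text.
def mysql_equal(column_value, param)
  if param.is_a?(Numeric)
    mysql_to_number(column_value) == param.to_f
  else
    column_value == param.to_s
  end
end

# Constructed sample rows standing in for stored API keys / lost-password
# tokens (hex strings, as such tokens usually are).
TOKENS = [
  { id: 1, user: 'alice', value: 'f7a9c2e4b1d08d3f0e6a9b5c4d2e1f0a' },
  { id: 2, user: 'bob',   value: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6' },
  { id: 3, user: 'carol', value: '9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b' },
].freeze

# Vulnerable lookup: the parameter goes straight into the comparison. Rails'
# JSON and XML parameter parsers can produce an Integer (e.g. {"key": 0}), and
# under MySQL semantics 0 equals every token that does not start with a digit.
def find_by_token_vulnerable(param)
  TOKENS.select { |row| mysql_equal(row[:value], param) }
end

# Hardened lookup: accept only a String in the token's own format, so a
# numeric parameter never reaches the query at all. (Calling #to_s on the
# parameter before querying also works; the explicit format check is stricter.)
def find_by_token_hardened(param)
  return [] unless param.is_a?(String) && param.match?(/\A[0-9a-f]{32}\z/)
  TOKENS.select { |row| row[:value] == param }
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable, param 0:   #{find_by_token_vulnerable(0).map { |r| r[:user] }.inspect}"
  puts "vulnerable, param 9e8: #{find_by_token_vulnerable(900_000_000).map { |r| r[:user] }.inspect}"
  puts "hardened,   param 0:   #{find_by_token_hardened(0).map { |r| r[:user] }.inspect}"
end
```

Note the third token: because it begins with `9e8`, MySQL reads it as 900000000, so it does not match 0 but does match that integer. The point is that the database, not the application, decides what a numeric parameter means, which is why rejecting non-string parameters before the query is the robust fix and why SQLite and PostgreSQL (which compare the values as text or raise a type error) are not affected.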

The corresponding ChiliProject bugs are:

  • Bug #1233: Bump rails to 2.3.17 to address [CVE-2013-0276]
  • Security – Bug #1234: Potential vulnerability in token authentication when running on MySQL

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new versions of Rails and the JSON gem. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 3.5.1 released: Security Release

ChiliProject 3.5.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty WHERE clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we recommend that all users of ChiliProject download and install the security release as soon as possible.

Users of the old 2.x release branch, please check the ChiliProject 2.8.1 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.1

What’s included

3.5.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)

How to upgrade

Please follow the Upgrade Guide in our Wiki.

ChiliProject 2.8.1 released: Security Release

ChiliProject 2.8.1 has just been released. This release is a security release to fix a security issue in Rails (CVE-2013-0155) which allows attackers to issue unexpected database queries with IS NULL or empty WHERE clauses. The vulnerability does not allow attackers to insert arbitrary values into an SQL query.

Additional details are available in the updated advisory of the Rails project.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.5.1. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release as soon as possible. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 2.8.1

What’s included

2.8.1 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with “IS NULL” or empty where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn’t expect it.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660, and CVE-2012-2694. Even if you upgraded to address those issues, you must take action again.

The corresponding ChiliProject bug is:

  • Security – Bug #1208: Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155)

How to upgrade

Please follow the Upgrade Guide in our Wiki.

ChiliProject 3.5.0 released: Important Security Update!

ChiliProject 3.5.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) which allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. This bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.8.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.0

What’s included

3.5.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.
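To make the type-casting problem described in the quoted advisory concrete, here is an added example in Ruby; it is not Rails’ or ChiliProject’s code. It models, much simplified, the idea behind the Rails 2.3 typed XML parameter parsing: the request declares a type for each element and the server looks that type up in a table of converters. The converter keys (`string`, `integer`, `float`, `boolean`, `symbol`, `yaml`) are Rails 2.3’s XML type names; the table layout, the function names and the sample request fragment are illustrative assumptions.

```ruby
require 'yaml'

# Added illustration, not Rails' or ChiliProject's code. Each XML element may
# carry a type attribute (<role type="symbol">admin</role>) and the server
# picks a converter by that name. Because the request chooses the converter,
# any entry that interprets the text as Ruby data rather than as a value is
# attack surface; CVE-2013-0156 abused exactly that.

# Converters that only produce plain values from untrusted text.
SAFE_CONVERTERS = {
  'string'  => ->(s) { s },
  'integer' => ->(s) { Integer(s, 10) },
  'float'   => ->(s) { Float(s) },
  'boolean' => ->(s) { %w[1 true].include?(s.strip.downcase) },
}.freeze

# Pre-fix shape: the same table plus the two entries the advisory calls
# unsuitable. "symbol" lets a client mint unlimited Symbols (not garbage
# collected on the Ruby of that era, so a memory DoS); "yaml" lets it describe
# arbitrary Ruby objects, which is how code execution was reached.
UNSAFE_CONVERTERS = SAFE_CONVERTERS.merge(
  'symbol' => ->(s) { s.to_sym },
  'yaml'   => ->(s) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(s) : YAML.load(s) },
).freeze

# Casts one element's text using the converter table; an unknown type is
# left as the original String instead of raising, so clients cannot probe
# for converters by error message.
def cast_param(converters, type, raw)
  conv = converters[type]
  conv ? conv.call(raw) : raw
end

# Constructed request fragment: (element name, declared type, text content)
# as an attacker-controlled XML body would decode before casting. The yaml
# payload is harmless here (it only builds an Array), but the same slot
# accepts any !ruby/object tag.
TYPED_PARAMS = [
  ['title', 'string',  'Weekly report'],
  ['id',    'integer', '42'],
  ['role',  'symbol',  'admin'],
  ['note',  'yaml',    "---\n- not\n- a\n- string\n"],
].freeze

# Returns { name => cast value } for the whole fragment.
def cast_all(converters)
  TYPED_PARAMS.each_with_object({}) do |(name, type, raw), out|
    out[name] = cast_param(converters, type, raw)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe table: #{cast_all(UNSAFE_CONVERTERS).inspect}"
  puts "safe table:   #{cast_all(SAFE_CONVERTERS).inspect}"
end
```

With the unsafe table the `role` parameter arrives as a Symbol and `note` as an Array, although the application only ever asked for strings; with the reduced table both stay Strings. The advisory’s workaround was to delete the `yaml` and `symbol` entries from the parser’s conversion table, and the fixed Rails releases made that the default. The general lesson is that a deserializer selected by the client must be limited to an allowlist of value types.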

The corresponding ChiliProject bug is:

  • Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle, and ChiliProject will refuse to start.

ChiliProject 3.2.2 released

ChiliProject 3.2.2 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allow attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6; we have backported the fixes to the Rails version we currently use.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the 2.7.3 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the web framework ChiliProject is built on. The bugs were announced by the Rails team and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 3.2.2

What’s included

3.2.2 includes two security fixes

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

ChiliProject 2.7.3 released

ChiliProject 2.7.3 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allow attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6; we have backported the fixes to the Rails version we currently use.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.2. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the web framework ChiliProject is built on. The bugs were announced by the Rails team and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 2.7.3

What’s included

2.7.3 includes two security fixes which were backported from ChiliProject 3.2.2.

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.2.2.

ChiliProject 3.2.0 released

ChiliProject 3.2.0 has just been released. It includes some new features and bug fixes for ChiliProject 3.1.0 as well as a security fix for Rails which was backported to our version. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 2.x release branch, please check the 2.7.2 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.2.0

What’s included

3.2.0 includes 18 bug fixes (including one security fix), 5 features and 1 task for 3.1.0.

The security fix addresses a bug in the parsing of requests by ActionPack. The bug (CVE-2012-2660) was fixed in Rails 3.2.4 and was backported to the Rails version used by us.

The full list of changes is below:

  • Bug #844: Set autocomplete=off for some fields in Registration form
  • Bug #863: missing journals fixture at test/unit/issue_test.rb
  • Bug #950: jQuery AJAX requests don’t include CSRF token
  • Bug #966: “edit own notes” fails since 3.1.0
  • Bug #967: Menu – Missing translations (French)
  • Bug #968: Forum threads aren’t always displaying “Last Message”
  • Bug #969: Forum URLs in the menu are missing the project_id
  • Bug #970: Long version titles extend outside the group menu when expanding Roadmap
  • Bug #974: menu link broken in duplicate issue mode
  • Bug #975: Start Date is not saved for Versions
  • Bug #984: Cannot unlock a forum thread
  • Bug #986: Notification Mail for Wiki-Changes doesn’t contain change comment
  • Bug #994: select all in issue list isn’t working
  • Bug #1007: Right clicking on item in roadmap displays menu at incorrect position
  • Bug #1008: error 500 when uploading a new file to an existing document
  • Bug #1024: Select multiple issues with shift key in issue list
  • Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
  • Bug #1033: Replace vendored gravatar lib by gem
  • Feature #749: Git Integration: Property Main Branch
  • Feature #947: Reformat the CSS files to use a standard
  • Feature #983: Bulgarian translation of several strings
  • Feature #988: Swedish translation of several strings
  • Feature #1016: Limit height of project drop down menu
  • Task #982: Updated czech localization for chiliproject 3.1

Contributors to 3.2.0

  • Andrew Smith
  • Björn Blissing
  • Eric Davis
  • Felix Schäfer
  • Gabriel Mazetto
  • Holger Just
  • Ivan Cenov
  • Jean-Philippe Lang
  • Justin Geibel
  • Sébastien Santoro
  • Spenser Jones
  • Toshi MARUYAMA

What’s next?

As some of you might have noticed, this release was a bit delayed. This was necessary because all members of the core team were heavily occupied with their lives outside of the Open Source space recently, mostly by completing University assignments. However, we are confident that this period is now over and we strive to return to our regular release schedule. We hope you understand our situation and continue to support us on our path to create the best project management solution out there.

Going further, we will intensify our work on the new branch for the 4.0 release where we are going to upgrade to Rails 3.2. The details of this conversion process as well as some more insight into our roadmap are going to be detailed in their own blog posts in the next days.

In closing, go and download ChiliProject 3.2.0 now.

ChiliProject 2.7.2 released

ChiliProject 2.7.2 has just been released. This release is a security release to fix a security issue in Rails (CVE-2012-2660). It addresses a bug in the parsing of requests by ActionPack. It was fixed in Rails 3.2.4 and was backported to the Rails version used by us.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download the release. For more information about the bug, please see the release announcement for ChiliProject 3.2.0.

Download ChiliProject 2.7.2

What’s included

2.7.2 includes a security fix which was backported from ChiliProject 3.2.0.

  • Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.2.0.