ChiliProject 3.5.0 released: Important Security Update!

ChiliProject 3.5.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) that allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. The bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.8.0 release which includes the security fix. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.5.0

What’s included

3.5.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.

The corresponding ChiliProject bug is:

  • Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!
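The advisory quoted above traces the problem to a type-casting table that accepted conversions unsafe for untrusted input (YAML deserialization and symbol creation). The following Ruby snippet is an added illustration, not ChiliProject or Rails code: it mirrors the shape of such a table with an allowlist of safe conversions only, so a parameter tagged `yaml` or `symbol` stays an ordinary string and is reported for logging. The module name, the `cast`/`cast_params` helpers and the sample parameter entries are all constructed for this example.

```ruby
require 'date'

# Added example (not ChiliProject or Rails code). A parameter type-caster built
# from an allowlist: only conversions that are safe on untrusted input exist,
# so request-supplied type tags such as "yaml" or "symbol" can never trigger
# deserialization or symbol creation. All names below are constructed.
module SafeParamTypecast
  SAFE_CONVERSIONS = {
    'integer' => ->(s) { Integer(s) },
    'float'   => ->(s) { Float(s) },
    'boolean' => ->(s) { %w[1 true].include?(s.strip.downcase) },
    'date'    => ->(s) { Date.iso8601(s) },
    'string'  => ->(s) { s },
  }.freeze

  # Type tags the pre-fix parser accepted that must never be applied to
  # user input (see the quoted advisory). Listed only so they can be reported.
  UNSAFE_TYPES = %w[yaml symbol].freeze

  # Cast one value. Anything not in the allowlist, and any value that fails
  # to parse, is left as the raw string it arrived as.
  def self.cast(type, raw)
    conv = SAFE_CONVERSIONS[type.to_s.downcase]
    return raw unless conv
    conv.call(raw)
  rescue ArgumentError
    raw
  end

  # Cast a list of parsed parameter entries ({name:, type:, value:}), the
  # shape a parser would produce from <role type="yaml">...</role>.
  # Returns [params, flagged]; flagged lists parameters that asked for an
  # unsafe type and should be logged as suspicious.
  def self.cast_params(entries)
    params  = {}
    flagged = []
    entries.each do |entry|
      type = entry[:type].to_s.downcase
      flagged << entry[:name] if UNSAFE_TYPES.include?(type)
      params[entry[:name]] = cast(type, entry[:value])
    end
    [params, flagged]
  end

  # Constructed sample request, standing in for parsed XML parameters.
  SAMPLE_ENTRIES = [
    { name: 'id',    type: 'integer', value: '42' },
    { name: 'done',  type: 'boolean', value: 'true' },
    { name: 'title', type: nil,       value: 'Fix login' },
    { name: 'role',  type: 'yaml',    value: '--- :admin' },
  ].freeze
end

if __FILE__ == $PROGRAM_NAME
  params, flagged = SafeParamTypecast.cast_params(SafeParamTypecast::SAMPLE_ENTRIES)
  puts params.inspect
  puts "unsafe type tags requested for: #{flagged.join(', ')}" unless flagged.empty?
end
```

Rails 2.3.15 takes the same approach by removing the YAML and Symbol conversions from its parameter parsing, which is why the upgrade alone closes the hole; a check like `cast_params` is mainly useful for spotting requests that still try to use those type tags.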

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.
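The upgrade note above says ChiliProject refuses to start until the bundle contains the fixed Rails. An independent check an administrator can run before restarting is to read `Gemfile.lock` and compare the resolved `rails` and `actionpack` versions against 2.3.15. The following Ruby script is an added example, not part of ChiliProject or the Upgrade Guide; the lockfile excerpt is constructed, and the `locked_versions`/`outdated_gems` helpers and the `MIN_SAFE` table are assumptions made for this illustration.

```ruby
require 'rubygems' # for Gem::Version comparisons

# Constructed Gemfile.lock excerpt for a not-yet-upgraded install
# (not taken from a real ChiliProject checkout).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (2.3.14)
        activesupport (= 2.3.14)
        rack (~> 1.1.0)
      rails (2.3.14)
        actionpack (= 2.3.14)
      rake (0.9.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 2.3.14)
LOCK

# Minimum versions that contain the fix named in the announcement
# (Rails 2.3.15). Assumed table for this example.
MIN_SAFE = { 'rails' => '2.3.15', 'actionpack' => '2.3.15' }.freeze

# Return {gem_name => Gem::Version} for every resolved spec in the lockfile.
# Resolved gems sit under "specs:" indented by exactly four spaces; their
# dependency lines are indented further and are skipped.
def locked_versions(lockfile)
  versions = {}
  in_specs = false
  lockfile.each_line do |line|
    in_specs = false if line.strip.match?(/\A[A-Z]+\z/) # GEM, PLATFORMS, ...
    in_specs = true  if line.strip == 'specs:'
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)/
      versions[$1] = Gem::Version.new($2)
    end
  end
  versions
end

# Names of gems that are present in the lockfile but below their minimum.
def outdated_gems(lockfile, minimums = MIN_SAFE)
  locked = locked_versions(lockfile)
  minimums.select do |name, min|
    locked.key?(name) && locked[name] < Gem::Version.new(min)
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  lockfile = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  bad = outdated_gems(lockfile)
  if bad.empty?
    puts 'bundle contains the fixed Rails'
  else
    puts "still vulnerable, run bundle update: #{bad.join(', ')}"
  end
end
```

Run it as `ruby check_lock.rb /path/to/chiliproject/Gemfile.lock`; with no argument it evaluates the constructed excerpt and reports both gems as outdated.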

ChiliProject 2.8.0 released: Important Security Update!

ChiliProject 2.8.0 has just been released. This release is a security release to fix a severe security issue in Rails (CVE-2013-0156) that allows attackers to inject and execute arbitrary code on the server hosting ChiliProject. The bug was fixed in Rails 2.3.15, which is included in this release of ChiliProject.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.5.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.8.0

What’s included

2.8.0 contains 1 security fix for Rails. To quote the impact section from the announcement to the Rails security list:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately.

The corresponding ChiliProject bug is:

  • Security – Bug #1200: Multiple vulnerabilities in parameter parsing in Action Pack (CVE-2013-0156)

This was also reported as Bug #1201 by Roger Hunwicks, thanks for that!

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.

ChiliProject 2.7.4 released

ChiliProject 2.7.4 has just been released. This release is a security release to fix two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) in Rails. All of these bugs were fixed upstream in Rails; we have included the fixes from Rails or backported them to the version of Rails ChiliProject currently uses.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.4.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.7.4

What’s included

2.7.4 includes three security fixes which were backported from ChiliProject 3.4.0.

  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.4.0.

ChiliProject 3.4.0 released

ChiliProject 3.4.0 has just been released. It includes lots of bug fixes for ChiliProject 3.3.0 as well as 3 security fixes. It is suitable for use on production websites and we highly recommend that all users download the release as soon as possible.

Download ChiliProject 3.4.0

What’s included

3.4.0 includes 3 security fixes for Rails as well as 11 bug fixes for 3.3.0. The security fixes fix two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) of Rails.

The full list of changes:

  • Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier
  • Bug #1087: Document category is not saved properly
  • Bug #1090: List of saved queries is not accessible outside of a project
  • Bug #1111: use a monospace font in wiki-text
  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Bug #1118: Missing caption in file redmine.rb
  • Bug #1134: HEAD is not considered a read-only method in Redmine.pm
  • Bug #1142: Darcs repository adapter doesn’t work with newer versions (~2.5) of Darcs
  • Bug #1144: configuration.yml.example is broken
  • Bug #1188: Selecting “Current project and its subprojects” isn’t saving.
  • Bug #1194: Problems migrating from chili 2.0.0 to 3.3.0
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
  • Bug #1197: Links to new and existing Pages in chili wikis have the same color. Thats boring.
  • Task #1192: Add a CONTRIBUTION document

Contributors to 3.4.0

  • Alf Gaida
  • Carlos Moreira
  • Felix Schäfer
  • Holger Just
  • Jean-Philippe Lang
  • Toshi MARUYAMA

Going forward: get involved!

After the dry spell we went through in the last few months, the ChiliProject Team wants to get things going again. We still want to get more people involved in ChiliProject and are looking for ways for the Team to communicate outwards but also for the Community as a whole to better communicate. We’re also going to apply more focus on the technology and code work, which will mean some hard-to-make decisions and harsh cuts, but we think those will help us make better progress now and things easier later.

On the community side of things, we’re going to try having a development and a general mailing list. This might sound like an old idea, but it’s one we’ve been discussing on and off since the beginnings of ChiliProject. The biggest concern was that it would split discussions even further than they already are, but the fact is we don’t have correctly functioning discussions at all at the moment. You can find more arguments in the ChiliProject forums. Anyone interested in discussing all things ChiliProject, or just following what we’re discussing, can get on the chiliproject-devel Google Group. There’s only one list for the moment; should things get too crowded there, we’ll open more as needed.

On the code side of things, one thing we learnt the hard way was that we’re too few people for too much work / too many goals. One of our top priorities was trying to decruft the codebase, but we’ve been held back amongst other things by concerns about compatibility (backward, with Redmine, with plugins and so on) and not dropping features even if we don’t think they’re central to ChiliProject. All those things have cost us a lot of time and energy, and we don’t think we can afford that anymore. Current candidates for legacy we’d like to shed are the Darcs adapter and the old Rails 2.3 Engines currently used for ChiliProject plugins, but more on that in an upcoming post.

So those are the things currently on the minds of the ChiliProject Team. If you want to get involved, want to yell at us, tell us that we are wrong or just want to read more about where ChiliProject is headed, sign up to the chiliproject-devel Google Group and chat with us.

Retrospective

So the last 6 months happened. Many of you rightly noted that ChiliProject development halted to near nothingness in that time and Holger and I are not only very sorry but also feel guilty about that (anyone who wants to know why one can feel guilty about a voluntary contribution, go read the excellent article Open Source Guilt & Passion by Nick of 37signals). I’m writing this post to try to explain what happened in that time. It’s not meant as an excuse, rather it’s a retrospective to try to avoid this in the future, ideas welcome. We’re also working on getting the ball rolling again, but more on that in a coming blogpost.

One thing that took a lot of time in the past months was University. Holger actually is not a student anymore as he finished his thesis and graduated as a Master in Software Engineering last summer, congrats for that! I don’t have as much to show for it but between work and studies, the time I had left for ChiliProject was little and far between.

Speaking of work, the more important change in our time for ChiliProject went down in October and November. Those of you on board with us since the beginning might remember that we started ChiliProject backed by our then employer finnlabs. finnlabs made several contributions in the months following that, including the current design (thanks for that!), but the way those contributions were made didn’t correspond to what ChiliProject expected. The passing months only went to show that the way Holger, Eric and I envisioned Open Source for ChiliProject wasn’t compatible with the type of Open Source work finnlabs was willing to do, ultimately leading to finnlabs working on their own fork of ChiliProject (rebranded since then). Holger’s and my growing frustration with finnlabs also led us to quit finnlabs, and we have been working with Plan.io since October and November 2012 (you can read Holger’s and my introductory blog posts on the Plan.io blog). Our current work at Plan.io consists of Redmine hosting and development, so we’re still pretty near to what we’re doing here 🙂

Now that the dust has mostly settled over our job and company changes, we’re looking forward to working again on ChiliProject, but as mentioned earlier, that’s for another blog post!

Team changes

We’re always looking for people helping us to make ChiliProject better and we are lucky to have some great contributors investing their free time to fix bugs and generally improve ChiliProject.

In the last couple of weeks, one contributor stood out in particular as he has been steadily submitting improvements to the user interface part of ChiliProject, sanitizing and modernizing the HTML and JavaScript little by little. We were impressed by his patience and the perseverance he showed when providing his technical knowledge and when including our feedback in the areas he contributes to. Consequently, the ChiliProject team unanimously decided to ask him to join our team of core developers. I am very pleased to welcome Andrew Smith on board and we’re looking forward to working even more closely with him.

Going forward, Andrew plans to finish the migration to jQuery away from Prototype, support a fully responsive design, rewrite the CSS to SASS, and apply a lot more Web 2.x and Rails 3+ buzzwords. You can often find him in the ChiliProject IRC channel as EspadaV8, on Twitter as @EspadaV8 and on GitHub as EspadaV8. In his day job he is a PHP developer for an advertising agency in Brisbane, Australia and aside from working on ChiliProject he spends his free time cycling and reading SciFi and Fantasy.

The other change in the team is about someone several of you have inquired about. Unfortunately, we have to announce that Eric Davis is stepping down as the Project Lead of ChiliProject. He and his wife had the joy to welcome a new member to their family earlier this year and he doesn’t feel the little time he can spare for ChiliProject will allow him to live up to the role of the Project Lead. Eric won’t leave us completely and will continue to be a member of the ChiliProject team. We all thank him for his hard work and guidance and hope to see his contributions extend again once he can justify it.

The team unanimously elected Holger Just as the new Project Lead. Holger’s primary new responsibility is to settle any deadlocks in decision making, but he will still be a member among others of the ChiliProject team. Furthermore, his expressed opinions will continue to be only his own unless explicitly stated otherwise. Please read the Project Lead page in the wiki for more information or get in touch with us if some things seem unclear.

ChiliProject 3.3.0 released

ChiliProject 3.3.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.2.2. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Download ChiliProject 3.3.0

What’s included

3.3.0 includes 12 bug fixes and 8 features for 3.2.2 and fixes 1 regression introduced in 3.2.0.

The regression fix addresses an issue encountered by some plugins explicitly requiring a vendored gravatar library which was replaced in 3.2.0. Most of the features are Andrew Smith’s work to move the JavaScript parts of ChiliProject to jQuery and to sanitize the HTML a bit. His most noticeable contribution is the datepicker, which uses the “native” browser datepicker where available (recent Chrome versions, Opera, mobile browsers, …) and the jQuery UI datepicker elsewhere. Thanks a lot Andrew!

New to the ChiliProject “ecosystem” are also a Chef Cookbook and a Vagrant file. Chef is configuration management software; with it and the ChiliProject Chef Cookbook you can deploy, install, and update ChiliProject instances and the software they depend on quickly and effortlessly. Vagrant is virtual machine management and control software; with the ChiliProject Vagrant file you can download, provision, configure and start a VM with ChiliProject installed in 4 commands. Please note, though, that both projects are still in their early stages; make sure to read their READMEs carefully before using them in critical environments.

The full list of changes:

  • Bug #935: Serialization problem in Setting model
  • Bug #944: Engines::Testing.set_fixture_path appends array to $LOAD_PATH in Ruby 1.9
  • Bug #952: Engines tests are broken in current versions of Ruby
  • Bug #979: Register / Login not available if authentication required
  • Bug #1050: Create vagrant file/chef cookbook
  • Bug #1051: HTML tag should use users language
  • Bug #1063: Hover on even table rows doesn’t highlight
  • Bug #1067: Upgrade 20100714111653_build_initial_journals_for_acts_as_journalized.rb crashed with method_missing “repo_log_encoding”
  • Bug #1070: Re-compress all the image assets
  • Bug #1074: Rake tasks of plugins in vendor/chiliproject_plugins are not loaded
  • Bug #1075: Can no longer render unordered lists within ordered lists
  • Bug #1078: “incompatible character encoding” with LDAP auth
  • Feature #817: Replace the current custom datepicker with the one shipped with jQuery UI
  • Feature #1017: Custom style (css) per project
  • Feature #1018: Switch to an HTML5 doctype
  • Feature #1046: Enable use of the “<<me>>” operator when querying custom fields
  • Feature #1054: Include modernizr JS
  • Feature #1055: Add a today variable to liquid
  • Feature #1056: Replace the table soup progress bars with HTML5 meters
  • Feature #1076: Update jQuery libraries to their latest version

Contributors to 3.3.0

  • Andrew Smith
  • Felix Schäfer
  • Gregor Schmidt
  • Harald Klimach
  • Holger Just
  • Jan Vlnas
  • Jean-Philippe Lang
  • Romano Licker
  • Steffen Schüssler

In closing, go and download ChiliProject 3.3.0 now.

ChiliProject 3.2.2 released

ChiliProject 3.2.2 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allow attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported them to the version of Rails we use right now.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the 2.7.3 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the Web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 3.2.2

What’s included

3.2.2 includes two security fixes:

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

ChiliProject 2.7.3 released

ChiliProject 2.7.3 has just been released. This release is a security release to fix two security issues in Rails (CVE-2012-2694 and CVE-2012-2695) which allow attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported them to the version of Rails we use right now.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.2. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

We apologize for the unusually large number of patch releases lately. The vulnerabilities fixed in this and the last release are located in Ruby on Rails, the Web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible, we release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 2.7.3

What’s included

2.7.3 includes two security fixes which were backported from ChiliProject 3.2.2.

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.2.2.