ChiliProject 3.8.0 released: Security Update

ChiliProject 3.8.0 has just been released. It is a security release that fixes security issues in Rails (CVE-2013-1854, along with other security advisories that are not relevant to ChiliProject).

This release contains no new features and 3 other bug fixes. It is suitable for use on production websites running ChiliProject 3.x. While the issue can only be exploited for DoS attacks, we urge all ChiliProject administrators to update their installation immediately.

Users of the old 2.x release branch, please check the ChiliProject 2.11.0 release which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive any updates.

Download ChiliProject 3.8.0

What’s included

3.8.0 contains a security fix for Rails (CVE-2013-1854), which is handled by requiring an updated version of this dependency in ChiliProject. For details on the issues, please refer to the linked post on the Ruby on Rails security mailing list and the corresponding Rails 2.3.18 announcement on the Ruby on Rails blog.

In addition, this release corrects 3 bugs, including a bug where the datepickers on the start and due dates for new issues would disappear when changing the tracker.

The corresponding ChiliProject bugs are:

  • Bug #1121: Date Picker Icons disappear when changing the Tracker
  • Bug #1164: Error in “rake db:migrate:down VERSION=20100714111652”
  • Bug #1248: Routing issue
  • Security – Bug #1252: Update Rails to 2.3.18

How to upgrade

Please follow the Upgrade Guide in our Wiki. Make sure to run bundle update during the upgrade procedure to install the new version of Rails. If you omit this step, you will receive an error message instructing you to update the bundle and ChiliProject will refuse to start.
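
A post-upgrade check for the step above, as an added example (not part of the ChiliProject announcement or code base): it parses the text of Gemfile.lock and reports any Rails component gem still locked below 2.3.18. The list of component gems and the sample lock file are assumptions constructed for illustration.

```ruby
# Assumption: the Rails 2.3.x component gems expected in the lock file.
RAILS_GEMS = %w[rails activerecord activesupport actionpack actionmailer activeresource].freeze
PATCHED = Gem::Version.new("2.3.18") # Rails version named in this announcement

# Returns {gem name => Gem::Version} for the resolved specs in Gemfile.lock text.
# Resolved specs sit at exactly four spaces of indent; the dependency
# constraints listed under them sit at six spaces and are skipped.
def locked_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, specs|
    m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)\s]+)\)\s*\z/)
    next unless m && Gem::Version.correct?(m[2])
    specs[m[1]] = Gem::Version.new(m[2])
  end
end

# Returns a list of problems; an empty list means every Rails gem is patched.
def rails_lock_problems(lock_text)
  specs = locked_versions(lock_text)
  RAILS_GEMS.each_with_object([]) do |name, problems|
    version = specs[name]
    if version.nil?
      problems << "#{name}: not found in lock file"
    elsif version < PATCHED
      problems << "#{name}: locked at #{version}, expected >= #{PATCHED}"
    end
  end
end

# Constructed sample: a lock file from before `bundle update` was run.
STALE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (2.3.17)
        actionpack (= 2.3.17)
      actionpack (2.3.17)
      activerecord (2.3.17)
      activeresource (2.3.17)
      activesupport (2.3.17)
      rack (1.1.6)
      rails (2.3.17)
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] # optional path to a real Gemfile.lock
  problems = rails_lock_problems(path ? File.read(path) : STALE_LOCK)
  puts problems.empty? ? "All Rails gems locked at >= #{PATCHED}" : problems
end
```

Run it with the path to the installation's Gemfile.lock as the only argument; without an argument it checks the constructed sample.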