Tag: 1.x series

ChiliProject 1.5.5 Released

ChiliProject 1.5.5 has just been released. This release is a security release to fix a cache poisoning bug in the bundled Redmine.pm module, which can be used for authenticating and authorizing Subversion or Git users for repositories served through Apache. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.5.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.5

What’s included

1.5.5 includes a security fix which was back ported from ChiliProject 2.5.0.

  • Bug #709: Redmine.pm potential security issue with cache credential enabled and subversion

All users of ChiliProject who use the bundled Redmine.pm module are strongly advised to update their installations as soon as possible as the resolved issue potentially allows users to access restricted repository data.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it. Currently it is only addressed in the trunk and 1.3-stable branch in the repository. You should either upgrade or apply the fix in the issue manually.

Contributors to 1.5.5

I’d like to thank all of the contributors to the 1.5.5 release.

  • Holger Just
  • Jean-Philippe Lang

We would like to especially thank Niels Lindenthal who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.5.0.

ChiliProject 1.5.4 released

ChiliProject 1.5.4 has just been released. This release is a security release to fix a Cross-Site-Scripting bug (XSS) that was discovered in ChiliProject 1.5.3. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.4.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.4

What’s included

1.5.4 includes a security fix that was back ported from ChiliProject 2.4.0.

  • Bug #647: XSS: User input for images is not properly sanitized

All users of ChiliProject are strongly advised to update their installations as soon as possible as the resolved issue allows users able to add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it. Currently it is only addressed in the trunk and 1.2-stable branch in the repository. You should either upgrade or apply the fix in the issue manually.

Contributors to 1.5.4

I’d like to thank all of the contributors to the 1.5.4 release.

  • Etienne Massip
  • Holger Just
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date the 1.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.4.0.

ChiliProject 1.5.3 released

ChiliProject 1.5.3 has just been released. This release is a security release to fix numerous major security bugs that were discovered in ChiliProject 1.5.2. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.3.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.3

What’s included

1.5.3 includes 1 minor security fix that was back ported from ChiliProject 2.3.0.

  • Bug #619: Redmine.pm allows anonymous read access to repositories even if Anonymous role prohibits it

Unless you use the Repository integration, you do not need to update your installation as the fix of Redmine.pm is the only update included in this release.

Contributors to 1.5.3

I’d like to thank all of the contributors to the 1.5.3 release.

  • Holger Just
  • Jan Schulz-Hofen

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates from now on. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.3.0.

ChiliProject 1.5.2 Released

ChiliProject 1.5.2 has just been released. This release is a security release to fix numerous major security bugs that were discovered in ChiliProject 1.5.1. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.1.1. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.2

What’s included

1.5.2 includes 1 major security fix that was back ported from ChiliProject 2.1.1.

  • Bug #557: Multiple XSS vulnerabilities

Contributors to 1.5.2

I’d like to thank all of the contributors to the 1.5.2 release.

  • Eric Davis
  • Holger Just

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates from now on. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.1.1.

ChiliProject 1.5.1 Released

ChiliProject 1.5.1 has just been released. This release is a security release to fix two security bugs in ChiliProject 1.5.0. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.1.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.1

What’s included

1.5.1 includes 2 security fixes that were back ported from ChiliProject 2.1.0.

  • Bug #536: CSRF Protection
  • Bug #544: XSS in app/views/issues/show.rhtml

Contributors to 1.5.1

I’d like to thank all of the contributors to the 1.5.1 release.

  • Eric Davis
  • Holger Just
  • Jan Schulz-Hofen
  • Joernchen of Phenoelit

I would especially like to thank Joernchen of Phenoelit and Jan Schulz-Hofen for reporting the security bugs to us through the correct channels.

If you think you have found a security bug in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates from now on. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 2.1.0.

ChiliProject 1.5.0 Released

ChiliProject 1.5.0 has just been released. This release is a security release to fix a potential XSS bug in the Remote Authorization Sources (e.g. LDAP Authentication). It is suitable for use on production websites and we recommend that all users download the release.

Download ChiliProject 1.5.0

What’s included

1.5.0 includes 1 security bug fix and 1 small feature.

  • Bug #490: XSS in app/views/auth_sources/index.html.erb
  • Feature #488: Hook for additional formats on Wiki#show page

Contributors to 1.5.0

I’d like to thank all of the contributors to the 1.5.0 release.

  • Eric Davis
  • Felix Schäfer
  • Jan Schulz-Hofen
  • MAEDA, Go
  • Tom Kersten

We would also like to especially thank MAEDA, Go for reporting and providing a patch to the potential XSS security vulnerability.

Migrating from Redmine

We have tested migrating several different Redmine sites and have documented an easy upgrade process on our wiki. This release is also compatible with existing Redmine themes and plugins. If you have any questions or need help with the migration, please come by our IRC channel or forums.

What’s Next?

We are working on the final bug fixes for the next release candidate for ChiliProject 2.0.0. If you’re interested in participating or helping out the development, please leave a comment below or post to our forums.

ChiliProject 1.4.0 Released

The 1.4.0 release of ChiliProject is now finished and ready to be downloaded. This release is the fourth release in our 1.x stable line of code and is suitable for use on production websites.

Download ChiliProject 1.4.0

What’s included

1.4.0 includes 12 bug fixes and 4 small features. It is recommended that all production websites are upgraded.

  • Bug #81: Replace favicon
  • Bug #311: Update the watcher list on “watch”-link click
  • Bug #322: reposman.rb doesn’t work with Rubygems >= 1.6.0
  • Bug #340: Properly format blockquotes in HTML mails
  • Bug #357: Wrap long text fields properly in PDF exports
  • Bug #360: Set autocomplete=off for some fields in user form
  • Bug #373: Issue auto completion returns duplicates
  • Bug #374: HTML-escaped URLs in JavaScript
  • Bug #379: Help controller headings rendered differently in Ruby 1.9
  • Bug #380: Wiki-Help Page
  • Bug #424: Loading issue context menu causes two identical AJAX requests
  • Bug #425: Deprecation warning when using ChiliProject with Rake 0.9
  • Feature #202: Adding the theme used on chiliproject.org to the repository
  • Feature #304: Add a helper to format user lists
  • Feature #361: [Cleanup] Removing code comment, by answering the implied question in wikitoolbar_for helper
  • Feature #362: Introduce Help controller to dynamically generate wiki help pages

Contributors to 1.4.0

I’d like to thank all of the contributors to the 1.4.0 release.

  • Emilio Carlos da Palma
  • Enderson Maia
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Hugo Ferreira
  • Price M.
  • Alf Gaida

Migrating from Redmine

We have tested migrating several different Redmine sites and have documented an easy upgrade process on our wiki. This release is also compatible with existing Redmine themes and plugins. If you have any questions or need help with the migration, please come by our IRC channel or forums.

What’s Next?

We are getting the first release candidate ready for 2.0.0 this weekend. If everything goes as planned, 1.4.0 will be our last release in the 1.x release series and 2.0.0 will be ready for production use next month. If you’re interested in participating or helping out the development, please leave a comment below or post to our forums.

ChiliProject 1.3.0 Released

The 1.3.0 release of ChiliProject is now finished and ready to be downloaded. This release is the third release in our 1.x stable line of code and is suitable for use on production websites.

Download ChiliProject 1.3.0

What’s included

1.3.0 includes only 3 bug fixes but one of them is a potential security vulnerability. It is recommended that all production websites are upgraded as soon as possible.

  • Bug #309: The login screen after lost_password redirects back to lost_password after you login
  • Bug #347: Potential Security Vulnerability – Execution After Redirect
  • Bug #352: Errorpage should be modified

Contributors to 1.3.0

I’d like to thank all of the contributors to the 1.3.0 release.

  • Eric Davis
  • Adam Doupé
  • Robert Chady

We would also like to especially thank Adam Doupé for reporting and providing a patch to the potential Execution After Redirect security vulnerability.

Migrating from Redmine

We have tested migrating several different Redmine sites and have documented an easy upgrade process on our wiki. This release is also compatible with existing Redmine themes and plugins. If you have any questions or need help with the migration, please come by our IRC channel or forums.

What’s Next?

We will be continuing to support the 1.x release series with monthly bug-fix releases until 2.0 is ready. Development on 2.0 is progressing nicely and we might be able to have an early release. 2.0 will include updates to Ruby on Rails (2.3.11), updates to other underlying libraries used by ChiliProject, and some new features. If you’re interested in participating or helping out the development, please leave a comment below or post to our forums.

ChiliProject 1.2.0 Released

The 1.2.0 release of ChiliProject is now finished and ready to be downloaded. This release is the second release in our 1.x stable line of code and is suitable for use on production websites.

Download ChiliProject 1.2.0

What’s included

1.2.0 includes 14 bug fixes and 8 small features since 1.1.0.

  • Bug #209: Don’t hardcode user viewable labels (like “Path to .git repository”)
  • Bug #225: Support spaces in scm commands
  • Bug #250: Filter assignee group to Team leaders
  • Bug #251: Make Chili work with RubyGems 1.6
  • Bug #266: Fix monkey patching of rubytree in lib/redmine/menu_manager.rb
  • Bug #267: /issues/changes?format=atom is returning 500 Internal Error
  • Bug #270: Reposman.rb does not consider underscore to be valid char for a project identifier
  • Bug #273: custom autologin cookie name not read
  • Bug #278: Issue Form: Parent autocomplete won’t work with issues under 3 charactors
  • Bug #280: Issues AutoComplete isn’t searching issue ids
  • Bug #281: Cross project issues aren’t showing their project on the Version page
  • Bug #282: Enhance Redmine::SafeAttributes to work for subclasses
  • Bug #302: Protect methods in ApplicationController
  • Bug #305: Toolbar for textile edit fields is buggy in IE8
  • Feature #199: [PATCH] Adding a hook in the heading on showing an issue
  • Feature #219: Add plugin hooks to the mailer layout
  • Feature #230: Allow the loadpaths of themes to be specified in configuration.yml
  • Feature #245: Merge Redmine.pm git smart-http functionality
  • Feature #271: Replace checks for “auth_source_id” with “change_password_allowed?” in UsersController
  • Feature #276: Add Log Time link to the sidebar on Project Overview
  • Feature #283: Check pre-i18n 0.4.2 depreciation
  • Feature #307: Add retro style gravatars
  • Task #246: Document git-smart-http integration
  • Task #308: Remove Redmine::VERSION::BRANCH

Contributors to 1.2.0

I’d like to thank all of the contributors to the 1.2.0 release.

  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Ivan Evtuhovich
  • Jean-Baptiste Barth
  • Jens Ulferts
  • Stephan Eckardt
  • Toshi MARUYAMA
  • Yuki Sonoda

Migrating from Redmine

We have tested migrating several different Redmine sites and have documented an easy upgrade process on our wiki. This release is also compatible with existing Redmine themes and plugins. If you have any questions or need help with the migration, please come by our IRC channel or forums.

What’s Next?

We will be continuing to support the 1.x release series with monthly bug-fix releases until 2.0 is ready. Development on 2.0 has already started and will include updates to Ruby on Rails and other underlying libraries used by ChiliProject. We will be looking for some help and feedback on the new features over the coming months. If you’re interested in participating, please leave a comment below or post to our forums.

ChiliProject 1.1.0 Released

ChiliProject’s first release (1.1.0) is now complete and ready to be downloaded. This release is the first in our 1.x stable line of code since forking from Redmine and is ready for use on production websites.

Download ChiliProject 1.1.0

What’s included

1.1.0 includes everything in Redmine 1.1.1, some recent code from Redmine trunk, and additional features and bug fixes from the ChiliProject team.

  • Bug #64: Forums list shows even if the forum module is not active
  • Bug #81: Replace favicon
  • Bug #85: Crash when saving a wiki page with no content
  • Bug #89: MailHandler is changing the Tracker on issues even when there is no keyword for it
  • Bug #96: Wiki: H4 Headings are too small in toc
  • Bug #109: Backport fix to display full TOC with present <pre> tags
  • Bug #125: User profile does not keep email preferences
  • Bug #133: Add hack for rubygems > 1.5 compatibility
  • Bug #163: Rails: Potential XSS Problem with mail_to :encode => :javascript
  • Bug #171: unit/user_test.rb:138 fails with mysql2 gem
  • Bug #178: Multiselect issues on Mac
  • Bug #190: Change the default Gantt limit to unlimited
  • Feature #101: Change the Help link to point to the ChiliProject site
  • Feature #104: Add email header for the type of message
  • Feature #129: Change public strings of Redmine to ChiliProject
  • Feature #146: Allow underscores in project identifiers
  • Feature #149: Issues – Hide the File upload section
  • Feature #150: Skip the “Text Formatting: Help” link when tabbing
  • Feature #168: [PATCH] RSS autodiscovery for wiki pages
  • Feature #169: [PATCH] hiding form pages from search engines
  • Feature #170: [PATCH] Extensible MailHandler

Contributors to 1.1.0

I’d like to thank all of the contributors to the 1.1.0 release.

  • Eric Davis
  • Eric Thomas
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jean-Baptiste Barth
  • Jean-Philippe Lang
  • Simon COURTOIS
  • Thibaut Deloffre
  • Toshi MARUYAMA
  • Yuki Sonoda

Migrating from Redmine

We have tested migrating several different Redmine sites and have documented an easy upgrade process on our wiki. This release is also compatible with existing Redmine themes and plugins. If you have any questions or need help with the migration, please come by our IRC channel or forums.

What’s Next?

Now that 1.1.0 is released we will begin to work on two new versions following our release process. 1.2.0 will be the next update and is scheduled to be released in March 2011. We will also start development on 2.0 where we will be adding the major new features over the next 6 months.