Home » release

Tag: release

ChiliProject 2.7.4 released

ChiliProject 2.7.4 has just been released. This release is a security release to fix two XSS vulnerabilities (CVE-2012-3464CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) of Rails. All these bugs were fixed in Rails, we have included the fixes from Rails or backported them to the version of Rails ChiliProject uses right now.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.4.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

Download ChiliProject 2.7.4

What’s included

2.7.4 includes three security fixes which were backported from ChiliProject 3.4.0.

  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.4.0.

ChiliProject 3.4.0 released

ChiliProject 3.4.0 has just been released. It includes lots of bug fixes for ChiliProject 3.3.0 as well as 3 security fixes. It is suitable for use on production websites and we highly recommend that all users download the release as soon as possible.

Download ChiliProject 3.4.0

What’s included

3.4.0 includes 3 security fixes for Rails as well as 11 bug fixes for 3.3.0. The security fixes fix two XSS vulnerabilities (CVE-2012-3464, CVE-2012-3465) and a SQL injection vulnerability (CVE-2012-5664) of Rails.

The full list of changes:

  • Bug #904: Copy workflow doesn’t work on per-author / per-assigned modifier
  • Bug #1087: Document category is not saved properly
  • Bug #1090: List of saved queries is not accessible outside of a project
  • Bug #1111: use a monospace font in wiki-text
  • Security – Bug #1113: Potential XSS Vulnerability in Ruby on Rails
  • Security – Bug #1114: XSS Vulnerability in strip_tags
  • Bug #1118: Missing caption in file redmine.rb
  • Bug #1134: HEAD is not considered a read-only method in Redmine.pm
  • Bug #1142: Darcs repository adapter doesn’t work with newer versions (~2.5) of Darcs
  • Bug #1144: configuration.yml.example is broken
  • Bug #1188: Selecting “Current project and its subprojects” isn’t saving.
  • Bug #1194: Problems migrating from chili 2.0.0 to 3.3.0
  • Security – Bug #1195: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
  • Bug #1197: Links to new and existing Pages in chili wikis have the same color. Thats boring.
  • Task #1192: Add a CONTRIBUTION document

Contributors to 3.4.0

  • Alf Gaida
  • Carlos Moreira
  • Felix Schäfer
  • Holger Just
  • Jean-Philippe Lang
  • Toshi MARUYAMA

ChiliProject 3.2.2 released

ChiliProject 3.2.2 has just been released. This release is a security release to fix two security issues of Rails (CVE-2012-2694 and CVE-2012-2695) which allowe attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported them to the version of Rails we use right now.

This release contains no other bug fixes or new features. It is suitable for use on production websites running ChiliProject 3.x and we highly recommend that all users of ChiliProject download and install the security release immediately.

Users of the old 2.x release branch, please check the 2.7.3 release which includes the security fixes. User still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

We apologize for the unusual large number of patch releases lately. The vulnerabilities fixed in the this and the last release are located in Ruby on Rails, a Web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible we thus release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 3.2.2

What’s included

3.2.2 includes two security fixes

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

ChiliProject 2.7.3 released

ChiliProject 2.7.3 has just been released. This release is a security release to fix two security issues of Rails (CVE-2012-2694 and CVE-2012-2695) which allowe attackers to inject certain forms of SQL into the database queries generated by ChiliProject. The bugs were fixed in Rails 3.2.6. We have backported them to the version of Rails we use right now.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.2. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download and install the security release immediately.

We apologize for the unusual large number of patch releases lately. The vulnerabilities fixed in the this and the last release are located in Ruby on Rails, a Web framework we use as the basis for ChiliProject. The bugs were announced by Rails and are thus publicly known. As we strive to keep our users as secure as possible we thus release security updates as fast as we can to allow responsible administrators to update their installations in a timely fashion and keep their systems secure.

Download ChiliProject 2.7.3

What’s included

2.7.3 includes two security fixes which were backported from ChiliProject 3.2.2.

  • Bug #1036: Ruby on Rails Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)
  • Bug #1037: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-2695)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.2.2.

ChiliProject 3.2.0 released

ChiliProject 3.2.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.1.0 as well as a security fix of Rails which was backported to our version. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 2.x release branch, please check the 2.7.2 release which includes the security fix. User still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.2.0

What’s included

3.2.0 includes 18 bug fixes including one security fix and 6 features for 3.1.0.

The security fix addresses a bug in the parsing of requests by ActionPack. The bug (CVE-2012-2660) was fixed in Rails 3.2.4 and was backported to the Rails version used by us.

The full list of changes is below:

  • Bug #844: Set autocomplete=off for some fields in Registration form
  • Bug #863: missing journals fixture at test/unit/issue_test.rb
  • Bug #950: jQuery AJAX requests don’t include CSRF token
  • Bug #966: “edit own notes” fails since 3.1.0
  • Bug #967: Menu – Missing translations (French)
  • Bug #968: Forum threads aren’t always displaying “Last Message”
  • Bug #969: Forum URLs in the menu are missing the project_id
  • Bug #970: Long version titles extend outside the group menu when expanding Roadmap
  • Bug #974: menu link broken in duplicate issue mode
  • Bug #975: Start Date is not saved for Versions
  • Bug #984: Cannot unlock a forum thread
  • Bug #986: Notification Mail for Wiki-Changes doesn’t contain change comment
  • Bug #994: select all in issue list isn’t working
  • Bug #1007: Right clicking on item in roadmap displays menu at incorrect position
  • Bug #1008: error 500 when uploading a new file to an existing document
  • Bug #1024: Select multiple issues with shift key in issue list
  • Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
  • Bug #1033: Replace vendored gravatar lib by gem
  • Feature #749: Git Integration: Property Main Branch
  • Feature #947: Reformat the CSS files to use a standard
  • Feature #983: Bulgarian translation of several strings
  • Feature #988: Swedish translation of several strings
  • Feature #1016: Limit height of project drop down menu
  • Task #982: Updated czech localization for chiliproject 3.1

Contributors to 3.2.0

  • Andrew Smith
  • Björn Blissing
  • Eric Davis
  • Felix Schäfer
  • Gabriel Mazetto
  • Holger Just
  • Ivan Cenov
  • Jean-Philippe Lang
  • Justin Geibel
  • Sébastien Santoro
  • Spenser Jones
  • Toshi MARUYAMA

What’s next?

As some of you might have noticed, this release was a bit delayed. This was necessary because all members of the core team were heavily occupied with their lifes outside of the Open Source space recently, mostly by completing University assignments. However, we are confident that this period is now over and we strive to return to our regular release schedule. We hope you understand our case and continue to support us in our path to create the best project management solution out there.

Going further, we will intensify our work on the new branch for the 4.0 release where we are going to upgrade to Rails 3.2. The details of this conversion process as well as some more insight into our roadmap are going to be detailed in their own blog posts in the next days.

In closing, go and download ChiliProject 3.2.0 now.

ChiliProject 2.7.2 released

ChiliProject 2.7.2 has just been released. This release is a security release to fix a security issue of Rails (CVE-2012-2660). It addresses a bug in the parsing of requests by ActionPack. It was fixed in Rails 3.2.4 and was backported to the Rails version used by us.

This release contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.2.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download the release. For more information about the bug, please see the release announcement for ChiliProject 3.2.0.

Download ChiliProject 2.7.2

What’s included

2.7.2 includes a security fix which was backported from ChiliProject 3.2.0.

  • Bug #1025: Rails: Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.2.0.

ChiliProject 2.7.1 released

ChiliProject 2.7.1 has just been released. This release is a security release to fix several mass-assignment vulnerabilities. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 3.1.0. It is suitable for use on production websites running ChiliProject 2.x and we highly recommend that 2.x users download the release. For more information about the bug, please see the release announcement for ChiliProject 3.1.0.

Download ChiliProject 2.7.1

What’s included

2.7.1 includes a security fix which was backported from ChiliProject 3.1.0.

  • Bug #922: Mass assignment

Contributors to 2.7.1

I’d like to thank all of the contributors to the 2.7.1 release.

  • Eric Davis
  • Holger Just
  • Jean-Philippe Lang

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 2.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 4.0. After that date the 2.x branch is no longer supported in any way. We recommend upgrading to the current stable version of ChiliProject in order to get general bug fixes and features, currently ChiliProject 3.1.0.

ChiliProject 3.1.0 released

ChiliProject 3.1.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.0.0 as well as some critical security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.

Users of the old 2.x release branch, please check the 2.7.1 release which includes the security fixes. User still running an old 1.x install are strongly encouraged to update to a more recent version as that branch is not supported any more and doesn’t receive updates.

Download ChiliProject 3.1.0

What’s included

3.1.0 includes 20 bug fixes including one security fix and 5 new features for 3.0.0.

The security fix addresses several the mass assignment vulnerabilities in ChiliProject. These allowed users to write certain pieces of data which they should not have been allowed to. However users could not grant themselves access to data they can’t normally access. It was also not possible for non-admins to grant users additional rights.

All of the vulnerabilities existed since the start of the project, most going back to the beginning of Redmine itself. To further mitigate the issue, we are going to review the controller code and add additional means to prevent mass-assignment vulnerabilities in the future. As these changes require some architectural changes, we will spread them out over the future releases as part of our migration to Rails 3.

More information about the way mass-assignment works in Rails can be found at Michael Hartl’s tech blog.

The full list of changes is below:

  • Bug #739: Relative textile links not converted to full URLs in emails
  • Bug #828: uninitialized constant Redmine::Scm::Adapters::CommandFailed in RepositoryController
  • Bug #861: Apply Filter does not work on all-project-activities view
  • Bug #868: Done bar has no filling
  • Bug #869: Issue option list stacked vertically instead of horizontally
  • Bug #873: Incorrect error message text for groups
  • Bug #882: Right click context menu doesn’t show submenu icon.
  • Bug #887: Stacked month (top row)
  • Bug #888: Cannot edit note
  • Bug #891: quotes around path when shelling out does not work on Windows
  • Bug #892: CP code or test assumes ordering where none is guaranteed
  • Bug #896: Enabling “Authentication required” mode returns 404s
  • Bug #903: ActionView::TemplateError (undefined method `new0′ for DateTime:Class)
  • Bug #911: Sub-sub (and deeper) issues CSS rules are overridden
  • Bug #914: comments gets striked through, when description changes before
  • Bug #922: Mass assignment
  • Bug #927: Reposman script problem
  • Bug #929: Missing links in Issues section in left menu bar
  • Bug #933: News RSS Feed tag not populating
  • Bug #939: GMail documentation in configuration.yml.default out of date
  • Feature #559: Group Menus
  • Feature #899: Create a jQuery verison of the context menu
  • Feature #906: Add Link back to Parent of Subtask
  • Feature #915: default bundle install installs old pg version
  • Feature #928: Increase username length limit from 30 to 60

Contributors to 3.1.0

  • Andrew Smith
  • Dominique Feyer
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jean Philippe Lang
  • Martin S
  • Michaël Rigart
  • Robert Mitwicki

In closing, go and download ChiliProject 3.1.0 now.

Chili Cupcake

ChiliProject 3.0.0 released

Chili Cupcake

Almost to the day one year after the first announcement of ChiliProject we are proud to announce the final 3.0.0 release of ChiliProject.

A birthday party is always very exciting, especially the very first one. We have achieved a lot in this year and we have seen a steady stream of new users and contributors to the project. We received great feedback from many people running ChiliProject for their small and medium projects as well as from people running very large instances like the KDE Projects site which hosts Git repositories and provides project management for thousands of developers in the various KDE subprojects.

This release marks a new height as we finally release the long awaited new look-and-feel (new desgin, better usability) into the wild. While we are always working on improving the user experience, this release lays the foundation for the future of ChiliProject.

In ChiliProject 3.0, we introduce a flexible templating system called Liquid. Liquid integration gives users and developers new ways to work with content from various sources and provides the foundation for unprecedented customization options and dynamic content without forcing users to write or deploy Ruby code.

Finally, ChiliProject 3.0 comes with a huge stack of smaller improvements making it more flexible, easy and fun to use.

We are very happy about what we have achieved this past year and confidently look forward to a very bright future.

Download ChiliProject 3.0.0

With this release, the 2.x branch enters maintenance mode. From now on until the release of 4.0.0 (planned for this summer), the 2.x branch will receive security updates only. The final regular version of the 2.x branch is 2.7.0 which was released today.

The old ChiliProject 1.x branch will be considered unsupported from now on. We will not provide any new patches or releases for it. We strongly advise users still running ChiliProject 1.x to update to ChiliProject 3.0.0.

What’s included

3.0.0 includes 24 new features and 15 bugfixes over 2.7.0. It includes all bug fixes and features of the 2.7.0 release.

The full list of changes is below:

Contributors to 3.0.0

  • elm
  • Eric Davis
  • Felix Schäfer
  • Gregor Schmidt
  • Holger Just
  • Jérôme BATAILLE
  • Johannes Wollert
  • Kornelius Kalnbach
  • Moritz Breit
  • Romano Licker
  • Spencer Markowski
  • Toshi MARUYAMA
  • And everyone I forgot… You are all awesome!

Upgrading

The upgrade and installation documentation has already been updated for 3.0.0. The update from 2.x to 3.0.0 will be very smooth as we changed very little of the underlying data-storage compared to the previous 2.0.0 release.

Nevertheless, we strongly encourage you to have a full backup in place before starting the upgrade. We do our best to make it a safe experience but there is always the possibility of uncovering yet hidden bugs.

What’s next?

This is the first release in our 3.x series which we will fully support with monthly bugfix releases until the next major ChiliProject version which is due around July 2012. The big goals for that major release are the upgrade to Rails 3.x and the further modularization of ChiliProject.

If you’re interested in participating or contributing to ChiliProject, please leave a comment below or post to our forums. We would love to have your help in polishing the usability or adding exciting new features. Once the upgrade process to Rails 3 has started, we will need as many tester as we can get to iron out the bumps along the way. If you are interested in helping us, just speak up.

In closing, go and download ChiliProject 3.0.0 now.

ChiliProject 2.7.0 released

ChiliProject 2.7.0 has just been released. It includes some new features and bugfixes for ChiliProject 2.6.0. It is suitable for use on production websites.

This is the last regular release of the 2.x series of ChiliProject. With the final 3.0.0 release today, the 2.x branch enters maintenance mode. We will only provide security updates for it until the release of 4.0.0 planned for summer. The old ChiliProject 1.x branch will be considered unsupported from now on. We will not provide any new patches or releases for it. Users still running ChiliProject 1.x are strongly advised to update to ChiliProject 3.0.0.

Download ChiliProject 2.7.0

What’s included

2.7.0 includes 8 bug fixes for 2.6.0. None of the bug fixes is security related.

User running 2.6.0 are encouraged to updated as the previous 2.6.0 release contained a regression which prevented ChiliProject from using the correct Rails environment when used with certain application servers and environments.

The full list of changes is below:

  • Bug #593: Notification Mail for Wiki-Changes has wrong Diff
  • Bug #775: Activity view too verbose
  • Bug #819: RAILS_ENV is not properly set if running under thin
  • Bug #822: Initial journal creation fails because of the missing log_encoding of Repositories
  • Bug #823: Plugin in new directory not picking up Gemfile
  • Bug #839: ruby-debug19 breaks on Ruby 1.9.3
  • Bug #849: Prefix parameter of thin is not working
  • Bug #857: Gemfile has an non ASCII character

What’s Next?

This release marks the end of the 2.x release cycle. Effective immediately the 2.x branch will enter maintenance mode and will only receive security updates until the release of 4.0.0 around July 2012.

With the release of 3.0.0 today the 1.x branch will stop to be supported at all. We will not issue and more releases, bugfixes or security patches for this branch anymore. If you are still using ChiliProject 1.x, you are strongly advised to upgrade to 3.0.0 as soon as possible.

In closing, go and download ChiliProject 2.7.0 now.