
ChiliProject 1.5.4 released

ChiliProject 1.5.4 has just been released. This release is a security release to fix a Cross-Site-Scripting bug (XSS) that was discovered in ChiliProject 1.5.3. It contains no other bug fixes or new features and is released for users who are unable to upgrade to ChiliProject 2.4.0. It is suitable for use on production websites running ChiliProject 1.x and we highly recommend that 1.x users download the release.

Download ChiliProject 1.5.4

What’s included

1.5.4 includes a security fix that was backported from ChiliProject 2.4.0.

  • Bug #647: XSS: User input for images is not properly sanitized

All users of ChiliProject are strongly advised to update their installations as soon as possible, as the resolved issue allows users who are able to add or edit content to inject persistent JavaScript code into pages.

Users of Redmine should be advised that the fixed issue is also present there. There is currently no Redmine release that fixes it; it is only addressed in the trunk and the 1.2-stable branch in the repository. You should either upgrade or apply the fix in the issue manually.

Contributors to 1.5.4

I’d like to thank all of the contributors to the 1.5.4 release.

  • Etienne Massip
  • Holger Just
  • Karel Picman
  • Mischa The Evil

We would like to especially thank Mischa The Evil who informed us of the security issue.

If you think you have found a security issue in ChiliProject please report it to the security team privately so we can follow responsible disclosure.

What’s Next?

The 1.x versions of ChiliProject are officially in maintenance mode and will only be getting security updates until the release of 3.0 in early January. After that date, the 1.x branch will no longer be supported in any way. To get general bug fixes and features, we recommend upgrading to the current stable version of ChiliProject, currently ChiliProject 2.4.0.
