ChiliProject 3.1.0 has just been released. It includes some new features and bugfixes for ChiliProject 3.0.0 as well as some critical security fixes. It is suitable for use on production websites and we recommend that all users download the release as soon as possible.
Users of the old 2.x release branch, please check the 2.7.1 release, which includes the security fixes. Users still running an old 1.x install are strongly encouraged to update to a more recent version, as that branch is not supported any more and doesn’t receive updates.
3.1.0 includes 20 bug fixes, including one security fix, and 5 new features over 3.0.0.
The security fix addresses several mass-assignment vulnerabilities in ChiliProject. These allowed users to write certain pieces of data which they should not have been able to modify. However, users could not grant themselves access to data they can’t normally access. It was also not possible for non-admins to grant users additional rights.
All of the vulnerabilities have existed since the start of the project, most going back to the beginning of Redmine itself. To further mitigate the issue, we are going to review the controller code and add additional means to prevent mass-assignment vulnerabilities in the future. As these changes require some architectural changes, we will spread them out over future releases as part of our migration to Rails 3.
More information about the way mass-assignment works in Rails can be found at Michael Hartl’s tech blog.
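As an added illustration of the mass-assignment pattern described above (not ChiliProject's code), plain Ruby stands in for an ActiveRecord model: the attribute names, the request parameters and the current-user id are constructed, and the hardened class mirrors the whitelist idea behind Rails' `attr_accessible` while setting the privileged field server-side.

```ruby
# Added illustration, not ChiliProject's code. A plain Ruby class stands in
# for an ActiveRecord model; attribute names and parameters are constructed.

# Vulnerable pattern: every key in the request hash is written to the model,
# much like update_attributes(params[:record]) with no attr_accessible list.
# A client can therefore set fields the form never exposed.
class UnsafeRecord
  attr_accessor :title, :description, :author_id

  def initialize(params)
    params.each { |k, v| public_send("#{k}=", v) }
  end
end

# Hardened pattern: only whitelisted attributes may come from request
# parameters; privileged fields are set by the server from the session.
class SafeRecord
  attr_accessor :title, :description, :author_id
  ACCESSIBLE = %w[title description].freeze

  def initialize(params, current_user_id)
    assign_accessible(params)
    @author_id = current_user_id # never taken from the request
  end

  # Assigns whitelisted keys and returns the keys that were rejected,
  # so a controller could log them as a sign of tampering.
  def assign_accessible(params)
    rejected = []
    params.each do |k, v|
      if ACCESSIBLE.include?(k.to_s)
        public_send("#{k}=", v)
      else
        rejected << k.to_s
      end
    end
    rejected
  end
end

# Constructed request: a legitimate title plus a field the user should not control.
PARAMS = { 'title' => 'Fix login form', 'author_id' => 1 }.freeze
CURRENT_USER_ID = 42 # constructed: id of the authenticated session user

# Returns the author_id each model ends up with for the same request.
def demo
  unsafe = UnsafeRecord.new(PARAMS)
  safe = SafeRecord.new(PARAMS, CURRENT_USER_ID)
  { unsafe_author_id: unsafe.author_id, safe_author_id: safe.author_id }
end
```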
The full list of changes is below:
- Bug #739: Relative textile links not converted to full URLs in emails
- Bug #828: uninitialized constant Redmine::Scm::Adapters::CommandFailed in RepositoryController
- Bug #861: Apply Filter does not work on all-project-activities view
- Bug #868: Done bar has no filling
- Bug #869: Issue option list stacked vertically instead of horizontally
- Bug #873: Incorrect error message text for groups
- Bug #882: Right click context menu doesn’t show submenu icon.
- Bug #887: Stacked month (top row)
- Bug #888: Cannot edit note
- Bug #891: quotes around path when shelling out does not work on Windows
- Bug #892: CP code or test assumes ordering where none is guaranteed
- Bug #896: Enabling “Authentication required” mode returns 404s
- Bug #903: ActionView::TemplateError (undefined method `new0′ for DateTime:Class)
- Bug #911: Sub-sub (and deeper) issues CSS rules are overridden
- Bug #914: comments gets striked through, when description changes before
- Bug #922: Mass assignment
- Bug #927: Reposman script problem
- Bug #929: Missing links in Issues section in left menu bar
- Bug #933: News RSS Feed tag not populating
- Bug #939: GMail documentation in configuration.yml.default out of date
- Feature #559: Group Menus
- Feature #899: Create a jQuery version of the context menu
- Feature #906: Add Link back to Parent of Subtask
- Feature #915: default bundle install installs old pg version
- Feature #928: Increase username length limit from 30 to 60
Contributors to 3.1.0
- Andrew Smith
- Dominique Feyer
- Eric Davis
- Felix Schäfer
- Gregor Schmidt
- Holger Just
- Jean Philippe Lang
- Martin S
- Michaël Rigart
- Robert Mitwicki
In closing, go and download ChiliProject 3.1.0 now.