Redmine Release Notes

Security Fixes

All three versions (6.1.2, 6.0.9, and 5.1.12) include the following security fixes:

• Defect #43661: Unsafe eval usage in AttachmentsHelper
• Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
• Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
• Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
• Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
• Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
• Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).

Maintenance Improvements

Redmine 6.1.2 includes a significant number of maintenance fixes (30 in total).

• A new series of fixes for RTL languages
• SVG Icons: Theme developers can now override the default icons sprite, please see #43087 for details
• recent_pages macro supports now include_subprojects parameter

Download and Changelog

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Sho Odagiri and kaminuma).

We have released new maintenance updates, Redmine 6.0.4, 5.1.7, and 5.0.12.

These 3 maintenance releases are available for download, you can review the changes in the Changelog.

All versions contain multiple important security fixes:

• 2 XSS vulnerabilities
• Project query leaks details of private projects
• /my/account does not correctly enforce sudo mode
• Update Nokogiri to 1.18.3 to address CVE-2025-24928 and CVE-2024-56171

You can review them in Security Advisories.

Beside the security issues, #42245 is now fixed also on 5.1.7.

Thank you to everyone who contributed to the releases and special thanks to Holger Just for handling all these security issues.

We have released two maintenance updates, Redmine 6.0.3 and 5.1.5.
These 2 maintenance releases are available for download, you can review the changes in the Changelog.

Redmine 6.0.3

Redmine 6.0.3 addresses a major issue where Redmine fails to start if the database adapter name mysql in config/database.yml is enclosed in double quotes (#42013). Additionally, it includes several UI fixes.

Redmine 5.1.6

Redmine 5.1.6 addresses a critical issue preventing Redmine 5.0.x from starting when using concurrent-ruby gem version 1.3.5 or later (#42113).

We appreciate the contributions of everyone who reported and resolved these issues.

Release

We have released Redmine 5.0.11 today, following the releases of Redmine 6.0.3 and 5.1.6 yesterday.

This version backports a critical fix from Redmine 5.1.6 that resolves an issue where the application fails to start when using the concurrent-ruby gem version 1.3.5 or later in Redmine 5.0 and 5.1 series (#42113).

We recommend all users of Redmine 5.0 and 5.1 series update to 5.0.11 or 5.1.6 to avoid startup issues.

The latest maintenance releases are available for download, you can review the changes in the Changelog.

Maintenance releases 6.0.6, 5.1.9 and 5.0.13 are now available to Download, bringing a total of 32 bug fixes (Changelog).

All three releases contain a new version of net-imap gem to address CVE-2025-43857 (#42662) and also some important fixes to improve the compatibility of Redmine with Rack >= 3.1.14 (#42875, #42962). Additionally, the patch for #38529, initially released in version 5.1.0, is now properly fixed and the locales are limited to those defined by Redmine itself.

Thanks everyone for their contributions.

Code cleanup/refactoring

• Patch #43872: Update GitHub Actions workflow dependencies

Database

• Patch #43668: Serialize address limit checks during email_addresses#create

Issues

• Feature #43837: Add a hint to the issue relation add form that clarifies multiple comma-separated issue IDs are accepted

Issues filter

• Patch #43736: author.group filter test fix

Issues list

• Defect #31972: An empty group_count badge is displayed when grouped with created_on

Permissions and roles

• Feature #43659: Set minimum width for Permission column in permission report

Security

• Defect #43661: Unsafe eval usage in AttachmentsHelper
• Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
• Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
• Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
• Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
• Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
• Defect #43840: Update Nokogiri to 1.19.1

Text formatting

• Defect #40918: Wiki "Edit this section" does not extract SeText headings correctly in CommonMark Markdown

UI

• Defect #43804: Custom field preview does not work on bulk issue edit
• Defect #43869: Default assignee selected by category is not shown in UI

Maintenance releases and Security fixes

Added by
Marius B2CLETEANU

6 months ago

Maintenance releases 6.0.7, 5.1.10 and 5.0.14 are now available to Download, bringing a total of 16 bug fixes (Changelog).

Security fixes:
All versions contain the following security fixes:

• Defect #42998: Username and password stored in login form
• Defect #43083: Information disclosure in Two-Factor Authentication
• Defect #43161: When copying issues, all existing custom values are set to the new issue without sufficient validation

Starting with these versions, a new security measure has been implemented in #42998 to improve how Redmine handles sensitive information. The

no-store

cache header has been added to following forms: login, lost password, change password, sudo pages, auth_source, user, repository and accounts#register.

Thanks everyone for their contributions.

A Note on the End of Life for Redmine 5.0

With the upcoming release of Redmine 6.1.0 later today, we want to remind everyone that this will mark the end of life for the Redmine 5.0 series. If you are currently using a version in the 5.0 branch, we highly recommend you plan to upgrade soon to continue receiving updates and security patches.

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address three security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.1, 6.0.8, and 5.1.11) include the following security fixes:

• Defect #43451: PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation
• Defect #43634: Authorization bypass in Redmine allows modification of attachment metadata on invisible issues
• Defect #43635: Authorization bypass in Redmine allows deletion of attachment on invisible issues

Maintenance Improvements

Redmine 6.1.1 includes a significant number of maintenance fixes (34 in total), with a particular focus on the user interface:

• RTL Support: Numerous fixes for RTL layouts, including corrected positioning for reaction buttons, copy buttons, and avatars.
• Text Formatting: Improvements to CommonMark alerts, including localized titles (note, tip, warning, etc.), a new CJK-friendly emphasis extension and automatic list markers support for task list items (#43234, #43379, #43265).
• SVG Icons: Continued refinement of the new SVG icon system and visual consistency.

Download and Changelog

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Elweth from YesWeHack and to Abor).

Happy New Year!

6.1.2

CLOSED

2026-03-15

closed: 100%
100%

14 issues (14 closed — 0 open)

Issues by Tracker

• Defect 100% 10/10
• 10/10
• Feature 100% 2/2
• 2/2
• Patch 100% 2/2
• 2/2

Related issues

• Defect #33610: Submitting the issue edit form without changes unexpectedly updates updated_on
• Defect #43651: Searching issues with searchable custom fields causes a performance regression on MySQL
• Defect #43662: Cursor may move to incorrect position when pasting inline images from clipboard
• Defect #43664: Project menu tab left/right buttons are broken in RTL layout
• Defect #43672: Indent icons for subtasks and subprojects in list tables are misplaced in RTL layout
• Defect #43674: Unintended global ol styling in changeset CSS
• Defect #43675: "Add filter" dropdown in query form appears on the wrong side in RTL layout
• Defect #43714: Arrow buttons for Available/Selected columns are misleading in the issues query form on RTL layouts
• Defect #43715: Project selector does not indent subprojects in RTL layout
• Defect #43718: Issue beginning/ending arrows should be flipped in RTL calendars
• Feature #43087: Allow to change icons sprites from theme
• Feature #43631: Add "include_subprojects" parameter to recent_pages macro to include pages from subprojects
• Patch #43649: Remove MySQL 5.7-related comments from database.yml.example
• Patch #43713: Add missing entries "apps" and "shield-check" to icon_source.yml

Powered by Redmine © 2006-2023 Jean-Philippe Lang

2.2.4

(2013-03-19)

• Upgrade to Rails 3.2.13
• Defect #12243: Ordering forum replies by last reply date is broken
• Defect #13127: h1 multiple lined titles breaks into main menu
• Defect #13138: Generating PDF of issue causes UndefinedConversionError with htmlentities gem
• Defect #13165: rdm-mailhandler.rb: initialize_http_header override basic auth
• Defect #13232: Link to topic in nonexistent forum causes error 500
• Patch #13181: Bulgarian translation of jstoolbar-bg.js
• Patch #13207: Portuguese translation for 2.2-stable
• Patch #13310: pt-BR label_last_n_weeks translation
• Patch #13325: pt-BR translation for 2.2-stable
• Patch #13343: Vietnamese translation for 2.2-stable
• Patch #13398: Czech translation for 2.2-stable

Updated by

Jean-Philippe Lang

almost 13 years ago · 1 revisions
LOCKED

2.3.4 (2013-11-17)

• Defect #13348: Repository tree can't handle two loading at once
• Defect #13632: Empty page attached when exporting PDF
• Defect #14590: migrate_from_trac.rake does not import Trac users, uses too short password
• Defect #14656: JRuby: Encoding error when creating issues
• Defect #14883: Update activerecord-jdbc-adapter
• Defect #14902: Potential invalid SQL error with invalid group_ids
• Defect #14931: SCM annotate with non ASCII author
• Defect #14960: migrate_from_mantis.rake does not import Mantis users, uses too short password
• Defect #14977: Internal Server Error while uploading file
• Defect #15190: JS-error while using a global custom query w/ project filter in a project context
• Defect #15235: Wiki Pages REST API with version returns wrong comments
• Defect #15344: Default status always inserted to allowed statuses when changing status
• Feature #14919: Update ruby-openid version above 2.3.0
• Patch #14592: migrate_from_trac.rake does not properly parse First Name and Last Name
• Patch #14886: Norweigan - label_copied_to and label_copied_from translated
• Patch #15185: Simplified Chinese translation for 2.3-stable

2.4.7 (2014-10-21)

• Defect #17446: Error when editing custom field with blank min_length or max_length
• Defect #17581: Drag & Drop does not work with Safari 5.1
• Defect #17585: Typo in Traditional Chinese detailed syntax help
• Defect #17826: PDF export fails if there is U+FFFD in issue data or journals

2.4.6 (2014-07-06)

• Defect #13932: File upload does not work with Safari
• Defect #16467: back_url redirection does not work for '/'
• Defect #16511: Potentiel data leak in "Invalid form authenticity token" error screen
• Defect #16530: back_url redirection work for non sub uri
• Defect #16711: Non-ascii attachment file name get corrupted in IE11
• Defect #17151: File upload broken on Chrome 36
• Defect #17235: use test_email report can't modify frozen String
• Defect #17391: Upgrade to Rails 3.2.19
• Patch #17206: Fix Invalid CSS on Error-Pages

2.4.5 (2014-03-29)

• Defect #16466: Fixed back url verification (JVN#93004610)

2.4.4 (2014-03-02)

• Defect #16081: Export CSV - Custom field true/false not using translation
• Defect #16161: Parent task search and datepicker not available after changing status
• Defect #16169: Wrong validation when updating integer custom field with spaces
• Defect #16177: Mercurial 2.9 compatibility

2.4.3 (2014-02-08)

• Defect #13544: Commit reference: autogenerated issue note has wrong commit link syntax in multi-repo or cross-project context
• Defect #15664: Unable to upload attachments without add_issues, edit_issues or add_issue_notes permission
• Defect #15756: 500 on admin info/settings page on development environment
• Defect #15781: Customfields have a noticable impact on search performance due to slow database COUNT
• Defect #15849: Redmine:Fetch_Changesets Single-inheritance issue in subclass "Repository:Git"
• Defect #15870: Parent task completion is 104% after update of subtasks
• Defect #16032: Repository.fetch_changesets > app/models/repository/git.rb:137:in `[]=': string not matched (IndexError)
• Defect #16038: Issue#css_classes corrupts user.groups association cache
• Patch #15960: pt-BR translation for 2.4-stable

Additional note:
#15781 was forgotten to merge to v2.4.3.
It is in v2.5.0.

2.4.2 (2013-12-23)

• Defect #15398: HTML 5 invalid tag
• Defect #15523: CSS class for done ratio is not properly generated
• Defect #15623: Timelog filtering by activity field does not handle project activity overrides
• Defect #15677: Links for relations in notifications do not include hostname
• Defect #15684: MailHandler : text/plain attachments are added to description
• Defect #15714: Notification on loosing assignment does not work
• Defect #15735: OpenID login fails due to CSRF verification
• Defect #15741: Multiple scrollbars in project selection tree
• Patch #9442: Russian wiki syntax help translations
• Patch #15524: Japanese translation update (r12278)
• Patch #15601: Turkish translation update
• Patch #15688: Spanish translation updated
• Patch #15696: Russian translation update

2.4.1 (2013-11-23)

• Defect #15401: Wiki syntax "bold italic" is incorrect
• Defect #15414: Empty sidebar should not be displayed in project overview
• Defect #15427: REST API POST and PUT broken
• Patch #15376: Traditional Chinese translation (to r12295)
• Patch #15395: German "ImageMagick convert available" translation
• Patch #15400: Czech Wiki syntax traslation
• Patch #15402: Czech translation for 2.4-stable

2.4.0 (2013-11-17)

• Defect #1983: statistics get rather cramped with more than 15 or so contributers
• Defect #7335: Sorting issues in gantt by date, not by id
• Defect #12681: Treat group assignments as assigned to me
• Defect #12824: Useless "edit" link in workflow menu
• Defect #13260: JQuery Datepicker popup is missing multiple month/year modifiers
• Defect #13537: Filters will show issues with unused custom fields.
• Defect #13829: Favicon bug in IE8
• Defect #13949: Handling of attachment uploads when 'Maximum attachment size' is set to 0
• Defect #13989: Trac and Mantis importers reset global notification settings
• Defect #13990: Trac importer breaks on exotic filenames and ruby 1.9+
• Defect #14028: Plugins Gemfiles loading breaks
• FILE
• Defect #14086: Better handling of issue start date validation
• Defect #14206: Synchronize the lang attribute of the HTML with the display language
• Defect #14403: No error message if notification mail could not delivered
• Defect #14516: Missing Sort Column Label and Center Align on Admin-Enumerations
• Defect #14517: Missing Html Tile on Admin (Groups, LDAP and Plugins)
• Defect #14598: Wrong test with logger.info in model mail_handler
• Defect #14615: Warn me when leaving a page with unsaved text doesn't work when editing an update note
• Defect #14621: AJAX call on the issue form resets data entered during the request
• Defect #14657: Wrong German translation for member inheritance
• Defect #14773: ActiveRecord::Acts::Versioned::ActMethods#next_version Generates ArgumentError
• Defect #14819: Newlines in attachment filename causes crash
• Defect #14986: 500 error when viewing a wiki page without WikiContent
• Defect #14995: Japanese "notice_not_authorized" translation is incorrect
• Defect #15044: Patch for giving controller_issues_edit_after_save api hook the correct context
• Defect #15050: redmine:migrate_from_mantis fails to migrate projects with all upper case name
• Defect #15058: Project authorization EnabledModule N+1 queries
• Defect #15113: The mail method should return a Mail::Message
• Defect #15135: Issue#update_nested_set_attributes comparing nil with empty string
• Defect #15191: HTML 5 validation failures
• Defect #15227: Custom fields in issue form - splitting is incorrect
• Defect #15307: HTML 5 deprecates width and align attributes
• Feature #1005: Add the addition/removal/change of related issues to the history
• Feature #1019: Role based custom queries
• Feature #1391: Ability to force user to change password
• Feature #2199: Ability to clear dates and text fields when bulk editing issues
• Feature #2427: Document horizontal rule syntax
• Feature #2795: Add a "Cancel" button to the "Delete" project page when deleting a project.
• Feature #2865: One click filter in search view
• Feature #3413: Exclude attachments from incoming emails based on file name
• Feature #3872: New user password - better functionality
• Feature #4911: Multiple issue update rules with different keywords in commit messages
• Feature #5037: Role-based issue custom field visibility
• Feature #7590: Different commit Keywords for each tracker
• Feature #7836: Ability to save Gantt query filters
• Feature #8253: Update CodeRay to 1.1 final
• Feature #11159: REST API for getting CustomField definitions
• Feature #12293: Add links to attachments in new issue email notification
• Feature #12912: Issue-notes Redmine links: append actual note reference to rendered links
• Feature #13157: Link on "My Page" to view all my spent time
• Feature #13746: Highlighting of source link target line
• Feature #13943: Better handling of validation errors when bulk editing issues
• Feature #13945: Disable autofetching of repository changesets if projects are closed
• Feature #14024: Default of issue start and due date
• Feature #14060: Enable configuration of OpenIdAuthentication.store
• Feature #14228: Registered users should have a way to get a new action email
• Feature #14614: View hooks for user preferences
• Feature #14630: wiki_syntax.html per language (wiki help localization mechanism)
• Feature #15136: Activate Custom Fields on a selection of projects directly from Custom fields page
• Feature #15182: Return to section anchor after wiki section edit
• Feature #15218: Update Rails 3.2.15
• Feature #15311: Add an indication to admin/info whether or not ImageMagick convert is available
• Patch #6689: Document project-links in parse_redmine_links
• Patch #13460: All translations: RSS -> Atom
• Patch #13482: Do not add empty header/footer to notification emails
• Patch #13528: Traditional Chinese "label_total_time" translation
• Patch #13551: update Dutch translations - March 2013
• Patch #13577: Japanese translation improvement ("done ratio")
• Patch #13646: Fix handling multiple text parts in email
• Patch #13674: Lithuanian translation
• Patch #13687: Favicon bug in opera browser
• Patch #13697: Back-button on diff page is not working when I'm directed from email
• Patch #13745: Correct translation for member save button
• Patch #13808: Changed Bulgarian "label_statistics" translation
• Patch #13825: German translation: jquery.ui.datepicker-de.js
• Patch #13900: Update URL when changing tab
• Patch #13931: Error and inconsistencies in Croatian translation
• Patch #13948: REST API should return user.status
• Patch #13988: Enhanced Arabic translation
• Patch #14138: Output changeset comment in html title
• Patch #14180: Improve pt-BR translation
• Patch #14222: German translation: grammar + spelling
• Patch #14223: Fix icon transparency issues
• Patch #14360: Slovene language translation
• Patch #14767: More CSS classes on various fields
• Patch #14901: Slovak translation
• Patch #14920: Russian numeric translation
• Patch #14981: Italian translation
• Patch #15072: Optimization of issues journal custom fields display
• Patch #15073: list custom fields : multiple select filter wider
• Patch #15075: Fix typo in the Dutch "label_user_mail_option_all" translation
• Patch #15277: Accept custom field format added at runtime
• Patch #15295: Log error messages when moving attachements in sub-directories
• Patch #15369: Bulgarian translation (r12278)

Files (0)

Updated by Jean-Philippe Lang over 11 years ago · 5 revisions

LOCKED