Redmine Release Notes

Security Fixes

All three versions (6.1.2, 6.0.9, and 5.1.12) include the following security fixes:

• Defect #43661: Unsafe eval usage in AttachmentsHelper
• Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
• Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
• Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
• Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
• Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
• Defect #43864 / #43840: Update Nokogiri to 1.18.9 (5.1.12) or 1.19.1 (6.1.2 and 6.0.9).

Maintenance Improvements

Redmine 6.1.2 includes a significant number of maintenance fixes (30 in total).

• A new series of fixes for RTL languages
• SVG Icons: Theme developers can now override the default icons sprite, please see #43087 for details
• recent_pages macro supports now include_subprojects parameter

Download and Changelog

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Sho Odagiri and kaminuma).

Original source

Code cleanup/refactoring

• Patch #43872: Update GitHub Actions workflow dependencies

Database

• Patch #43668: Serialize address limit checks during email_addresses#create

Issues

• Feature #43837: Add a hint to the issue relation add form that clarifies multiple comma-separated issue IDs are accepted

Issues filter

• Patch #43736: author.group filter test fix

Issues list

• Defect #31972: An empty group_count badge is displayed when grouped with created_on

Permissions and roles

• Feature #43659: Set minimum width for Permission column in permission report

Security

• Defect #43661: Unsafe eval usage in AttachmentsHelper
• Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
• Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
• Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
• Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
• Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
• Defect #43840: Update Nokogiri to 1.19.1

Text formatting

• Defect #40918: Wiki "Edit this section" does not extract SeText headings correctly in CommonMark Markdown

UI

• Defect #43804: Custom field preview does not work on bulk issue edit
• Defect #43869: Default assignee selected by category is not shown in UI

Original source

Calendar

• Defect #43718: Issue beginning/ending arrows should be flipped in RTL calendars

Code cleanup/refactoring

• Patch #43649: Remove MySQL 5.7-related comments from database.yml.example
• Patch #43713: Add missing entries "apps" and "shield-check" to icon_source.yml
• Patch #43872: Update GitHub Actions workflow dependencies

Database

• Patch #43668: Serialize address limit checks during email_addresses#create

Issues

• Defect #33610: Submitting the issue edit form without changes unexpectedly updates updated_on
• Feature #43837: Add a hint to the issue relation add form that clarifies multiple comma-separated issue IDs are accepted

Issues filter

• Patch #43736: author.group filter test fix

Issues list

• Defect #31972: An empty group_count badge is displayed when grouped with created_on

Performance

• Defect #43651: Searching issues with searchable custom fields causes a performance regression on MySQL

Permissions and roles

• Feature #43659: Set minimum width for Permission column in permission report

Security

• Defect #43661: Unsafe eval usage in AttachmentsHelper
• Defect #43690: Directory Traversal via Backslash-Separated Paths in Filesystem SCM
• Defect #43691: DOM (Stored) XSS in @mention autocomplete via unescaped user name
• Defect #43692: LDAP Injection (Unescaped Input in LDAP Search Filter)
• Defect #43694: DOM XSS: HTML Injection via Custom Field Name in Query Filter Generation
• Defect #43830: User who is allowed to view only their own time entries can retrieve other users’ time entry details by directly specifying the TimeEntry ID via the REST API
• Defect #43840: Update Nokogiri to 1.19.1

Text formatting

• Defect #40918: Wiki "Edit this section" does not extract SeText headings correctly in CommonMark Markdown
• Defect #43662: Cursor may move to incorrect position when pasting inline images from clipboard

Themes

• Feature #43087: Allow to change icons sprites from theme

UI

• Defect #43664: Project menu tab left/right buttons are broken in RTL layout
• Defect #43672: Indent icons for subtasks and subprojects in list tables are misplaced in RTL layout
• Defect #43674: Unintended global ol styling in changeset CSS
• Defect #43675: "Add filter" dropdown in query form appears on the wrong side in RTL layout
• Defect #43714: Arrow buttons for Available/Selected columns are misleading in the issues query form on RTL layouts
• Defect #43715: Project selector does not indent subprojects in RTL layout
• Defect #43804: Custom field preview does not work on bulk issue edit
• Defect #43869: Default assignee selected by category is not shown in UI

Wiki

• Feature #43631: Add "include_subprojects" parameter to recent_pages macro to include pages from subprojects

Original source

6.1.2

CLOSED

2026-03-15

closed: 100%
100%

14 issues (14 closed — 0 open)

Issues by Tracker

• Defect 100% 10/10
• 10/10
• Feature 100% 2/2
• 2/2
• Patch 100% 2/2
• 2/2

Related issues

• Defect #33610: Submitting the issue edit form without changes unexpectedly updates updated_on
• Defect #43651: Searching issues with searchable custom fields causes a performance regression on MySQL
• Defect #43662: Cursor may move to incorrect position when pasting inline images from clipboard
• Defect #43664: Project menu tab left/right buttons are broken in RTL layout
• Defect #43672: Indent icons for subtasks and subprojects in list tables are misplaced in RTL layout
• Defect #43674: Unintended global ol styling in changeset CSS
• Defect #43675: "Add filter" dropdown in query form appears on the wrong side in RTL layout
• Defect #43714: Arrow buttons for Available/Selected columns are misleading in the issues query form on RTL layouts
• Defect #43715: Project selector does not indent subprojects in RTL layout
• Defect #43718: Issue beginning/ending arrows should be flipped in RTL calendars
• Feature #43087: Allow to change icons sprites from theme
• Feature #43631: Add "include_subprojects" parameter to recent_pages macro to include pages from subprojects
• Patch #43649: Remove MySQL 5.7-related comments from database.yml.example
• Patch #43713: Add missing entries "apps" and "shield-check" to icon_source.yml

Powered by Redmine © 2006-2023 Jean-Philippe Lang

Original source

6.0.8

CLOSED

100%

9 issues (9 closed — 0 open)

Issues by Tracker

• Defect
  • 100% 6/6
  • 6/6
• Patch
  • 100% 3/3
  • 3/3

Related issues

• Defect #43283: Overdue due date text does not turn light gray when issue is selected
• Defect #43378: Column headers are slightly shifted to the right in tables in list views
• Defect #43521: Saving a custom field fails with 500 when regular expression is invalid
• Defect #43525: "label_added" is not translated in the repository revision view legend
• Defect #43527: Login and Email columns are unexpectedly center-aligned on the Users page since Redmine 5.1
• Defect #43612: Inline code rendering does not preserve multiple spaces
• Patch #43275: Remove continue-on-error: true from the system test job in GitHub CI
• Patch #43490: Japanese translation update (jstoolbar-ja.js) for 6.0-stable
• Patch #43633: Update Rails to 7.2.3

Original source

6.1.1

CLOSED

closed: 100%

100%
36 issues (36 closed — 0 open)

Issues by Tracker

• Defect
  100% 22/22
  22/22

• Feature
  100% 3/3
  3/3

• Patch
  100% 11/11
  11/11

Related issues

• Defect #41680: Incorrect label/value order on the issue view in RTL layout
• Defect #43265: Automatic list marker does not work for task list items
• Defect #43282: Locked users are not shown in gray in the user list
• Defect #43409: Progress bar custom field shows only "%" instead of "0%" when value is nil
• Defect #43420: Markdown alerts are missing styling in email notifications
• Defect #43422: File format custom fields use legacy download icon instead of SVG icon
• Defect #43491: Fix incorrect link for the Japanese CommonMark Quick Reference
• Defect #43492: Initials avatar shrink in the Activity view when event titles are long
• Defect #43504: Unexpected file name shown when hovering over a link in the Files column
• Defect #43507: Markdown alerts do not respect RTL text direction
• Defect #43509: Avatar in issue view is positioned incorrectly in RTL layout
• Defect #43510: Reaction buttons are positioned incorrectly in RTL layout
• Defect #43511: "Lost password" link in login form is positioned incorrectly in RTL layout
• Defect #43512: Copy button on code blocks is positioned incorrectly in RTL layout
• Defect #43514: Legacy icons still displayed alongside new SVG icons on some RTL pages
• Defect #43520: Repository browser does not indent directory hierarchy in RTL layout
• Defect #43522: "Ratio interval" custom field label is not localized
• Defect #43523: Avatar layout breaks for initials icon in user import completion page
• Defect #43526: When using the include macro in the project description, an execution error occurs in the project list (list view)
• Defect #43591: Context menu is hidden behind sidebar in RTL layout
• Defect #43592: Ajax indicator is broken in RTL layouts
• Defect #43603: Delete link is missing from the context menu when using a relative URL root
• Feature #43234: Enable CJK-friendly emphasis extension for CommonMark
• Feature #43280: Improve visual distinction of link presence in SVG icons
• Feature #43425: Update colors of Markdown "Warning" and "Caution" alerts to be consistent with standards
• Patch #43257: Remove unused files related to the quote reply feature
• Patch #43326: Bulgarian translation update for 6.1-stable
• Patch #43328: List marker missing when regular items and task list items are mixed
• Patch #43370: Russian translation update for 6.1-stable
• Patch #43372: Allow macro recent_pages to display pages from a specific project
• Patch #43379: Localize default commonmark alert titles (note, tip, warning, caution and important)
• Patch #43400: Japanese translation update for 6.1-stable
• Patch #43433: Persian translation update for 6.1-stable
• Patch #43493: Japanese translation update (field_ratio_interval and setting_issue_done_ratio_interval)
• Patch #43620: Italian translation update for 6.1-stable
• Patch #43630: Traditional Chinese translation update for 6.1-stable

Original source

New maintenance releases for the Redmine 6.1, 6.0, and 5.1 series are now available to Download. These releases address three security vulnerabilities along with various bug fixes and improvements.

Security Fixes

All three versions (6.1.1, 6.0.8, and 5.1.11) include the following security fixes:

• Defect #43451: PostScript disguised as PDF can lead to arbitrary file operations via thumbnail generation
• Defect #43634: Authorization bypass in Redmine allows modification of attachment metadata on invisible issues
• Defect #43635: Authorization bypass in Redmine allows deletion of attachment on invisible issues

Maintenance Improvements

Redmine 6.1.1 includes a significant number of maintenance fixes (34 in total), with a particular focus on the user interface:

• RTL Support: Numerous fixes for RTL layouts, including corrected positioning for reaction buttons, copy buttons, and avatars.
• Text Formatting: Improvements to CommonMark alerts, including localized titles (note, tip, warning, etc.), a new CJK-friendly emphasis extension and automatic list markers support for task list items (#43234, #43379, #43265).
• SVG Icons: Continued refinement of the new SVG icon system and visual consistency.

Download and Changelog

You can find the new versions in the Download section. For a complete list of changes, please review the detailed Changelog for each version.

Many thanks to all the contributors who helped with these releases, especially those who responsibly reported the security issues (Elweth from YesWeHack and to Abor).

Happy New Year!

Original source