Redmine 4.2.1, 4.1.3 and 4.0.9 released (security fixes)
These 3 maintenance releases are available for [[download]], you can review the changes in the [[Changelog]].
Security: these 3 releases include 4 security fixes, including a critical fix for an arbitrary file read in the Git adapter, so upgrading as soon as possible is highly recommended. For those who cannot update immediately, another way to mitigate the critical risk is to update the Git version on the server to at least 2.22.0. You can get more details in [[Security Advisories]].
Many thanks to niubl from TSRC (Tencent Security Response Center) for reporting this issue to the Redmine security team, to Holger Just from www.plan.io for the hard work on these security issues and to Go Maeda who made these releases possible.
Besides this, these new versions clarify and properly fix some inconsistent permissions for issue_edit and add_issue_notes. Before version:"3.3.0", users with only the issue_edit permission were allowed to add notes to issues by design, but this behaviour changed when tracker role-based permissions were added (#285) and add_issue_notes was explicitly required in the UI. version:4.0.8 extended this behaviour to the API and version:4.0.9 to the mail handler. Please check your role settings if you have incoming email configured.
Please note that version:4.0.9 is the last release of the 4.0 series; you should upgrade to Redmine 4.1 or 4.2 to get future maintenance updates. The next major version is version:5.0.0.
Comments
Added by Just Holger over 3 years ago
Thank you to everyone who took part in this release!
As always when there are security fixes, we have updated the Redmine Security Scanner. If you haven’t already, feel free to subscribe your Redmine for regular scanning to get email updates whenever its security status changes.
Added by Kadoya Hirofumi over 3 years ago
thanks!
Added by E Erik over 3 years ago
Thanks to everyone involved!
Added by Robert Vincent over 3 years ago
Good work. Thank you!
Added by Hartmann Fernando over 3 years ago
Thanks!
Added by Anonymous Anonymous over 3 years ago
Does CVE-2021-31863 affect private projects? If I understand correctly, the bug can only be exploited when a user (anonymous or authenticated) has access to a specific project (correct me if I’m wrong). If all projects are private, this would mean that the only users capable of executing the exploit are authenticated users, correct?
Added by Kumawat DC over 3 years ago
Thanks for releasing Redmine 4.2.1