I wanted to post a quick update here in case someone isn’t subscribed to the ChiliProject Blog.
A few minutes ago I released two security releases for ChiliProject, 1.5.2 and 2.1.1. These fix many major XSS bugs we discovered while doing a security audit of the code base. I think somewhere around 94 potential XSS vulnerabilities were fixed, many from older Redmine code (we even found one introduced on r1 of Redmine).
Redmine’s security team has been notified of the vulnerabilities, and some similar fixes were committed to their repository late last Saturday (July 30th). I do not know when the full set of fixes will be committed or when Redmine will do a security release. If you want to manually patch your installation, you can try to use our patch (one or the other should work, depending on your version):
- https://github.com/chiliproject/chiliproject/commit/2c4641167817fd37e945f1761fa8733d5fbc5852
- https://github.com/chiliproject/chiliproject/commit/e950862d801c744c26577be025581a389abf7809
These kinds of bugs are really bad and hopefully everyone can upgrade without incident, both ChiliProject and Redmine. I’m going to see if we (ChiliProject) can try to collaborate with Redmine on security updates in the future.