This security release includes several security fixes, including a fix for a
permission bypass in the Issues API and a fix for private project names that
can be leaked in issue journal details, so upgrading as soon as possible is
recommended. You can get more details in the Security Advisories:
<https://redmine.org/projects/redmine/wiki/Security_Advisories>
4.0.8 (2021-03-21)
[Accounts / authentication]
* Defect #33926: Rake tasks "db:encrypt" and "db:decrypt" may fail due to
validation error
[Administration]
* Defect #33310: Warnings while running redmine:load_default_data rake task
* Patch #32341: Show tooltip when hovering on repeat-value link in Field
permission tab
[Attachments]
* Defect #33459: The order of thumbnails in journals does not match the
order of file name list
* Defect #33769: When creating more than two identical attachments in a
single db transaction, the first one always ends up unreadable
[Custom fields]
* Defect #33275: Possible values field in list format custom field form is
not marked as required
[Documentation]
* Defect #33939: Unnecessary translation of {{toc}} macros in Russian Wiki
formatting help
[Filters]
* Defect #34375: "is not" operator for Subproject filter incorrectly
excludes closed subprojects
[Gantt]
* Defect #33140: Gantt bar is not displayed if the due date is the leftmost
date or the start date is the rightmost date
* Defect #33175: Starting or ending marker is not displayed if they are on
the leftmost or rightmost boundary of the gantt
[Gems support]
* Patch #34461: Update Redcarpet to 3.5.1
[Issues]
* Defect #33576: Done ratio of a parent issue may be shown as 99% even
though all subtasks are completed
[Issues list]
* Defect #33548: Column header is clickable even when the column is not
actually sortable
* Defect #34297: Subprojects issues are not displayed on main project when
all subprojects are closed
[Projects]
* Defect #33889: Do not show list for custom fields without list entry on
project overview
[REST API]
* Defect #34615: 'Search' falsy parameters are not respected
[SEO]
* Defect #6734: robots.txt: disallow crawling issues list with a query string
[Security]
* Defect #33360: Names of private projects are leaked by issue journal
details that contain project_id changes
* Defect #33689: Issues API bypasses add_issue_notes permission
* Feature #33906: Upgrade Rails to 5.2.4.5
[Themes]
* Defect #8251: Classic Theme: Missed base line
[Translations]
* Defect #34447: Typo in translation string
'setting_issue_list_default_columns': s//Isuses/Issues
[UI]
* Patch #33958: Jump to end of line in editor when starting list or quote
Real changes are in devel/ruby-activestorage61 only.
## Rails 6.1.3.1 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage60 only.
## Rails 6.0.3.6 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage52 only.
## Rails 5.2.5 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print margins. This
matches the behavior of the MuPDF previewer.
*Vincent Robert*
Ruby 3.0.1 Released (2021-04-05)
Ruby 3.0.1 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.7.3 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.6.7 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in
WEBrick
* CVE-2021-28965: XML round-trip vulnerability in REXML
See the commit logs for details.
With this release, we end the normal maintenance phase of Ruby 2.6, and Ruby
2.6 enters the security maintenance phase. This means that we will no
longer backport any bug fixes to Ruby 2.6 except security fixes. The
security maintenance phase is scheduled to last for a year. Ruby 2.6 reaches
EOL and its official support ends at the end of the security maintenance
phase. Therefore, we recommend that you start planning an upgrade to Ruby 2.7
or 3.0.
Do not build on Ruby 3.0 since it contains the same version of rexml
gem and conflicts with this package.
Noted by private e-mail from wiz@, thank you!
Breaking changes:
- Make --map behave as function body (#468)
New features:
- Make preview var content streamable
- Improve bash and zsh widgets (#486)
Fixes:
- If command not found in cheatsh, report and return
- Make preview window show mapped values
Code quality:
- Fix warnings (#464)
- Fix all new warnings (#467)
- Move common helpers to src/ (#465)
- Bump all dependencies (#466)
- Remove unused code for global flag
- Correctly show preview var window for --multi (#472)
- Refactor finder packages (#473)
- Refactor terminal_width package
- Refactor core package (#476)
- Refactor fetcher packages (#477)
- Rename display package
- Add instructions for shell widget customization (#480)
- Use Pathbufs appropriately (#481)
- Use remove_dir_all crate (#482)
- Use crossterm instead of termion and terminal_width
- Refactor env_vars package (#485)
Pointed out in PR pkg/56092 by gutteridge@.
Also convert to use the OpenSSL TLS backend.
After a recent devel/nss change, libsoftkn3.so uses MD5_Update()
from OpenSSL, which causes a SIGSEGV.
Bump PKGREVISION.