Flyspray 1.0-rc4

@peterdd peterdd released this Nov 18, 2016 · 2 commits to v1.0-rc4 since this release

security release

  • security fix: XSS was possible on task link attachments and comment link attachments
  • security fix: XSS was possible on task details and task comment when syntax_plugin='none'


Flyspray 1.0-rc3 (hotfix)

@peterdd peterdd released this Oct 4, 2016 · 141 commits to master since this release

Main changes since Flyspray 1.0 RC1

  • security hotfix: deactivated fetch.php of the dokuwiki syntax plugin due to 2 reported security problems (probably all previous Flyspray versions)
  • bugfix: a user with only modify_own_tasks wasn't able to update tasks due to overly strict form checks (v1.0-rc1 was affected)
  • security improvement: use crypt() instead of md5 as the default config setting at installation
  • security fix: added missing permission checks for RSS/Atom feeds
  • security fix (3rd library): The .zip now contains ADOdb 5.20.7.
  • security fix (3rd library): The .zip for php5.6 with 3rd libraries included now contains guzzle in a version fixed after httpoxy. (The others below php5.6 were not affected, because only guzzle since 4.0 was affected by the httpoxy vulnerability.)
  • bugfix: better settings possible combined with anonymous task creation feature
  • bugfix: dokuwiki: geshi syntax highlighting working (task description, comments, project and flyspray info boxes)
  • feature: language Chinese Traditional (Taiwan/Hong Kong) added


Flyspray 1.0 RC1

@peterdd peterdd released this Apr 10, 2016

Changes since Flyspray 1.0 RC:

  • bugfix: It was possible that quickedit checked user permissions against the default project, not the project of the task.
  • bugfix: accept priority with id 6 again
  • bugfix: 0 effort entries in effort tracking are now ignored and not shown as "in progress"
  • feature: mysqli db connect to a local socket, a workaround for missing adodb driver functionality.
  • bugfix: preinstall check for exif extension
  • enhancement: updated Finnish translation


Flyspray 1.0 RC

@peterdd peterdd released this Mar 23, 2016 · 349 commits to master since this release

Changes since Flyspray 1.0 Beta2:


Flyspray 1.0 Beta2

@peterdd peterdd released this Oct 12, 2015

Changes since Flyspray Beta:

  • bugfix online version check
  • bugfix and enhancement of activity charts
  • bugfix for uploads when unlimited php size settings exist
  • feature: project dropdown now shows active projects first, then inactive


Flyspray 1.0 Beta

@peterdd peterdd released this Oct 7, 2015 · 801 commits to master since this release

This is a security release that can't wait any longer.

Affected: all versions

Github Flyspray dev versions between 1.0 alphax and 1.0-beta:

  • an accidentally introduced bug led to the possibility of getting Flyspray admin, detected by Flyspray devs.

All versions before 1.0 alphax:

  • now HttpOnly cookies and secure cookies (for servers with a valid SSL cert)
  • Anti-CSRF system implemented

Both make it harder to take over a user session or trick an authenticated Flyspray user into executing damaging actions in Flyspray (like deleting himself, for instance ;-)).

  • 1300 commits in 2015, mainly aimed at completing existing features and fixing bugs.


People testing this version and giving detailed feedback on