- security fix: XSS was possible on task link attachments and comment link attachments
- security fix: XSS was possible on task details and task comment when syntax_plugin='none'
Main changes since Flyspray 1.0 RC1:
- security hotfix: deactivated fetch.php of the dokuwiki syntax plugin due to 2 reported security problems (probably all previous Flyspray versions affected)
- bugfix: users with only modify_own_tasks weren't able to update tasks due to too strict form checks (v1.0-rc1 was affected)
- security improvement: use crypt() instead of md5 as the default config setting at installation
- security fix: added missing permission checks for RSS/Atom feeds
- security fix (3rd library): The .zip now contains ADOdb 5.20.7.
- security fix (3rd library): The .zip for php5.6 with 3rd-party libraries included now contains guzzle in a version fixed after httpoxy. (The others below php5.6 were not affected, because only guzzle since 4.0 was affected by the httpoxy vulnerability.)
- bugfix: better settings possible combined with anonymous task creation feature
- bugfix: dokuwiki: geshi syntax highlighting now works (task description, comments, project and Flyspray info boxes)
- feature: language Chinese Traditional (Taiwan/Hong Kong) added
Changes since Flyspray 1.0 RC:
- bugfix: It was possible that quickedit checked user permissions against the default project, not the project of the task.
- bugfix: accept priority with id 6 again
- bugfix: 0 effort entries in effort tracking are now ignored and not shown as "in progress"
- feature: mysqli db connect to a local socket, a workaround for missing adodb driver functionality.
- bugfix: preinstall check for exif extension
- enhancement: updated Finnish translation
Changes since Flyspray 1.0 Beta2:
- bugfix: notifications were sent to all users under some circumstances
- bugfix: search filters couldn't be deleted
This is a security release that can't wait any longer.
Affected: all versions
Github Flyspray dev versions between 1.0 alphax and 1.0-beta:
- an accidentally introduced bug led to the possibility of gaining Flyspray admin rights; detected by Flyspray devs.
All versions before 1.0 alphax:
- now HttpOnly cookies and secure cookies (for servers with a valid SSL cert)
- Anti-CSRF system implemented
Both make it harder to take over a user session or to trick an authenticated Flyspray user into executing damaging actions in Flyspray (like deleting himself, for instance ;-)).
- 1300 commits in 2015, mainly targeting the completion of existing features and bug fixes.
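As an added illustration of the two mitigations named above (HttpOnly/Secure session cookies and an anti-CSRF token), here is a small PHP example. It is not Flyspray's own code; the function names (isHttps, startHardenedSession, csrfToken, csrfField, verifyCsrf) and the form field name csrf_token are hypothetical, and it assumes a plain PHP session without a framework.

```php
<?php
// Added illustration (not Flyspray's code): hardened session cookie flags
// plus a per-session anti-CSRF token. All function names are hypothetical.

declare(strict_types=1);

// Only set the Secure flag when the request really came in over TLS; a
// Secure cookie is never sent back over plain HTTP, so logins would break.
function isHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => isHttps(),   // cookie travels only over TLS
        'httponly' => true,        // not readable from document.cookie (XSS can't steal it)
        'samesite' => 'Lax',       // PHP >= 7.3; additional CSRF defence
    ]);
    session_start();
}

// One random token per session, generated from the CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on POST with a constant-time comparison so timing leaks nothing.
function verifyCsrf(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// Usage in a handler for a destructive action (e.g. deleting the own account):
startHardenedSession();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrf($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the action only after the token check passed
}
```

The HttpOnly flag keeps the session cookie out of reach of injected script, and the token check rejects a forged cross-site POST because the attacker's page cannot read the victim's token to include it in the form.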
Peoples testing this version and giving detailed feedback on bugs.flyspray.org.