@peterdd peterdd released this Jul 16, 2018

Assets 3

Main Changes:

  • PHP 7.2 compatible
  • better password hashes using password_hash()
  • also Google reCaptcha configurable
  • a new basic checks tab in admin area
  • more fields chooseable in admin editallusers view
  • last_login field in user table

flyspray-1.0-rc7.tgz has all 3rd party libraries included.

Assets 2

Security release

Several security issues were reported and fixed with this release.

@peterdd peterdd released this Nov 18, 2016 · 2 commits to v1.0-rc4 since this release

Assets 5

security release

  • security fix: XSS was possible on task link attachments and comment link attachments
  • security fix: XSS was possible on task details and task comment when syntax_plugin='none'

@peterdd peterdd released this Oct 4, 2016 · 418 commits to master since this release

Assets 2

Main changes since Flyspray 1.0 RC1

  • security hotfix: deactivated fetch.php of dokuwiki syntax plugin due 2 reported security problems (probably all previous Flyspray versions)
  • bugfix: user with only modify_own_tasks wasn't able to update tasks due too strict form checks (v1.0-rc1 was affected)
  • security improvement: use crypt() instead md5 as default config setting at installation
  • security fix: added missing permission checks for RSS/Atom feeds
  • security fix (3rd library): The .zip contains now ADOdb 5.20.7 .
  • security fix (3rd library): The .zip for php5.6 with 3rd libraries included now contains guzzle in a fixed version after httpoxy . (The others below php5.6 were not affected, because only guzzle since 4.0 was affected by httpoxy vulnerability.)
  • bugfix: better settings possible combined with anonymous task creation feature
  • bugfix: dokuwiki: geshi syntax highlighting working (task description, comments, project and flyspray info boxes)
  • feature: language chinese traditional:taiwan/HongKong added
Oct 4, 2016
switch off mod_speling in .htaccess

@peterdd peterdd released this Apr 10, 2016

Assets 2

Changes since Flyspray 1.0 RC:

  • bugfix: It was possible that quickedit checked user permissions against the default project, not the project of the task.
  • bugfix: accept priority with id 6 again
  • bugfix: 0 effort entries in effort tracking are now ignored and not shown as "in progress"
  • feature: mysqli db connect to a local socket, workaround a missing adodb driver functionality.
  • bugfix: preinstall check for exif extension
  • enhancement: updated finnish translation

@peterdd peterdd released this Mar 23, 2016 · 626 commits to master since this release

Assets 2

Changes since Flyspray 1.0 Beta2:


@peterdd peterdd released this Oct 12, 2015

Assets 2

Changes since Flyspray Beta:

  • bugfix online version check
  • bugfix and enhancement of activity charts
  • bugfix for uploads when unlimited php size settings exists
  • feature: project dropdown now shows active projects first, then inactive

@peterdd peterdd released this Oct 7, 2015 · 1078 commits to master since this release

Assets 2

This is a security release that can't wait any longer.

Affected: all versions

Github Flyspray dev versions between 1.0 alphax and 1.0-beta:

  • an accidently introduced bug lead to the possiblity of getting flyspray admin, detected by flyspray devs.

All versions before 1.0 alphax:

  • now HttpOnly cookies and secure cookies (for servers with a valid ssl cert)
  • Anti-CSRF system implemented

Both make it harder to takeover a user session or trick an authenticated flyspray user to execute damaging actions in Flyspray. (like deleting himself for instance ;-))

  • 1300 commits in 2015 mainly targeting completing existing features and bug fixes.


Peoples testing this version and giving detailed feedback on bugs.flyspray.org.