Redmine 6.0.4, 5.1.7, 5.0.12 released

2025-03-14  •  KUROTANI Akihiro

On March 11, 2025 (Central European Time), Redmine 6.0.4, 5.1.7 and 5.0.12 were released.

These are maintenance releases that include security vulnerability fixes.


What is Redmine:
Redmine is a versatile, open-source project management tool built on Ruby on Rails. It offers features like multi-project support, issue tracking, time tracking, and custom fields. Visit the official website at www.redmine.org to access a wealth of comprehensive information.

These releases include fixes for the following security vulnerabilities:

  • XSS in custom query
  • XSS in macros
  • ProjectQuery leaks details of private projects
  • /my/account does not correctly enforce sudo mode
  • Update Nokogiri to 1.18.3 to address CVE-2025-24928 and CVE-2024-56171

Please refer to the Redmine Security Advisories for the versions affected by each vulnerability.
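A quick way to check whether an installation has picked up these releases is to compare its `lib/redmine/version.rb` constants and the resolved Nokogiri version in `Gemfile.lock` against the fixed versions listed above. This is an added example, not code from the Redmine project; it assumes the `MAJOR`/`MINOR`/`TINY` layout of `version.rb` and the four-space `specs:` indentation of `Gemfile.lock`, and runs on constructed sample input.

```ruby
# Minimum patched release per stable branch, as listed in this announcement.
FIXED_REDMINE = {
  [6, 0] => Gem::Version.new('6.0.4'),
  [5, 1] => Gem::Version.new('5.1.7'),
  [5, 0] => Gem::Version.new('5.0.12')
}.freeze
# Nokogiri release carrying the CVE-2025-24928 / CVE-2024-56171 fixes.
FIXED_NOKOGIRI = Gem::Version.new('1.18.3')

# Read MAJOR/MINOR/TINY from the text of lib/redmine/version.rb (assumed layout).
def redmine_version_from(version_rb)
  parts = %w[MAJOR MINOR TINY].map do |name|
    m = version_rb.match(/^\s*#{name}\s*=\s*(\d+)/) or return nil
    m[1]
  end
  Gem::Version.new(parts.join('.'))
end

# Resolved gems in Gemfile.lock sit under "specs:" at exactly four spaces; deeper
# lines are dependency constraints and are skipped. The platform suffix (e.g.
# "-x86_64-linux") is dropped so it is not read as a prerelease tag; lowest wins.
def nokogiri_version_from(gemfile_lock)
  found = gemfile_lock.scan(/^ {4}nokogiri \((\d+(?:\.\d+)*)/).flatten
  return nil if found.empty?
  found.map { |v| Gem::Version.new(v) }.min
end

# true/false for branches this advisory covers; nil for any other branch.
def patched?(redmine_version, nokogiri_version)
  floor = FIXED_REDMINE[redmine_version.segments[0, 2]]
  return nil if floor.nil?
  redmine_version >= floor && nokogiri_version >= FIXED_NOKOGIRI
end

# Constructed sample inputs, not taken from any real installation.
SAMPLE_VERSION_RB = <<~RUBY
  module VERSION
    MAJOR = 6
    MINOR = 0
    TINY  = 4
  end
RUBY
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    specs:
      nokogiri (1.18.3-x86_64-linux)
      rails (7.2.2.1)
        nokogiri (>= 1.8.5)
LOCK
```

Run `patched?(redmine_version_from(File.read('lib/redmine/version.rb')), nokogiri_version_from(File.read('Gemfile.lock')))` from the Redmine root; a `false` on a covered branch means the Redmine code or the bundled Nokogiri still predates these releases.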

Additionally, the issue "Redmine fails to start if the database adapter name "mysql" in config/database.yml" (#42013) has been resolved in version 5.1.7 (#42245).

Changes

Common changes in 6.0.4, 5.1.7, 5.0.12 (2 changes)

Security

  • Defect #42194: /my/account does not correctly enforce sudo mode
    "My account" view (/my/account) does not correctly enforce sudo mode

  • Patch #42333: Update Nokogiri to 1.18.3
    Update Nokogiri to 1.18.3

Common changes in 6.0.4, 5.1.7 (6 changes)

Code cleanup/refactoring

  • Defect #42200: InlineAutocompleteSystemTest login test fails randomly
    Login test in InlineAutocompleteSystemTest fails randomly

  • Patch #42244: Fix random failures in IssuesTest#test_bulk_copy due to StaleElementReferenceError
    Fix random failures in IssuesTest#test_bulk_copy due to StaleElementReferenceError

Gems support

  • Defect #42245: 5.1-stable: Redmine fails to start with error: Unknown database adapter "mysql2" found in config/database.yml
    Redmine fails to start if the database adapter name "mysql" in config/database.yml

No category

  • Feature #30069: Use GitHub Actions as a secondary CI solution to run tests through the existing mirroring
    Use GitHub Actions as a secondary CI solution

Security

  • Defect #42326: Stored Cross-Site Scripting (XSS) in macros
    Stored Cross-Site Scripting (XSS) in macros

  • Defect #42352: ProjectQuery leaks details of private project
    ProjectQuery leaks details of private project

Changes only in 6.0.4 (9 changes)

Administration

  • Feature #42008: Expose default Rails health check endpoint "/up" for load balancers and uptime monitoring
    Expose default Rails health check endpoint "/up"

Custom fields

  • Defect #42233: Float custom values with ',' as decimal separator are not converted to '.' and cause SQL errors when sorting or summing
    Float custom values with ',' as decimal separator are not converted to '.'

Project settings

  • Defect #42192: Project settings members tab may raise ArgumentError if orphaned member records exist
    Project settings members tab may raise ArgumentError if orphaned member records exist

Security

  • Defect #42238: Stored Cross-Site Scripting (XSS) in custom query
    Stored Cross-Site Scripting (XSS) in custom query

Time tracking

  • Defect #42172: format_hours method produces incorrect output for negative time values when Setting.timespan_format is "minutes"
    format_hours method produces incorrect output for negative time values when Setting.timespan_format is "minutes"

Translations

  • Defect #42170: Fix Turkish translation of field_assignable
    Fix Turkish translation of field_assignable

  • Patch #42239: Czech translation update for 6.0-stable
    Czech translation update for 6.0-stable

UI

  • Defect #42229: Latest news box on home page misses icons
    "Latest news" box on "Home" misses icons

UI - Responsive

  • Defect #42182: Poor color contrast of icons on flyout menu
    Poor color contrast of icons on flyout menu
