OpenProject 7.4.3
Several security fixes have been made as part of the Ruby 2.4.4 release as well as in gems used by OpenProject. We urge users to update their Ruby installations. If you’re using the packaged installation, this package will contain all necessary fixes.
Security fixes
- Updates rails-html-sanitizer to 1.0.4 to address CVE-2018-3741
- Updates loofah to 2.2.2 to address CVE-2018-8048
- Updates Ruby to 2.4.4 to address the following CVEs:
  - CVE-2017-17742: HTTP response splitting in WEBrick
  - CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
  - CVE-2018-8777: DoS by large request in WEBrick
  - CVE-2018-8778: Buffer under-read in String#unpack
  - CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
  - CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
For more information, please refer to the Ruby 2.4.4 release announcement.
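A quick way to confirm an installation actually carries the fixed versions listed above is to compare the running Ruby and the gems pinned in Gemfile.lock against them. The script below is an added example, not OpenProject code; the lockfile excerpt it checks is constructed, and a version is compared with Gem::Version so that, for instance, 1.0.10 is correctly treated as newer than 1.0.4.

```ruby
# Added example (not part of OpenProject): report which components from the
# 7.4.3 security fixes are still below their fixed version.
require 'rubygems'

# Minimum fixed versions taken from the release note.
FIXED_VERSIONS = {
  'ruby'                 => '2.4.4', # CVE-2017-17742, CVE-2018-6914, CVE-2018-8777..8780
  'rails-html-sanitizer' => '1.0.4', # CVE-2018-3741
  'loofah'               => '2.2.2'  # CVE-2018-8048
}.freeze

# Parse the "specs:" section of a Gemfile.lock into { gem name => version }.
# Top-level entries are indented by exactly four spaces ("    name (x.y.z)");
# dependency lines are indented deeper and are skipped. Platform suffixes
# such as "-x86_64-linux" are dropped so Gem::Version can parse the value.
def parse_lock_specs(lock_text)
  specs = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([0-9][0-9A-Za-z.]*)/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Names of components whose version is older than the fixed version.
# Gems absent from the lockfile are not in use and are not flagged.
def missing_fixes(lock_text, ruby_version = RUBY_VERSION)
  installed = parse_lock_specs(lock_text).merge('ruby' => ruby_version)
  FIXED_VERSIONS.select do |name, fixed|
    have = installed[name]
    !have.nil? && Gem::Version.new(have) < Gem::Version.new(fixed)
  end.keys
end

# Constructed pre-upgrade lockfile excerpt used for the demonstration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.1.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  outdated = missing_fixes(SAMPLE_LOCK, '2.4.3')
  puts(outdated.empty? ? 'all listed fixes present' : "still outdated: #{outdated.join(', ')}")
end
```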
Changes
- A separate icon has been included for the Two-factor authentication plugin (#27150)
- The SMTP authentication setting "none" can now be configured through the system settings. (#27284)
For further information on the 7.4.3 release, please refer to the Changelog v7.4.3 or take a look at GitHub.