Redmine 0.8.7 Released

Added by Eric Davis on November 16, 2009 in Home Community

Redmine 0.8.7 was just released yesterday, November 15th. This is a point release which fixes a major security vulnerability. If you're running a public Redmine server, it's highly recommended that you upgrade as soon as possible.

CSRF Security Vulnerability

The Redmine security team was contacted by p0deje about a potential CSRF vulnerability with some example code to exploit it. After reviewing it, we created a fix and rushed out 0.8.7 to address the vulnerability.

Hide the paragraph terminator on HTML exports

On the wiki pages there is a paragraph terminator (ΒΆ) after each heading to make it easy to link to a specific section of the page. As of r3026, this will now be hidden on the HTML export of the page until the heading is hovered over. Issue #4194.

Start date not included in the spent time report with SQLite

0.8.7 includes a fix for the Spent Time report with SQLite. It appears that the starting date was using the time of "00:00:00" with the dates which caused SQLite to exclude today in the range. This should be fixed in r3009, Issue #3112

Preformatted tags with <pre would be incorrectly formatted

You can now enter tags starting with pre into a <pre> block. There was a bug where Redmine would think that the content should have another <pre> tag added instead of just rendering the tag as it was entered. For example if you enter some xml inside a pre sections like:

    <prepared-statement>Some xml</prepared-statement>

Redmine was seeing the inner pre in prepared-statement and thought it was another preformatted block. This is now fixed in r3030, Issue #4125

Password field on the login page was styled differently

On the login page for Redmine, the password field was styled differently on the alternative theme than any other text fields. r3032 adds some styling rules so the fields will match. Issue #3845.

To see more details about all of the changes in 0.8.7, check out the Changelog posted to

Eric Davis