OpenProject 3.0.3

The release of OpenProject 3.0.2 was postponed due to a critical security issue, which was fixed in Ruby on Rails. So we skipped 3.0.2 and bring you 3.0.3 with this issue resolved.

If you want to know more about the vulnerability check out Rafael França’s blog post about the Rails release.

In addition we fixed a possible cross-site scripting attack that involved tricking OpenProject with a faked MIME type when uploading attachments.

In conclusion it is strongly recommended to upgrade your 3.0 based deployments to version 3.0.3 as soon as possible. The OpenProject 3.0.3 tag and the dev branches both include the security fixes.

Bug Fixes

There was a regression in MRI Ruby 2.1.1 that changed some return values of Ruby’s internal class Hash and led to several failing tests. This change is intended for Ruby 2.2 but due to their semantic versioning scheme shouldn’t have been incorporated in 2.1.1. Check out this blog post if you want to know more about it.

From now on we consider version 1 of our API as deprecated. It will be completely removed with the next major release of OpenProject. Please update any client libraries accordingly. As a heads up: we are actively working on version 3 of our API and will deprecate version 2 rather sooner than later as well.

We also brought back the ability to use the database to store your session data. Even though the feature has always been inside Rails’ source code it was difficult to configure it in OpenProject. You can now use your configuration.yml as well as the respective environment variable to configure the session store. See config/configuration.yml.example if you want to know how to do that exactly.

And here is the full changelog 3.0.3