We released OpenProject 7.4.3. The release contains several bug fixes. We recommend the update to the current version.
Several security fixes have been made as part of the Ruby 2.4.4 release as well as in gems used by OpenProject. We urge users to update their Ruby installations. If you’re using the packaged installation, this package will contain all necessary fixes.
- Updates rails-html-sanitizer to 1.0.4 to address CVE-2018-3741
- Updates loofah to 2.2.2 to address CVE-2018-8048
- Updates Ruby 2.4.4 to address the following CVEs:
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
For more information, please refer to the Ruby 2.4.4 release announcement.