OpenProject 10.0.2

We released OpenProject 10.0.2. The release contains a security related fix and we urge updating to the newest version.

[CVE-2019-17092] XSS injection vulnerability in projects listing in versions before 9.0.4, 10.0.2

An XSS vulnerability in project list in OpenProject before 9.0.4 and 10.x before 10.0.2 allows remote attackers to inject arbitrary web script or HTML via the sortBy parameter because error messages are mishandled.

This vulnerability has been assigned the CVE identifier CVE-2019-17092.

Versions Affected: Versions <= 9.0.3, 10.0.1 Fixed Versions: 9.0.4, 10.0.2

Credits Thanks to David Haintz from the SEC Consult Vulnerability Lab (https://www.sec-consult.com) for identifying and responsibly disclosing the identified issues.

####

Incorrect setting results in slow application and RAM usage

The environment variable WEB_CONCURRENCY has been used by OpenProject for some time to control the number of web workers to be spawned by the Unicorn application server. It is defaulting to 4 workers which should account to around 1 - 1.2GB of RAM usage.

In the upgrade to OpenProject 10, a buildpack from Heroku was updated to control the packaging of the frontend and its assets (our Angular frontend), which appears to be using the same variable for setting internal workers that are unrelated to our setup. This has resulted in the WEB_CONCURRENCY value to be set to a number that would exhaust many servers being set up for OpenProject and in turn resulting in bad performance of OpenProject and any other service.

This has been fixed in this release. We now use the environment variable OPENPROJECT_WEB_WORKERS to control the same setting. If you previously set WEB_CONCURRENCY in your application to a lower or higher number, please also set the OPENPROJECT_WEB_WORKERS variable to the same value.

####

OtherBug fixes and changes

Fixed: Inconsistent row heights when resizing widgets [#31048]
Fixed: In Budgets projected unit costs and labor cost is not shown [#31247]
Fixed: Restart puma workers to cope with potential memory leaks [#31262]
Fixed: “Enterprise Edition” blue bar would be nicer horizontally [#31265]

####

Contributions

Thanks to David Haintz from SEC Consult Vulnerability Lab for identifying and responsibly disclosing the identified issues.

A big thanks to community members for reporting bugs and helping us identifying and providing fixes.

Special thanks for reporting and finding bugs go to Andrea Pistai

Help and feedback

If you did not find what you were looking for

SEARCH THE DOCS

If you need help from the community or want to support others

POST ON OPENPROJECT FORUM

If you are eligible for professional support and have more questions

REQUEST SUPPORT

If you find an easily fixable error or need for improvement in the documentation for the stable release

EDIT THIS PAGE

If you would like to suggest bigger updates or improvements to this documentation

CREATE AN ISSUE

If you want to contribute to translate this documentation to another language

TRANSLATE ON CROWDIN

If there's something you don't like or understand about this feature

CREATE AN ISSUE

If you want to propose a new feature that OpenProject does not offer yet

SUBMIT FEATURE PROPOSAL

To further help OpenProject to shape and test new features

JOIN BETA TESTING

To view OpenProject premium features and pricing

VIEW PRICING PAGE

If you want to try all premium features in the OpenProject Cloud Edition 14 days for free

Free trial OpenProject Cloud Edition

If you want to try all premium features in your on premise Community installation 14 days for free

Free trial OpenProject Enterprise Edition (on premise)