From c28b95dcdbda20e5bcb5de625edeefa48a5c28f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:46:00 +0200
Subject: [PATCH 01/19] Update security fixes
---
 docs/release-notes/16-6-10/README.md | 47 ++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docs/release-notes/16-6-10/README.md
diff --git a/docs/release-notes/16-6-10/README.md b/docs/release-notes/16-6-10/README.md
new file mode 100644
index 00000000000..07158d8dd9b
--- /dev/null
+++ b/docs/release-notes/16-6-10/README.md
@@ -0,0 +1,47 @@
+---
+title: OpenProject 16.6.10
+sidebar_navigation:
+ title: 16.6.10
+release_version: 16.6.10
+release_date: 2026-03-31
+---
+
+ # OpenProject 16.6.10
+
+ Release date: 2026-03-31
+
+ We released OpenProject [OpenProject 16.6.10](https://community.openproject.org/versions/2290).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+
+
+## Security fixes
+
+
+
+### CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
+
+The =n operator in cost reports did not appropriately treat user input
+
+
+
+This vulnerability was reported by user [Ochk0](https://github.com/Ochk0) through a GitHub security advisory. Thank you for responsibly disclosing your findings.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-5rrm-6qmq-2364](https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364)
+
+
+
+
+
+
+## Bug fixes and changes
+
+
+
+
+
+
+
From 937100068d8be76d9166edd5e63f55a89bc672db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:46:01 +0200
Subject: [PATCH 02/19] Add release-notes file
---
 docs/release-notes/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md
index f9791832add..287d1213c73 100644
--- a/docs/release-notes/README.md
+++ b/docs/release-notes/README.md
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
+## 16.6.10
+
+Release date: 2026-03-31
+
+[Release Notes](16-6-10/)
+
+
 ## 16.6.9
 Release date: 2026-03-16
From 53daf3c4993f0dea087fd0de0596aab8f968dbe6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:46:01 +0200
Subject: [PATCH 03/19] Update publiccode.yml
---
 publiccode.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/publiccode.yml b/publiccode.yml
index 98ce1ed14c6..8ba1abc207d 100644
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-03-16'
-softwareVersion: '16.6.9'
+releaseDate: '2026-03-31'
+softwareVersion: '16.6.10'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'
From 511bf519b409e9556a4ec532d898de3e3ab6a0b9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:46:03 +0200
Subject: [PATCH 04/19] Bumped version to 16.6.11 [ci skip]
---
 lib/open_project/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
index ac504763220..6671a12a2b0 100644
--- a/lib/open_project/version.rb
+++ b/lib/open_project/version.rb
@@ -33,7 +33,7 @@ module OpenProject
 module VERSION # :nodoc:
 MAJOR = 16
 MINOR = 6
- PATCH = 10
+ PATCH = 11
 class << self
 # Used by semver to define the special version (if any).
From b626c34020a0e10829bf19a35e648bd25e0d7247 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:48:13 +0200
Subject: [PATCH 05/19] Update hocuspocus image to openproject/hocuspocus:17.0.7
---
 docker/prod/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile
index b437fa28592..2683e39dfd0 100755
--- a/docker/prod/Dockerfile
+++ b/docker/prod/Dockerfile
@@ -113,7 +113,7 @@ ENV PGDATA=/var/openproject/pgdata
 COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu
 RUN chmod +x /usr/local/bin/gosu && gosu nobody true
-COPY --from=openproject/hocuspocus:17.0.6 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
+COPY --from=openproject/hocuspocus:17.0.7 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
 RUN ./docker/prod/setup/postinstall-onprem.sh && \
 ln -s /app/docker/prod/setup/.irbrc /root/
From 9867c9458547abdd9f49ba0d879d61a092efee45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:48:15 +0200
Subject: [PATCH 06/19] Update security fixes
---
 docs/release-notes/17-0-7/README.md | 47 +++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docs/release-notes/17-0-7/README.md
diff --git a/docs/release-notes/17-0-7/README.md b/docs/release-notes/17-0-7/README.md
new file mode 100644
index 00000000000..0f6bcebb5fc
--- /dev/null
+++ b/docs/release-notes/17-0-7/README.md
@@ -0,0 +1,47 @@
+---
+title: OpenProject 17.0.7
+sidebar_navigation:
+ title: 17.0.7
+release_version: 17.0.7
+release_date: 2026-03-31
+---
+
+ # OpenProject 17.0.7
+
+ Release date: 2026-03-31
+
+ We released OpenProject [OpenProject 17.0.7](https://community.openproject.org/versions/2291).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+
+
+## Security fixes
+
+
+
+### CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
+
+The =n operator in cost reports did not appropriately treat user input
+
+
+
+This vulnerability was reported by user [Ochk0](https://github.com/Ochk0) through a GitHub security advisory. Thank you for responsibly disclosing your findings.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-5rrm-6qmq-2364](https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364)
+
+
+
+
+
+
+## Bug fixes and changes
+
+
+
+
+
+
+
From 3945dc3f6e12084ad20eeec27ea29b4595e115e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:48:16 +0200
Subject: [PATCH 07/19] Add release-notes file
---
 docs/release-notes/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md
index 0d72c4abe12..bae3a906be4 100644
--- a/docs/release-notes/README.md
+++ b/docs/release-notes/README.md
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
+## 17.0.7
+
+Release date: 2026-03-31
+
+[Release Notes](17-0-7/)
+
+
 ## 16.6.10
 Release date: 2026-03-31
From d80c2d0e6deef76680120daee16f51a7a0bca55a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:48:17 +0200
Subject: [PATCH 08/19] Update publiccode.yml
---
 publiccode.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/publiccode.yml b/publiccode.yml
index 4033887296e..248e89ba5ad 100644
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-03-16'
-softwareVersion: '17.0.6'
+releaseDate: '2026-03-31'
+softwareVersion: '17.0.7'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'
From dede2beeb9e19ff42b88801ed1cfa435263319e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:48:19 +0200
Subject: [PATCH 09/19] Bumped version to 17.0.8 [ci skip]
---
 lib/open_project/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
index 69115eec5d5..33969e3bdb1 100644
--- a/lib/open_project/version.rb
+++ b/lib/open_project/version.rb
@@ -33,7 +33,7 @@ module OpenProject
 module VERSION # :nodoc:
 MAJOR = 17
 MINOR = 0
- PATCH = 7
+ PATCH = 8
 class << self
 def revision
From 950bb962e8404461658436a9f178a5433a28ef93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:49:46 +0200
Subject: [PATCH 10/19] Update hocuspocus image to openproject/hocuspocus:17.1.4
---
 docker/prod/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile
index c312595b02c..fd8b3582470 100755
--- a/docker/prod/Dockerfile
+++ b/docker/prod/Dockerfile
@@ -113,7 +113,7 @@ ENV PGDATA=/var/openproject/pgdata
 COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu
 RUN chmod +x /usr/local/bin/gosu && gosu nobody true
-COPY --from=openproject/hocuspocus:17.1.3 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
+COPY --from=openproject/hocuspocus:17.1.4 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
 RUN ./docker/prod/setup/postinstall-onprem.sh && \
 ln -s /app/docker/prod/setup/.irbrc /root/
From cc2ddb8d3bd201385c37bee1ff5e0617ad05bf9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:49:48 +0200
Subject: [PATCH 11/19] Update security fixes
---
 docs/release-notes/17-1-4/README.md | 47 +++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docs/release-notes/17-1-4/README.md
diff --git a/docs/release-notes/17-1-4/README.md b/docs/release-notes/17-1-4/README.md
new file mode 100644
index 00000000000..a555fde016e
--- /dev/null
+++ b/docs/release-notes/17-1-4/README.md
@@ -0,0 +1,47 @@
+---
+title: OpenProject 17.1.4
+sidebar_navigation:
+ title: 17.1.4
+release_version: 17.1.4
+release_date: 2026-03-31
+---
+
+ # OpenProject 17.1.4
+
+ Release date: 2026-03-31
+
+ We released OpenProject [OpenProject 17.1.4](https://community.openproject.org/versions/2292).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+
+
+## Security fixes
+
+
+
+### CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
+
+The =n operator in cost reports did not appropriately treat user input
+
+
+
+This vulnerability was reported by user [Ochk0](https://github.com/Ochk0) through a GitHub security advisory. Thank you for responsibly disclosing your findings.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-5rrm-6qmq-2364](https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364)
+
+
+
+
+
+
+## Bug fixes and changes
+
+
+
+
+
+
+
From 3548b4b6dfeb9348920ea83fc5617e1b296bdf55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:49:49 +0200
Subject: [PATCH 12/19] Add release-notes file
---
 docs/release-notes/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md
index b647353dac5..b9cbb2a6c89 100644
--- a/docs/release-notes/README.md
+++ b/docs/release-notes/README.md
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
+## 17.1.4
+
+Release date: 2026-03-31
+
+[Release Notes](17-1-4/)
+
+
 ## 17.0.7
 Release date: 2026-03-31
From cfd02ec9959ab3782608715baf25cd22e37a0375 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:49:50 +0200
Subject: [PATCH 13/19] Update publiccode.yml
---
 publiccode.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/publiccode.yml b/publiccode.yml
index 690b0121691..b1c5e96d049 100644
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-03-16'
-softwareVersion: '17.1.3'
+releaseDate: '2026-03-31'
+softwareVersion: '17.1.4'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'
From e37ae68d357dc0f75f21bf54a6306d32b04552a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:49:52 +0200
Subject: [PATCH 14/19] Bumped version to 17.1.5 [ci skip]
---
 lib/open_project/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
index ceea00c781b..dd6ac187ac5 100644
--- a/lib/open_project/version.rb
+++ b/lib/open_project/version.rb
@@ -33,7 +33,7 @@ module OpenProject
 module VERSION # :nodoc:
 MAJOR = 17
 MINOR = 1
- PATCH = 4
+ PATCH = 5
 class << self
 def revision
From 939b87b1e501dff37f6399d3d0741a158b902373 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:52:24 +0200
Subject: [PATCH 15/19] Update hocuspocus image to openproject/hocuspocus:17.2.3
---
 docker/prod/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile
index bc73fdc9e42..82419fa5fee 100755
--- a/docker/prod/Dockerfile
+++ b/docker/prod/Dockerfile
@@ -140,7 +140,7 @@ ENV PGDATA=/var/openproject/pgdata
 COPY --from=openproject/gosu /go/bin/gosu /usr/local/bin/gosu
 RUN chmod +x /usr/local/bin/gosu && gosu nobody true
-COPY --from=openproject/hocuspocus:17.2.2 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
+COPY --from=openproject/hocuspocus:17.2.3 --chown=$APP_USER:$APP_USER /app /opt/hocuspocus
 # Keep node/npm in all-in-one for bundled hocuspocus even when BIM support is disabled.
 COPY --from=build-base /usr/local/bin/node /usr/local/bin/node
 COPY --from=build-base /usr/local/lib/node_modules /usr/local/lib/node_modules
From 373ef9172e304920c3935a2043933bc7453df881 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:52:25 +0200
Subject: [PATCH 16/19] Update security fixes
---
 docs/release-notes/17-2-3/README.md | 47 +++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 docs/release-notes/17-2-3/README.md
diff --git a/docs/release-notes/17-2-3/README.md b/docs/release-notes/17-2-3/README.md
new file mode 100644
index 00000000000..ddeda64f106
--- /dev/null
+++ b/docs/release-notes/17-2-3/README.md
@@ -0,0 +1,47 @@
+---
+title: OpenProject 17.2.3
+sidebar_navigation:
+ title: 17.2.3
+release_version: 17.2.3
+release_date: 2026-03-31
+---
+
+ # OpenProject 17.2.3
+
+ Release date: 2026-03-31
+
+ We released OpenProject [OpenProject 17.2.3](https://community.openproject.org/versions/2287).
+ The release contains several bug fixes and we recommend updating to the newest version.
+ Below you will find a complete list of all changes and bug fixes.
+
+
+
+## Security fixes
+
+
+
+### CVE-2026-34717 - SQL Injection in Cost Reporting =n Operator via parse_number_string
+
+The =n operator in cost reports did not appropriately treat user input
+
+
+
+This vulnerability was reported by user [Ochk0](https://github.com/Ochk0) through a GitHub security advisory. Thank you for responsibly disclosing your findings.
+
+
+
+For more information, please see the [GitHub advisory #GHSA-5rrm-6qmq-2364](https://github.com/opf/openproject/security/advisories/GHSA-5rrm-6qmq-2364)
+
+
+
+
+
+
+## Bug fixes and changes
+
+
+
+
+
+
+
From 9b0118fd5ac97eb4a41e321320dda6746347e79f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:52:27 +0200
Subject: [PATCH 17/19] Add release-notes file
---
 docs/release-notes/README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/docs/release-notes/README.md b/docs/release-notes/README.md
index ae24f91df5b..e42849aa557 100644
--- a/docs/release-notes/README.md
+++ b/docs/release-notes/README.md
@@ -13,6 +13,13 @@ Stay up to date and get an overview of the new features included in the releases
+## 17.2.3
+
+Release date: 2026-03-31
+
+[Release Notes](17-2-3/)
+
+
 ## 17.1.4
 Release date: 2026-03-31
From bcee06c89f9ae19512f992dc8f72f21093e0b722 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:52:27 +0200
Subject: [PATCH 18/19] Update publiccode.yml
---
 publiccode.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/publiccode.yml b/publiccode.yml
index a4c4f9261bf..3e4be88d4fa 100644
--- a/publiccode.yml
+++ b/publiccode.yml
@@ -7,8 +7,8 @@ name: OpenProject
 applicationSuite: openDesk
 url: 'https://github.com/opf/openproject'
 roadmap: 'https://www.openproject.org/roadmap'
-releaseDate: '2026-03-17'
-softwareVersion: '17.2.2'
+releaseDate: '2026-03-31'
+softwareVersion: '17.2.3'
 developmentStatus: stable
 softwareType: standalone/web
 logo: 'publiccode_logo.svg'
From 8081e2d9c917277c56ae69f5ad03d02423a63e8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 31 Mar 2026 08:52:30 +0200
Subject: [PATCH 19/19] Bumped version to 17.2.4 [ci skip]
---
 lib/open_project/version.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/open_project/version.rb b/lib/open_project/version.rb
index 17808308b57..d1d6c08394e 100644
--- a/lib/open_project/version.rb
+++ b/lib/open_project/version.rb
@@ -33,7 +33,7 @@ module OpenProject
 module VERSION # :nodoc:
 MAJOR = 17
 MINOR = 2
- PATCH = 3
+ PATCH = 4
 class << self
 def revision