Subscribe: Project News: ]project-open[ - Service Management

Recent changes to news

Last Build Date: Fri, 19 Aug 2016 12:06:35 -0000


]po[ V4.x Security Advisory - Session ID Not Updated

Fri, 19 Aug 2016 12:06:35 -0000

Dear All,

Thanks to feedback from a community member, we have detected a security issue in the ]project-open[ authentication system in ]po[ V4.x and below.

Affected Versions:

This issue affects ]po[ V4.1 and all previous versions over unsecured (HTTP) connections. It does not affect ]po[ V5.0 and higher and does not affect users using exclusively secured (HTTPS) connections.


The bug allows a remote attacker to gain access to a ]po[ server by manipulating session identifiers.


Please see the following posting for details:

Exploitation status:

No exploit is known yet and no intrusion attempt has been observed yet.


The issue is fixed in OpenACS 5.9 / ]project-open[ V5.0. Also, the issue disappears if all users communicate with the server via HTTPS. Please contact for either installing certificates on your ]po[ server or for an upgrade to ]po[ V5.0.

Best regards

HEISE iX says: ]po[ is a serious alternative to MS Project Server

Wed, 15 Jun 2016 13:44:22 -0000

iX, Germany's #1 "enterprise IT" magazine, writes about alternatives to Microsoft Project Server in its special open-source edition, calling ]project-open[ a "serious alternative". It continues: "]project-open[ excels with import and export options for desktop applications including MS Project, ProjectLibre and GanttProject". The special edition (in German) is available at They re-tweeted our statement at

Being a serious alternative to MS Project Server (and Oracle Primavera and CA Clarity) is our #1 objective for the upcoming V5.0 release (please see the roadmap, and yes, we are late again). New functionality includes an HTML5 Gantt Editor, an HTML5 Portfolio Planner and a number of high-level reports, including the option to create PowerPoint decks with charts etc. directly from within the system.

Please let us know if you want to get involved in the beta phase, we offer free upgrades and support. Otherwise just stay tuned. We'll announce the final release here on SourceForge, on Twitter @projop and on LinkedIn

]po[ - Issue with Financial Impact Advisory for All Versions

Wed, 29 Apr 2015 11:15:13 -0000

Dear All,

Thanks to feedback from a customer, we have today detected and fixed a bug in the ]project-open[ time sheet system.


The bug has an impact on the profit & loss calculation of projects and budget adherence. However, the bug does not impact financial documents towards customers, providers or employees. The bug does not apply to normal timesheet logging activities.


When moving hours from one project to another or when modifying the number of hours logged on a project using the /intranet-timesheet2/www/hours/one file as a supervisor, the logged hours will be moved or modified correctly. However, the time sheet cost item was not updated accordingly.
This issue appears only when a supervisor corrects the hours of other employees. It does not appear during normal time sheet logging activities using "Timesheet" -> Log hours for a day.


Fixes are available for all ]po[ versions since ]po[ V3.2. The ]po[ team will notify all customers with a support contract and fix the installed systems. Users without a support contract may upgrade to the latest version from CVS or contact for a support agreement.

Best regards

]po[ - Security Advisory - ShellShock

Fri, 26 Sep 2014 13:24:50 -0000


Your ]project-open[ server may be affected by ShellShock.
Please continue to read the following discussion thread:


]po[ - Security Advisory - Weak SSL Ciphers in VMware Installer

Tue, 29 Apr 2014 15:08:59 -0000


Thanks to a security audit together with one of our customers, we have found that the default SSL configuration of our default VMware installer contains outdated ciphers that should be disabled.

This advisory only affects users who are using SSL encryption via the Pound reverse proxy.


Sophisticated attackers will be able to listen to HTTPS protected connections between browsers and the ]po[ server and possibly steal your password.


Please edit your /etc/pound.cfg file and add a "Ciphers" statement in the ListenHTTPS section similar to the one below:

    Port       443
    Cert       "/etc/pound/server.pem"
    Ciphers     "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL"
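
A check for the condition this advisory describes, as an added example that is not part of the original advisory or of the ]project-open[ code: it walks a Pound configuration and reports every ListenHTTPS section that has no Ciphers statement, or whose statement lacks one of the exclusions from the sample above. The function names and the sample configuration are constructed for illustration.

```python
# Exclusions taken from the advisory's sample Ciphers string.
REQUIRED_EXCLUSIONS = ("LOW", "aNULL", "ADH", "EXP", "eNULL")
# Pound keywords handled here that open a block closed by "End" (case-insensitive).
BLOCK_OPENERS = {"listenhttp", "listenhttps", "service", "backend", "emergency", "session"}
# Constructed sample: one listener without Ciphers, one with an incomplete list.
SAMPLE_CFG = """
ListenHTTPS
    Port 443
    Service
        BackEnd
            Port 8000
        End
    End
End
ListenHTTPS
    Port 8443
    Ciphers "SSLv3:TLSv1:-LOW:-aNULL"
End
"""

def check_listener(port, ciphers):
    if ciphers is None:
        return [(port, "no Ciphers statement")]
    tokens = ciphers.split(":")
    return [(port, "Ciphers does not exclude " + c) for c in REQUIRED_EXCLUSIONS
            if "-" + c not in tokens and "!" + c not in tokens]

def audit_pound_cfg(text):
    """Return (port, problem) tuples for every ListenHTTPS block in text."""
    findings, depth, listener = [], 0, None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split keyword/value
        if not parts:
            continue
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key in BLOCK_OPENERS:
            depth += 1
            if key == "listenhttps" and depth == 1:
                listener = {"port": "?", "ciphers": None}
        elif key == "end":
            if depth == 1 and listener is not None:
                findings += check_listener(listener["port"], listener["ciphers"])
                listener = None
            depth = max(depth - 1, 0)
        elif listener is not None and depth == 1 and key in ("port", "ciphers"):
            listener[key] = value  # depth 1 only, so the BackEnd's Port is ignored
    return findings
print(audit_pound_cfg(SAMPLE_CFG))
```

To audit a real server, pass the contents of /etc/pound.cfg to audit_pound_cfg instead of the sample.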


Maybe this is also a good moment to check some other security aspects of your ]po[ installation:

  • Port 22 (SSH): Did you change the default passwords for the users "root" and "projop"? Do you regularly change passwords?

  • Port 80 (HTTP): Is your port 80 accessible, allowing users to connect to the server without encryption? This may be suitable in protected small company networks, but is not suitable for larger organizations or the Internet because authentication tokens (and during login also your password) are sent in clear text over "the wire".

  • Port 443 (HTTPS): Do you have a valid certificate in place?

  • Port 2401 (PostgreSQL): Is PostgreSQL accessible from the outside (disabled by default)? Does your /var/lib/pgsql/data/pg_hba.conf require passwords in a secure way for incoming TCP connections? (

  • Are there any other ports open except for 22, 80, 443, 2401 and 8000? Please run "nmap" on your own server.

Please contact for questions and professional services concerning these issues.

Best regards,

]project-open[ amongst Top 10 open source projects

Tue, 31 Dec 2013 14:00:38 -0000

]project-open[ is featured amongst the top 10 open source projects 2013 of The top 10 list also includes Project Libre which is compatible with ]project-open[ and that can be used as a ]po[ Gantt front-end.

]project-open[ V4.0 Released - Integration with MS-Project

Fri, 03 May 2013 12:08:51 -0000

Dear All,

The ]project-open[ team is proud to announce the availability of ]project-open[ V4.0. This is the first major release in 24 months and contains more than 15 new modules. The biggest news, however, is the bidirectional "round-trip" integration with MS-Project, allowing project managers to upload their project schedules and leave the communication and management accounting tasks to ]project-open[.

- List of new modules:
- Download - Installers are available for MS-Windows and CentOS Linux on VMware:
- Support, Enterprise Edition,... :

For questions and suggestions please contact our support team at or reply to this announcement.

Best regards

New Tutorial: Building mobile ]po[ apps for iPhone & Android using Sencha Touch

Tue, 16 Apr 2013 10:35:21 -0000


The following tutorial describes a 400 line sample app for listing, editing and creating "notes" using Sencha Touch as a front-end and the ]project-open[ REST interface as a back-end. All development is done in JavaScript; you don't need to know TCL.


]po[ V4.0.3.Beta-01 Windows Installer Released

Fri, 18 Jan 2013 09:33:49 -0000


After a lot of testing and even more fixing we've just uploaded the first V4.0.3 "Beta" version of the Windows installer. This is the improved version of the last alpha-28 (

Most of the issues listed in the posting above have been fixed, except for:

  • Windows Permission Issues:
    Changes made by users in unprivileged mode can affect the ]po[ installation,
    including manual modifications of the "/servers/projop/filestorage" or running
    a "cvs update" in the /servers/projop/packages/ folder.
    We have not yet found any reasonable solution for this problem. Maybe you
    have got a good idea?
  • Server Restart and Logroll:
    The server still doesn't restart, so you need to manually restart the Windows
    service. We are looking into several options at the moment.
  • Application Issues:
    There is still an issue with cloning projects.

Please help us to test the Beta and tell us if something goes wrong (or if you successfully run the system).


]po[ - Security Advisory for ALL Versions

Mon, 10 Sep 2012 19:20:17 -0000

Hi,

We have just been informed about a security issue in the time sheet logging functionality that allows any user with access to the HTTP port to see the names of users logging hours and the names of the tasks on which they have logged hours. The issue is already fixed in V3.5 and V4.0 (please see below). Here is the detailed information:

Impact:

The issue is rooted in a non-existing permission check in a set of time sheet reports. The issue allows any unauthenticated user to:

- See the names (no email or other information) of users who have logged hours
- See the names (no other information) of the tasks or projects on which the users have logged hours. However, projects frequently contain the name of customers by convention, so there may be some exposure to names of customers.

The issue does not allow the user to modify data or to see anything else than names, as far as we can see at the moment. We will perform a more thorough check soon.

Affected Versions:

The issue appears in all released versions of ]po[ since V1.0. The affected files are actually part of the ACS 3.2 "intranet" package from 2001 by the company ArsDigita. This code was the starting point for the development of ]po[.

Fixes:

We have fixed the problem already in the following releases:

- ]po[ V4. Please perform "cvs update" in the "/packages/intranet-timesheet2/www/hours" folder
- ]po[ V3.5: Please perform "cvs update -r b3-5-0-patches" in the "/packages/intranet-timesheet2/www/hours" folder

These fixes restrict the access to these reports to users with the privilege "view_hours_all", which should be the intended behavior.

There are no fixes for older versions of ]po[. Users of V3.4 or V3.3 please upgrade to V3.5. As an alternative you could simply delete the following files:

- /packages/intranet-timesheet2/www/hours/project*
- /packages/intranet-timesheet2/www/hours/total*

Bests,
Frank