Last Build Date: Fri, 19 Aug 2016 12:06:35 -0000
Fri, 19 Aug 2016 12:06:35 -0000
Thanks for the feedback from a community member we have detected a security issue in the ]project-open[ authentication system in ]po[ V4.x and below.
This issue affects ]po[ V4.1 and all previous versions over unsecured (HTTP) connections. It does not affect ]po[ V5.0 and higher and does not affect users using exclusively secured (HTTPS) connections.
The bug allows a remote attacker to gain access to a ]po[ server by manipulating session identifiers.
Please see the following posting for details:
No exploit is known yet and no intrusion attempt has been observed yet.
The issue is fixed in OpenACS 5.9 / ]project-open[ V5.0. Also, the issue disappears if all users communicate with the server via HTTPS. Please contact email@example.com for either installing certificates on your ]po[ server or for an upgrade to ]po[ V5.0.
Wed, 15 Jun 2016 13:44:22 -0000
iX, Germany's #1 "enterprise IT" magazine writes about alternatives to Microsoft Project Server in it's special open-source edition calling ]project-open[ a "serious alternative". It continues: "]project-open[ excels with import and export options for desktop applications including MS Project, ProjectLibre and GanttProject". The special edition (in German) is available at https://shop.heise.de/katalog/ix-special-open-source-2016. They re-tweeted our statement at https://twitter.com/iX.
Being a serious alternative to MS Project Server (and Oracle Primavera and CA Clarity) is our #1 objective for the upcoming V5.0 release (please see the roadmap, and yes, we are late again). New functionality includes a HTML5 Gantt Editor, a HTML5 Portfolio Planner and a number of high-level reports, including the option to create PowerPoint decks with charts etc. directly from within the system.
Please let us know if you want to get involved in the beta phase, we offer free upgrades and support. Otherwise just stay tuned. We'll announce the final release here on SourceForge, on Twitter @projop and on LinkedIn
Wed, 29 Apr 2015 11:15:13 -0000
Thanks for the feedback from a customer we have today detected and fixed a bug in the ]project-open[ time sheet system.
The bug has an impact on the profit & loss calculation of projects and budget adherence. However, the bug does not impact financial documents towards customer, providers or employees. The bug does not apply to normal timesheet logging activities.
When moving hours from one project to another or when modifying the number of hours logged on a project using the /intranet-timesheet2/www/hours/one file as a supervisor, the logged hours will be moved or modified correctly. However, the time sheet cost item was not updated accordingly.
This issue appears only when a supervisor corrects the hours of other employees. It does not appear during normal time sheet logging activities using "Timeshett" -> Log hours for a day.
Fixes are available for all ]po[ versions since ]po[ V3.2. The ]po[ team will notify all customers with a support contract and fix the installed systems. Users without support contract may upgrade to the latest version from CVS or contact firstname.lastname@example.org for a support agreement.
Fri, 26 Sep 2014 13:24:50 -0000
Your ]project-open[ server may be affected by ShellShock.
Please continue to read the following discussion thread:
Tue, 29 Apr 2014 15:08:59 -0000
Thanks to a security audit together with one of our customers, we have found that the default SSL configuration of our default VMware installer contains outdated ciphers that should be disabled.
This advisory only affects users who are using SSL encryption via the Pound reverse proxy.
Sophisticated attackers will be able to listen to HTTPS protected connections between browsers and the ]po[ server and possibly steal your password.
Please edit your /etc/pound.cfg file and add a "Ciphers" statement in the ListenHTTPS section similar to the one below:
ListenHTTPS Address 0.0.0.0 Port 443 Cert "/etc/pound/server.pem" Ciphers "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL" End
Maybe this is also a good moment to check some other security aspects of your ]po[ installation:
Port 22 (SSH): Did you change the default passwords for the users "root" and "projop"? Do you regularly change passwords?
Port 80 (HTTP): Is your port 80 accessible, allowing users to connect to the server without encryption? This may be suitable in protected small company networks, but is not suitable for larger organizations or the Internet because authentication tokens (and during login also your password) are sent in clear text over "the wire".
Port 443 (HTTPS): Do you have a valid certificate in place?
Port 2401 (PostgreSQL): Is PostgreSQL accessible from the outside (disabled by default)? Does your /var/lib/pgsql/data/pg_hba.conf require passwords in a secure way for incoming TCP connections? (http://www.postgresql.org/docs/8.4/static/auth-pg-hba-conf.html)
Are there any other ports open except for 22, 80, 443, 2401 and 8000? Please run "nmap" on your own server.
Please contact email@example.com for questions and professional services concerning these issues.
Tue, 31 Dec 2013 14:00:38 -0000
]project-open[ is featured amongst the top 10 open source projects 2013 of Opensource.com. The top 10 list also includes Project Libre which is compatible with ]project-open[ and that can be used as a ]po[ Gantt front-end.
Fri, 03 May 2013 12:08:51 -0000
The ]project-open[ team is proud to announce the availability of ]project-open[ V4.0. This is the first major release in 24 month and contains more then 15 new modules. The biggest news however is the bidirectional "round-trip" integration with MS-Project allowing project managers to upload their project schedules and leave the communication and management accounting tasks to ]project-open[.
- List of new modules:
- Download - Installers are available for MS-Windows and CentOS Linux on VMware:
- Support, Enterprise Edition,... :
For questions and suggestions please contact our support team at mailto:firstname.lastname@example.org or reply to this announcement.
Tue, 16 Apr 2013 10:35:21 -0000
Fri, 18 Jan 2013 09:33:49 -0000
After a lot of testing and even more fixing we've just uploaded the first V4.0.3 "Beta" version of the Windows installer. This is the improved version of the last alpha-28 (https://sourceforge.net/p/project-open/discussion/295937/thread/e7a1e4e9/).
Most of the issues listed in the posting above have been fixed, except for:
Please help us to test the Beta and tell us if something goes wrong (or if you successfully run the system).
Mon, 10 Sep 2012 19:20:17 -0000Hi, We have just been informed about a security issue in the time sheet logging functionality that allows any user with access to the HTTP port to see the names of users logging hours and the names of the tasks on which they have logged hours. The issue is already fixed in V3.5 and V4.0 \(please see below\). Here is the detailed information: Impact: The issue is rooted in a non-exiting permission check in a set of time sheet reports. The issue allows any unauthenticated user to: \- See the names \(no email or other information\) of users who have logged hours \- See the names \(no other information\) of the tasks or projects on which the users have logged hours. However, projects frequently contain the name of customers by convention, so there may be some exposure to names of customers. The issue does not allow the user to modify data or to see anything else then names, as far as we can see at the moment. We will perform a more thorough check soon. Affected Versions: The issue appears in all released version of \]po\[ since V1.0. The affected files are actually part of the ACS 3.2 "intranet" package from 2001 by the company ArsDigita. This code was the starting point for the development of \]po\[. Fixes: We have fixed the problem already in the following releases: \- \]po\[ V18.104.22.168.0: Please perform "cvs update" in the /packages/intranet-timesheet2/www/hours" folder \- \]po\[ V3.5: Please perform "cvs update -r b3-5-0-patches" in the /packages/intranet-timesheet2/www/hours" folder These fixes restrict the access to these reports to users with the privilege "view\_hours\_all", which should be the intended behavior. There are no fixes for older versions of \]po\[. User of V3.4 or V3.3 please upgrade to V3.5. As an alternative you could simply delete the following files: \- /packages/intranet-timesheet2/www/hours/project\* \- /packages/intranet-timesheet2/www/hours/total\* Bests, Frank