From ${URL} :

Description
A weakness has been reported in Redmine, which can be exploited by malicious people to conduct spoofing attacks.

Certain unspecified input is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

The weakness is reported in versions prior to 2.5.1 and 2.4.5.

Solution:
Update to version 2.5.1 or 2.4.5.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.redmine.org/projects/redmine/wiki/Changelog
http://www.redmine.org/projects/redmine/wiki/Changelog_2_4

@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
redmine-2.4.5.ebuild was added to the tree. Old and vulnerable versions dropped.
CVE-2014-1985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1985): Open redirect vulnerability in the redirect_back_or_default function in app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x before 2.5.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the back url (back_url parameter).
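As an added illustration of the defensive check that a redirect_back_or_default-style helper needs for back_url (example code written here, not Redmine's own code or its actual fix; the host name and mount point are assumed values):

```ruby
require 'uri'

# Decide whether a user-supplied "back_url" may be used as a redirect target.
# Only same-origin targets under the application's mount point are accepted,
# which removes the open-redirect condition described in CVE-2014-1985.
#
# host          - host the request arrived on, e.g. "redmine.example.org" (assumed)
# relative_root - application mount point, "/" when mounted at the root (assumed)
def safe_back_url?(back_url, host:, relative_root: '/')
  return false if back_url.nil? || back_url.strip.empty?

  begin
    uri = URI.parse(back_url)
  rescue URI::InvalidURIError
    return false # unparsable input (e.g. backslashes, spaces) is never followed
  end

  # Absolute and protocol-relative ("//evil.example") URLs carry a host;
  # accept them only when that host is exactly our own.
  if uri.host
    return false unless uri.host.casecmp?(host)
  end

  # A scheme without a host ("javascript:", "mailto:") is not a page of ours.
  return false if uri.scheme && uri.host.nil?

  path = uri.path.to_s
  return false unless path.start_with?('/')      # must be an absolute path
  return false if path.start_with?('//')          # never a protocol-relative URL
  return false unless path.start_with?(relative_root) # stay under the mount point
  true
end

# Mirrors the shape of a redirect_back_or_default helper: returns the URL to
# redirect to, falling back to +default+ whenever back_url is not safe.
def redirect_target(back_url, default, host:, relative_root: '/')
  safe_back_url?(back_url, host: host, relative_root: relative_root) ? back_url : default
end
```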
(In reply to Peter Volkov from comment #1)
> redmine-2.4.5.ebuild was added to the tree. Old and vulnerable versions
> dropped.

Thank you, Peter. Closing noglsa for ~arch only.