CVE-2017-15568 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15568):
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.

References:
https://github.com/redmine/redmine/commit/94f7cfbf990028348b9262578acbc53a94fce448
https://www.redmine.org/issues/27186
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2017-15569 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15569):
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.

References:
https://github.com/redmine/redmine/commit/56c8ee0440d8555aa7822d947ba9091c8a791508
https://www.redmine.org/issues/27186
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2017-15570 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15570):
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/timelog/_list.html.erb via crafted column data.

References:
https://github.com/redmine/redmine/commit/1a0976417975a128b0a932ba1552c37e9414953b
https://www.redmine.org/issues/27186
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2017-15571 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15571):
In Redmine before 3.2.8, 3.3.x before 3.3.5, and 3.4.x before 3.4.3, XSS exists in app/views/issues/_list.html.erb via crafted column data.

References:
https://github.com/redmine/redmine/commit/273dd9cb3bcfb1e0a0b90570b3b34eafa07d67aa
https://www.redmine.org/issues/27186
https://www.redmine.org/projects/redmine/wiki/Security_Advisories

@ Maintainer(s): Please provide an updated ebuild, all issues have been fixed there.
PR sent https://github.com/gentoo/gentoo/pull/5976
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7924ffe3202f0f64383a958582e2a0f71c35688f

commit 7924ffe3202f0f64383a958582e2a0f71c35688f
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2017-10-18 05:04:50 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 21:02:14 +0000

    www-apps/redmine: remove old versions.

    Bug: https://bugs.gentoo.org/634602
    Package-Manager: Portage-2.3.8, Repoman-2.3.3

 www-apps/redmine/Manifest                | 3 -
 www-apps/redmine/redmine-3.2.7-r1.ebuild | 215 ------------------------------
 www-apps/redmine/redmine-3.2.7.ebuild    | 215 ------------------------------
 www-apps/redmine/redmine-3.3.4-r1.ebuild | 221 -------------------------------
 www-apps/redmine/redmine-3.3.4.ebuild    | 221 -------------------------------
 www-apps/redmine/redmine-3.4.2-r1.ebuild | 221 -------------------------------
 www-apps/redmine/redmine-3.4.2.ebuild    | 221 -------------------------------
 7 files changed, 1317 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9695e19b1513f292dbb1e40019163a7d3f727373

commit 9695e19b1513f292dbb1e40019163a7d3f727373
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2017-10-18 05:02:53 +0000
Commit:     Patrice Clement <monsieurp@gentoo.org>
CommitDate: 2017-10-27 21:02:12 +0000

    www-apps/redmine: security updates for all versions.

    Update to 3.2.8, 3.3.5, 3.4.3 and fix multiple XSS vulnerabilities.

    Bug: https://bugs.gentoo.org/634602
    Package-Manager: Portage-2.3.8, Repoman-2.3.3
    Closes: https://github.com/gentoo/gentoo/pull/5976

 www-apps/redmine/Manifest             | 3 +
 www-apps/redmine/redmine-3.2.8.ebuild | 215 +++++++++++++++++++++++++++++++++
 www-apps/redmine/redmine-3.3.5.ebuild | 221 ++++++++++++++++++++++++++++++++++
 www-apps/redmine/redmine-3.4.3.ebuild | 221 ++++++++++++++++++++++++++++++++++
 4 files changed, 660 insertions(+)
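
The affected ranges in the CVE text are per branch, so a single "older than 3.4.3" comparison would wrongly flag 3.2.8 and 3.3.5. The following is an added example, not code from this bug, Redmine or Gentoo: it classifies a Redmine version or ebuild file name against those ranges, and every constant and method name in it is hypothetical.

```ruby
# Added example: branch-aware check against the affected ranges quoted in the
# CVE text (before 3.2.8, 3.3.x before 3.3.5, 3.4.x before 3.4.3).
# All constant and method names here are hypothetical.

# First fixed release for each branch named in the CVE descriptions.
FIXED_IN = {
  [3, 2] => [3, 2, 8],
  [3, 3] => [3, 3, 5],
  [3, 4] => [3, 4, 3]
}.freeze

# Ebuild file names copied from the two commit summaries in this bug.
REMOVED_EBUILDS = %w[
  redmine-3.2.7-r1.ebuild redmine-3.2.7.ebuild redmine-3.3.4-r1.ebuild
  redmine-3.3.4.ebuild redmine-3.4.2-r1.ebuild redmine-3.4.2.ebuild
].freeze
ADDED_EBUILDS = %w[
  redmine-3.2.8.ebuild redmine-3.3.5.ebuild redmine-3.4.3.ebuild
].freeze

# Return [major, minor, patch] from "3.4.2" or "redmine-3.4.2-r1.ebuild".
# The Gentoo -rN revision is dropped: it does not change the upstream release.
def parse_redmine_version(text)
  m = text.match(/(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:-r\d+)?(?:\.ebuild)?\z/)
  raise ArgumentError, "no x.y.z version in #{text.inspect}" unless m
  m.captures.map(&:to_i)
end

# :affected, :fixed, or :not_listed (branch newer than any the CVE text names).
def redmine_xss_status(text)
  version = parse_redmine_version(text)
  branch = version.first(2)
  # "before 3.2.8" also covers every branch older than 3.2.
  return :affected if (branch <=> FIXED_IN.keys.min) < 0
  fixed = FIXED_IN[branch]
  return :not_listed if fixed.nil?
  (version <=> fixed) < 0 ? :affected : :fixed
end

if __FILE__ == $PROGRAM_NAME
  (REMOVED_EBUILDS + ADDED_EBUILDS).each do |name|
    puts format('%-26s %s', name, redmine_xss_status(name))
  end
end
```
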