Bug 692890 - <www-apps/redmine-4.0.4: persistent XSS vulnerability in the Redmine Textile formatter
Summary: <www-apps/redmine-4.0.4: persistent XSS vulnerability in the Redmine Textile ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~4 [noglsa cve]
Keywords: PullRequest, SECURITY
Depends on:
Blocks:
 
Reported: 2019-08-26 16:07 UTC by Jonas Stein
Modified: 2020-04-17 21:12 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jonas Stein gentoo-dev 2019-08-26 16:07:17 UTC
http://www.redmine.org/news/123

"Security: these 2 releases include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf of Planio. People who use Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable."

http://www.redmine.org/projects/redmine/wiki/Security_Advisories
Comment 1 Larry the Git Cow gentoo-dev 2019-12-08 08:41:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3d1200385e2bab7d8b2c4adc469819519f4470f

commit c3d1200385e2bab7d8b2c4adc469819519f4470f
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 18:16:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:06 +0000

    www-apps/redmine: remove vulnerable versions
    
    Closes: https://bugs.gentoo.org/692890
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Closes: https://github.com/gentoo/gentoo/pull/12807
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   2 -
 .../files/redmine-3.3.7_gemfile_versions.patch     |  44 ----
 .../files/redmine-3.4.5_gemfile_versions.patch     |  41 ----
 www-apps/redmine/redmine-3.3.7.ebuild              | 224 ---------------------
 www-apps/redmine/redmine-3.4.5.ebuild              | 224 ---------------------
 5 files changed, 535 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e163dc22eecc5f00721fa11ee1645b0079031301

commit e163dc22eecc5f00721fa11ee1645b0079031301
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 17:53:46 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:05 +0000

    www-apps/redmine: update to 4.0.5
    
    Implementing GLEP81, fixes #677986 and #692890.
    
    Fixes strict dependencies and adds additional fcgi gem (#657156), fixes
    error with /var/log/redmine permission changes. Clear Gemfile.lock in
    config phase to clean up and update dependencies (#660252).
    
    Closes: https://bugs.gentoo.org/677986
    Closes: https://bugs.gentoo.org/692890
    Closes: https://bugs.gentoo.org/657156
    Closes: https://bugs.gentoo.org/660252
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   1 +
 .../files/redmine-4.0.5_gemfile_versions.patch     |  76 +++++++
 www-apps/redmine/redmine-4.0.5.ebuild              | 224 +++++++++++++++++++++
 3 files changed, 301 insertions(+)