http://www.redmine.org/news/123

"Security: these 2 releases include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf of Planio. People who use Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable."

http://www.redmine.org/projects/redmine/wiki/Security_Advisories

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3d1200385e2bab7d8b2c4adc469819519f4470f

commit c3d1200385e2bab7d8b2c4adc469819519f4470f
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 18:16:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:06 +0000

    www-apps/redmine: remove vulnerable versions

    Closes: https://bugs.gentoo.org/692890
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Closes: https://github.com/gentoo/gentoo/pull/12807
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   2 -
 .../files/redmine-3.3.7_gemfile_versions.patch     |  44 ----
 .../files/redmine-3.4.5_gemfile_versions.patch     |  41 ----
 www-apps/redmine/redmine-3.3.7.ebuild              | 224 ---------------------
 www-apps/redmine/redmine-3.4.5.ebuild              | 224 ---------------------
 5 files changed, 535 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e163dc22eecc5f00721fa11ee1645b0079031301

commit e163dc22eecc5f00721fa11ee1645b0079031301
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 17:53:46 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:05 +0000

    www-apps/redmine: update to 4.0.5

    Implementing GLEP81, fixes #677986 and #692890.
    Fixes strict dependencies and adds additional fcgi gem (#657156),
    fixes error with /var/log/redmine permission changes.
    Clear Gemfile.lock in config phase to clean up and update
    dependencies (#660252).

    Closes: https://bugs.gentoo.org/677986
    Closes: https://bugs.gentoo.org/692890
    Closes: https://bugs.gentoo.org/657156
    Closes: https://bugs.gentoo.org/660252
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   1 +
 .../files/redmine-4.0.5_gemfile_versions.patch     |  76 +++++++
 www-apps/redmine/redmine-4.0.5.ebuild              | 224 +++++++++++++++++++++
 3 files changed, 301 insertions(+)