Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 884793 (CVE-2022-39209, CVE-2022-44030, CVE-2022-44031, CVE-2022-44637) - <www-apps/redmine-{4.2.9, 5.0.4}: multiple vulnerabilities
Summary: <www-apps/redmine-{4.2.9, 5.0.4}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-39209, CVE-2022-44030, CVE-2022-44031, CVE-2022-44637
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://www.redmine.org/projects/redm...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2022-12-08 01:37 UTC by John Helmert III
Modified: 2022-12-24 07:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-08 01:37:02 UTC
Several vulnerabilities affecting Gentoo's versions of
redmine, including several XSS vulnerabilities and CVE-2022-44030:

"Redmine 5.x before 5.0.4 allows downloading of file attachments of
any Issue or any Wiki page due to insufficient permission
checks. Depending on the configuration, this may require login as a
registered user."

Please bump to 5.0.4 and 4.2.9.
Comment 1 Larry the Git Cow gentoo-dev 2022-12-24 07:42:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c88e7e9b7e2698e9bfad3df18d43d344a80a603d

commit c88e7e9b7e2698e9bfad3df18d43d344a80a603d
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-12-09 13:00:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-24 07:41:38 +0000

    www-apps/redmine: add 4.2.9, 5.0.4
    
    Fixes security issue CVE-2022-44030.
    
    Closes: https://bugs.gentoo.org/864827
    Bug: https://bugs.gentoo.org/884793
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/redmine/Manifest             |   2 +
 www-apps/redmine/redmine-4.2.9.ebuild | 240 ++++++++++++++++++++++++++++++++
 www-apps/redmine/redmine-5.0.4.ebuild | 254 ++++++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)