Summary: | www-apps/redmine: params parsing vulnerability (CVE-2013-0156) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Manuel Rüger (RETIRED) <mrueg>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | trivial | CC: | aidar.kamalov, aidecoe, axiator, beschindler, cruzki123, david, eugene.shalygin, jdavid.ibp, kevin.bowling, mathieu, matsuu, mjo, orzel, pva, sabel, yac
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.redmine.org/projects/redmine/wiki/Changelog | |
Whiteboard: | ~1 [noglsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 451078 | |
Bug Blocks: | | |
Attachments: | | |
Description
Manuel Rüger (RETIRED)
2012-06-01 10:38:07 UTC
Redmine 2.0.3 released 2012-06-18 for rails-3.2.6

Created attachment 317754
redmine version bump

This ebuild works for me to upgrade redmine.

I'm using passenger and got "no such file to load -- /var/lib/redmine/config/environment" after upgrade. Adding this option to the vhost helps:

PassengerDefaultUser redmine

If rails>=3.1, the new redmine needs the prototype-rails gem.

Redmine 1.4.5 and 2.1.3 were released on Nov 17th 2012
http://www.redmine.org/projects/redmine/wiki/Changelog_1_4
http://www.redmine.org/projects/redmine/wiki/Changelog

Redmine 2.2.0 released, see http://www.redmine.org/versions/56

I think the maintainers are no longer interested in this project :(

Sorry for the long long long delay. In cvs now.

The ebuild for redmine 2.2.0 doesn't build because it depends on ~dev-ruby/rails-3.2.9:3.2 which is not in portage, but changing it to ~dev-ruby/rails-3.2.10:3.2 fixes the problem. Also the ebuild depends on >=dev-ruby/rack-openid-0.2.1 but I can't find this package in the tree? Should I file separate bugs for these?

I've already filed a bug report if you don't mind. See https://bugs.gentoo.org/show_bug.cgi?id=451078

@mrueg do you care to reopen it with deps including bug above?

Reopening because of unresolved issues.

A bunch of updates was released a couple of days ago: 1.4.6, 2.1.6, 2.2.1. 2.2.1 has fixes for CVE-2013-0156.

Created attachment 336464
redmine-1.4.7.ebuild

Created attachment 336466
redmine-2.2.2.ebuild

For this ebuild you need another package rack-openid which is not in tree yet, but you can grab it from here: https://bugs.gentoo.org/show_bug.cgi?id=451078 Or simply grab all the stuff from my local repo at git://bonespirit.org/bonespirit.git

This is security critical.

Re-assigned to security@g.o such that this bug is at least tracked, I didn't spot the CVE code earlier so thanks for mentioning again; as far as I can see it is not clear whether MATSUU wants to continue maintaining the package. Raised importance to a better default as well, so this isn't seen as non-critical.

Our Redmine should not have been affected by CVE-2013-0156, but: https://bugs.gentoo.org/show_bug.cgi?id=451078#c2

Matsuu, please bump the ebuild or rev-bump and fix as Hans recommended.

More rails CVEs. Is there any reason to make this depend on a point release?

redmine 2.x has been broken in the tree since it was committed..

For those who are still using redmine 1.4.x, be aware that the 1.4 branch reached EOL and 1.4.7 is its last release. Here you can find a patch for it to fix CVE-2013-0333: http://www.redmine.org/news/78

This is pretty bad response time, shouldn't you remove it from the tree if nobody can update it?

http://www.redmine.org/news/81 Redmine 2.3.0 and 2.2.4 released on 2013-03-19

*** Bug 413837 has been marked as a duplicate of this bug. ***

1.4.7 and 2.2.4 are in the tree. Please, test it and report if there are any problems.

@security: there were no stable versions of redmine in the tree. Currently I think the bug can be resolved.

Vulnerable versions were dropped from the tree. Can this be closed? btw. I've just installed 2.2.4 and / renders fine for me.

Fixed versions in tree, affected gone. Closing noglsa.