Summary: | <www-apps/redmine{3.2.9,3.3.6,3.4.3}: remote execution of arbitrary commands through the Mercurial adapter | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Azamat H. Hackimov <azamat.hackimov> |
Component: | Current packages | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | trivial | CC: | azamat.hackimov, jstein, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/gentoo/gentoo/pull/6520 | ||
Whiteboard: | ~1 [noglsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Azamat H. Hackimov
2018-01-12 15:24:32 UTC
CVE-2017-18026 (https://nvd.nist.gov/vuln/detail/CVE-2017-18026): Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring, a related issue to CVE-2017-17536. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6edaba168aac7d45d58d0c4797c7a7a3d438cd88 commit 6edaba168aac7d45d58d0c4797c7a7a3d438cd88 Author: Azamat H. Hackimov <azamat.hackimov@gmail.com> AuthorDate: 2018-01-25 23:43:46 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-01-26 00:19:53 +0000 www-apps/redmine: bump to 3.2.9, 3.3.6, 3.4.3 Closes remote vulnerability CVE-2017-18026 (#644314). Closes: https://github.com/gentoo/gentoo/pull/6520 Bug: https://bugs.gentoo.org/644314 Package-Manager: Portage-2.3.13, Repoman-2.3.3 www-apps/redmine/Manifest | 6 +++--- www-apps/redmine/{redmine-3.2.8.ebuild => redmine-3.2.9.ebuild} | 2 +- www-apps/redmine/{redmine-3.3.5.ebuild => redmine-3.3.6.ebuild} | 2 +- www-apps/redmine/{redmine-3.4.3.ebuild => redmine-3.4.4.ebuild} | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-)} |