
Bug 692890

Summary: <www-apps/redmine-4.0.4: persistent XSS vulnerability in the Redmine Textile formatter
Product: Gentoo Security
Reporter: Jonas Stein <jstein>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: azamat.hackimov, jstein, proxy-maint
Priority: Normal
Keywords: PullRequest, SECURITY
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=677986
https://github.com/gentoo/gentoo/pull/12807
Whiteboard: ~4 [noglsa cve]
Package list:
Runtime testing required: ---

Description Jonas Stein gentoo-dev 2019-08-26 16:07:17 UTC
http://www.redmine.org/news/123

"Security: these 2 releases include a fix for a persistent XSS vulnerability found in the Redmine Textile formatter. This issue was discovered and reported to the security team by Глеб Будило and fixed by Holger Just on behalf of Planio. People who use Textile formatting should upgrade as soon as possible. Those who use Markdown or no text formatting are not vulnerable."

http://www.redmine.org/projects/redmine/wiki/Security_Advisories
Comment 1 Larry the Git Cow gentoo-dev 2019-12-08 08:41:23 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3d1200385e2bab7d8b2c4adc469819519f4470f

commit c3d1200385e2bab7d8b2c4adc469819519f4470f
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 18:16:25 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:06 +0000

    www-apps/redmine: remove vulnerable versions
    
    Closes: https://bugs.gentoo.org/692890
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Closes: https://github.com/gentoo/gentoo/pull/12807
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   2 -
 .../files/redmine-3.3.7_gemfile_versions.patch     |  44 ----
 .../files/redmine-3.4.5_gemfile_versions.patch     |  41 ----
 www-apps/redmine/redmine-3.3.7.ebuild              | 224 ---------------------
 www-apps/redmine/redmine-3.4.5.ebuild              | 224 ---------------------
 5 files changed, 535 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e163dc22eecc5f00721fa11ee1645b0079031301

commit e163dc22eecc5f00721fa11ee1645b0079031301
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2019-08-28 17:53:46 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2019-12-08 08:41:05 +0000

    www-apps/redmine: update to 4.0.5
    
    Implementing GLEP81, fixes #677986 and #692890.
    
    Fixes strict dependencies and adds additional fcgi gem (#657156), fixes
    error with /var/log/redmine permission changes. Clear Gemfile.lock in
    config phase to clean up and update dependencies (#660252).
    
    Closes: https://bugs.gentoo.org/677986
    Closes: https://bugs.gentoo.org/692890
    Closes: https://bugs.gentoo.org/657156
    Closes: https://bugs.gentoo.org/660252
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Package-Manager: Portage-2.3.69, Repoman-2.3.16
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   1 +
 .../files/redmine-4.0.5_gemfile_versions.patch     |  76 +++++++
 www-apps/redmine/redmine-4.0.5.ebuild              | 224 +++++++++++++++++++++
 3 files changed, 301 insertions(+)