Bug 884793 (CVE-2022-39209, CVE-2022-44030, CVE-2022-44031, CVE-2022-44637)

Summary:	<www-apps/redmine-{4.2.9, 5.0.4}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	azamat.hackimov, proxy-maint
Priority:	Normal	Keywords:	PullRequest
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.redmine.org/projects/redmine/wiki/Security_Advisories
See Also:	https://github.com/gentoo/gentoo/pull/28612
Whiteboard:	~4 [noglsa]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2022-12-08 01:37:02 UTC

Several vulnerabilities affecting Gentoo's versions of
redmine, including several XSS vulnerabilities and CVE-2022-44030:

"Redmine 5.x before 5.0.4 allows downloading of file attachments of
any Issue or any Wiki page due to insufficient permission
checks. Depending on the configuration, this may require login as a
registered user."

Please bump to 5.0.4 and 4.2.9.

Comment 1 Larry the Git Cow gentoo-dev

2022-12-24 07:42:46 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c88e7e9b7e2698e9bfad3df18d43d344a80a603d

commit c88e7e9b7e2698e9bfad3df18d43d344a80a603d
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2022-12-09 13:00:06 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-24 07:41:38 +0000

    www-apps/redmine: add 4.2.9, 5.0.4
    
    Fixes security issue CVE-2022-44030.
    
    Closes: https://bugs.gentoo.org/864827
    Bug: https://bugs.gentoo.org/884793
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Sam James <sam@gentoo.org>

 www-apps/redmine/Manifest             |   2 +
 www-apps/redmine/redmine-4.2.9.ebuild | 240 ++++++++++++++++++++++++++++++++
 www-apps/redmine/redmine-5.0.4.ebuild | 254 ++++++++++++++++++++++++++++++++++
 3 files changed, 496 insertions(+)