Bug 717784 - www-apps/redmine: Multiple vulnerabilities
Summary: www-apps/redmine: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.redmine.org/projects/redm...
Whiteboard: ~4 [noglsa]
Keywords: PullRequest
Reported: 2020-04-17 03:50 UTC by Sam James
Modified: 2020-05-13 19:56 UTC
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 03:50:28 UTC
* XSS vulnerability due to missing back_url validation (#32850)
Fixed in: 4.1.1 and 4.0.7

* Persistent XSS vulnerabilities in textile inline links (#32934)
Fixed in: 4.1.1 and 4.0.7

* Time entries CSV export may disclose subjects of issues that are not visible
Fixed in: 4.1.1 and 4.0.7

* Improper markup sanitization in Textile formatting (#25742)
Fixed in: 4.0.6 and 3.4.13
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 03:51:14 UTC
@maintainer(s), please create an appropriate ebuild
Comment 2 Azamat H. Hackimov 2020-04-19 22:02:16 UTC
Hello.

Added PR: https://github.com/gentoo/gentoo/pull/15423
Comment 3 Larry the Git Cow gentoo-dev 2020-05-13 13:17:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dd07e304958f28de7853f10ead8b241bee88c3a4

commit dd07e304958f28de7853f10ead8b241bee88c3a4
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2020-04-19 21:51:23 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-13 13:16:46 +0000

    www-apps/redmine: remove old versions
    
    Remove old versions (#717784)
    Bug: https://bugs.gentoo.org/717784
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/15423
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest                          |   1 -
 .../files/redmine-4.0.5_gemfile_versions.patch     |  76 -------
 www-apps/redmine/redmine-4.0.5-r1.ebuild           | 228 ---------------------
 www-apps/redmine/redmine-4.0.5.ebuild              | 224 --------------------
 4 files changed, 529 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=92c5abf0c96deef57d16c4677b03437a49ad8628

commit 92c5abf0c96deef57d16c4677b03437a49ad8628
Author:     Azamat H. Hackimov <azamat.hackimov@gmail.com>
AuthorDate: 2020-04-19 21:29:35 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-13 13:16:46 +0000

    www-apps/redmine: update to 4.1.1 (security fix)
    
    Updated dependencies and supported USE_RUBY targets
    Closes: https://bugs.gentoo.org/710262
    Closes: https://bugs.gentoo.org/717518
    Closes: https://bugs.gentoo.org/717604
    Bug: https://bugs.gentoo.org/717784
    Package-Manager: Portage-2.3.89, Repoman-2.3.20
    Signed-off-by: Azamat H. Hackimov <azamat.hackimov@gmail.com>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 www-apps/redmine/Manifest             |   1 +
 www-apps/redmine/redmine-4.1.1.ebuild | 229 ++++++++++++++++++++++++++++++++++
 2 files changed, 230 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-13 19:56:59 UTC
All done. Thanks!