Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 507052 (CVE-2014-1985) - <www-apps/redmine-2.4.5: Unspecified Open Redirection Weakness (CVE-2014-1985)
Summary: <www-apps/redmine-2.4.5: Unspecified Open Redirection Weakness (CVE-2014-1985)
Status: RESOLVED FIXED
Alias: CVE-2014-1985
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/57524/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-04-07 15:59 UTC by Agostino Sarubbo
Modified: 2016-08-11 11:17 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-04-07 15:59:22 UTC
From ${URL} :

Description

A weakness has been reported in Redmine, which can be exploited by malicious people to conduct spoofing 
attacks.

Certain unspecified input is not properly verified before being used to redirect users. This can be 
exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to 
the affected script hosted on a trusted domain.

The weakness is reported in versions prior to 2.5.1 and 2.4.5.


Solution:
Update to version 2.5.1 or 2.4.5.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.redmine.org/projects/redmine/wiki/Changelog
http://www.redmine.org/projects/redmine/wiki/Changelog_2_4


@maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Peter Volkov (RETIRED) gentoo-dev 2014-06-01 18:11:39 UTC
redmine-2.4.5.ebuild was added to the tree. Old and vulnerable versions dropped.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-06-01 19:19:54 UTC
CVE-2014-1985 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1985):
  Open redirect vulnerability in the redirect_back_or_default function in
  app/controllers/application_controller.rb in Redmine before 2.4.5 and 2.5.x
  before 2.5.1 allows remote attackers to redirect users to arbitrary web
  sites and conduct phishing attacks via a URL in the back url (back_url
  parameter).
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-01 19:20:54 UTC
(In reply to Peter Volkov from comment #1)
> redmine-2.4.5.ebuild was added to the tree. Old and vulnerable versions
> dropped.

Thank you, Peter. 

Closing noglsa for ~arch only.