SQL injection and Persistent XSS in textile formatting
Bug #1853063 reported by Lucas Kanashiro
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| redmine (Ubuntu) | Fix Released | Undecided | Paulo Flabiano Smorigo | |
| Precise | Invalid | Undecided | Unassigned | |
| Trusty | Invalid | Undecided | Paulo Flabiano Smorigo | |
| Xenial | Fix Released | Undecided | Paulo Flabiano Smorigo | |
Bug Description
Two important CVEs were released and addressed by upstream:
* Redmine Defect #31520: Persistent XSS in textile formatting (CVE-2019-17427)
* Redmine Defect #32374: SQL injection vulnerability in Redmine < 3.4.0 (CVE-2019-18890)
Those vulnerabilities were fixed in version 3.3.10. Here is the upstream changelog: https:/
Here is the diff of my Debian Stretch security update: https:/
Changed in redmine (Ubuntu): assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Trusty): assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Xenial): assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Precise): status: New → Invalid
Changed in redmine (Ubuntu Trusty): status: New → Invalid
This is my proposed debdiff to fix those CVEs in xenial.