redmine 3.3.1-4+deb9u1build0.17.10.1 source package in Ubuntu

Changelog

redmine (3.3.1-4+deb9u1build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian

redmine (3.3.1-4+deb9u1) stretch-security; urgency=high

  * Fix CVE-2017-15568: XSS exists in app/helpers/application_helper.rb via a
    multi-value field with a crafted value that is mishandled during rendering
    of issue history.
  * Fix CVE-2017-15569: XSS exists in app/helpers/queries_helper.rb via a
    multi-value field with a crafted value that is mishandled during rendering
    of an issue list.
  * Fix CVE-2017-15570: XSS exists in app/views/timelog/_list.html.erb via
    crafted column data.
  * Fix CVE-2017-15571: XSS exists in app/views/issues/_list.html.erb via
    crafted column data.
  * Fix CVE-2017-15572: remote attackers can obtain sensitive information
    (password reset tokens) by reading a Referer log, because
    account/lost_password does not use a redirect.
  * Fix CVE-2017-15573: XSS exists because markup is mishandled in wiki
    content.
  * Fix CVE-2017-15574: stored XSS is possible by using an SVG document as an
    attachment.
  * Fix CVE-2017-15575: Redmine.pm lacks a check for whether the Repository
    module is enabled in a project's settings, which might allow remote
    attackers to obtain sensitive differences information or possibly have
    unspecified other impact.
  * Fix CVE-2017-15576: mishandle Time Entry rendering in activity views,
    which allows remote attackers to obtain sensitive information.
  * Fix CVE-2017-15577: mishandle the rendering of wiki links, which allows
    remote attackers to obtain sensitive information.
  * Fix CVE-2017-16804: the reminders function in app/models/mailer.rb does
    not check whether an issue is visible, which allows remote authenticated
    users to obtain sensitive information by reading e-mail reminder messages.
  * Fix CVE-2017-18026: do not block the --config and --debugger flags to
    the Mercurial hg program, which allows remote attackers to execute
    arbitrary commands (through the Mercurial adapter) via vectors involving a
    branch whose name begins with a --config= or --debugger= substring.

 -- Steve Beattie <email address hidden>  Thu, 03 May 2018 22:36:26 -0700

Upload details

Uploaded by:
Steve Beattie
Uploaded to:
Artful
Original maintainer:
Antonio Terceiro
Architectures:
all
Section:
web
Urgency:
Very Urgent

Publishing

Builds

Artful: [FULLYBUILT] amd64

Downloads

File Size SHA-256 Checksum
redmine_3.3.1.orig.tar.gz 2.2 MiB 89c5a3ee1d1a3a956795fe253e4dc0c5de886f5495ddb2a0f8b6634a104c07c8
redmine_3.3.1-4+deb9u1build0.17.10.1.debian.tar.xz 243.0 KiB d41583c24b45e1f94ff39b6c8de1c0b1a67e69d07f3f8555d611a984990e29e2
redmine_3.3.1-4+deb9u1build0.17.10.1.dsc 2.8 KiB bd7a95b087f83549547dab2b5504b1cae99687cf99448e18c83efe9aae40b174

Binary packages built by this source

redmine: No summary available for redmine in ubuntu artful.

No description available for redmine in ubuntu artful.

redmine-mysql: No summary available for redmine-mysql in ubuntu artful.

No description available for redmine-mysql in ubuntu artful.

redmine-pgsql: No summary available for redmine-pgsql in ubuntu artful.

No description available for redmine-pgsql in ubuntu artful.

redmine-sqlite: No summary available for redmine-sqlite in ubuntu artful.

No description available for redmine-sqlite in ubuntu artful.