redmine 3.3.1-4+deb9u1build0.17.10.1 source package in Ubuntu
Changelog
redmine (3.3.1-4+deb9u1build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian

redmine (3.3.1-4+deb9u1) stretch-security; urgency=high

  * Fix CVE-2017-15568: XSS exists in app/helpers/application_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of issue history.
  * Fix CVE-2017-15569: XSS exists in app/helpers/queries_helper.rb via a multi-value field with a crafted value that is mishandled during rendering of an issue list.
  * Fix CVE-2017-15570: XSS exists in app/views/timelog/_list.html.erb via crafted column data.
  * Fix CVE-2017-15571: XSS exists in app/views/issues/_list.html.erb via crafted column data.
  * Fix CVE-2017-15572: remote attackers can obtain sensitive information (password reset tokens) by reading a Referer log, because account/lost_password does not use a redirect.
  * Fix CVE-2017-15573: XSS exists because markup is mishandled in wiki content.
  * Fix CVE-2017-15574: stored XSS is possible by using an SVG document as an attachment.
  * Fix CVE-2017-15575: Redmine.pm lacks a check for whether the Repository module is enabled in a project's settings, which might allow remote attackers to obtain sensitive differences information or possibly have unspecified other impact.
  * Fix CVE-2017-15576: mishandle Time Entry rendering in activity views, which allows remote attackers to obtain sensitive information.
  * Fix CVE-2017-15577: mishandle the rendering of wiki links, which allows remote attackers to obtain sensitive information.
  * Fix CVE-2017-16804: the reminders function in app/models/mailer.rb does not check whether an issue is visible, which allows remote authenticated users to obtain sensitive information by reading e-mail reminder messages.
  * Fix CVE-2017-18026: do not block the --config and --debugger flags to the Mercurial hg program, which allows remote attackers to execute arbitrary commands (through the Mercurial adapter) via vectors involving a branch whose name begins with a --config= or --debugger= substring.

 -- Steve Beattie <email address hidden>  Thu, 03 May 2018 22:36:26 -0700
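The CVE-2017-18026 entry above describes option injection rather than shell injection: a branch name is handed to hg as one argv element, and hg's own option parser treats any element that begins with "-" and precedes a "--" separator as a global option, so a branch literally named --config=... can set a hook or alias that runs a program. The following is an added example written for this page, not Redmine's Mercurial adapter code; the HgArgv module, its method names, the use of "hg update" as the command, the repository path and the hostile branch name are all hypothetical and constructed for illustration. It shows a builder with the weakness beside a hardened one and a check that flags the smuggled flag.

```ruby
require 'open3'

# Added example, not Redmine's Mercurial adapter: how a branch name taken from
# repository data reaches hg's argv, and why "no shell" is not enough.
# Module, method and repository path names are hypothetical.
module HgArgv
  class UnsafeArgument < ArgumentError; end

  # The two global hg options named in CVE-2017-18026. --config can set hooks
  # and aliases that run arbitrary programs; --debugger starts hg's debugger.
  DANGEROUS_PREFIXES = %w[--config --debugger].freeze

  # Vulnerable builder: the branch name is appended as a bare positional.
  # Open3 runs this without a shell, so quoting is irrelevant, but hg itself
  # parses every argv element before "--" as an option if it starts with "-".
  def self.vulnerable_update(repo, branch)
    ['hg', '-R', repo, 'update', branch]
  end

  # Hardened builder: reject option-looking values outright, then end option
  # parsing with "--" so hg treats what follows as positional no matter what.
  def self.hardened_update(repo, branch)
    assert_positional!(branch)
    ['hg', '-R', repo, 'update', '--', branch]
  end

  def self.assert_positional!(value)
    raise UnsafeArgument, 'empty argument' if value.empty?
    raise UnsafeArgument, "option-like argument #{value.inspect}" if value.start_with?('-')
    value
  end

  # Detection helper: does any element before the "--" separator look like
  # one of the dangerous global flags (bare, or in --flag=value form)?
  def self.injects_global_flag?(argv)
    argv.drop(1).take_while { |arg| arg != '--' }.any? do |arg|
      DANGEROUS_PREFIXES.any? { |p| arg == p || arg.start_with?("#{p}=") }
    end
  end

  # Runs an already-built argv without a shell, refusing anything that would
  # smuggle a global flag. Returns [stdout, stderr, status].
  def self.run(argv)
    raise UnsafeArgument, "refusing #{argv.inspect}" if injects_global_flag?(argv)
    Open3.capture3(*argv)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed hostile branch name: installs a Mercurial hook that runs "id".
  hostile = '--config=hooks.pre-update=id'
  puts HgArgv.vulnerable_update('/srv/hg/proj', hostile).inspect
  puts HgArgv.injects_global_flag?(HgArgv.vulnerable_update('/srv/hg/proj', hostile))
  begin
    HgArgv.hardened_update('/srv/hg/proj', hostile)
  rescue HgArgv::UnsafeArgument => e
    puts "rejected: #{e.message}"
  end
  puts HgArgv.hardened_update('/srv/hg/proj', 'stable').inspect
end
```

The "--" separator only protects positionals; a value consumed by an option such as -r is taken as that option's argument whatever it looks like, so for those the leading-dash rejection in assert_positional! is the check that matters. Passing an argv array to Open3 or Kernel#system avoids the shell entirely and should be kept, but as the vulnerable builder shows it does nothing against the target program's own option parsing.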
Upload details
- Uploaded by:
- Steve Beattie
- Uploaded to:
- Artful
- Original maintainer:
- Antonio Terceiro
- Architectures:
- all
- Section:
- web
- Urgency:
- Very Urgent
Downloads
File | Size | SHA-256 Checksum |
---|---|---|
redmine_3.3.1.orig.tar.gz | 2.2 MiB | 89c5a3ee1d1a3a956795fe253e4dc0c5de886f5495ddb2a0f8b6634a104c07c8 |
redmine_3.3.1-4+deb9u1build0.17.10.1.debian.tar.xz | 243.0 KiB | d41583c24b45e1f94ff39b6c8de1c0b1a67e69d07f3f8555d611a984990e29e2 |
redmine_3.3.1-4+deb9u1build0.17.10.1.dsc | 2.8 KiB | bd7a95b087f83549547dab2b5504b1cae99687cf99448e18c83efe9aae40b174 |
Binary packages built by this source
- redmine
- redmine-mysql
- redmine-pgsql
- redmine-sqlite
(no summary or description available for these packages in ubuntu artful)