SQL injection and Persistent XSS in textile formatting

Bug #1853063 reported by Lucas Kanashiro
Affects                   Status         Importance   Assigned to
redmine (Ubuntu)          Fix Released   Undecided    Paulo Flabiano Smorigo
redmine (Ubuntu Precise)  Invalid        Undecided    Unassigned
redmine (Ubuntu Trusty)   Invalid        Undecided    Paulo Flabiano Smorigo
redmine (Ubuntu Xenial)   Fix Released   Undecided    Paulo Flabiano Smorigo

Bug Description

Two important CVEs were released and addressed by upstream:

* Redmine Defect #31520: Persistent XSS in textile formatting (CVE-2019-17427)
* Redmine Defect #32374: SQL injection vulnerability in Redmine < 3.4.0 (CVE-2019-18890)

Those vulnerabilities were fixed in version 3.3.10. Here is the upstream changelog: https://www.redmine.org/projects/redmine/wiki/Changelog_3_3

Here is the diff of my Debian Stretch security update: https://salsa.debian.org/ruby-team/redmine/compare/debian%2F3.3.1-4+deb9u2...debian%2F3.3.1-4+deb9u3

Lucas Kanashiro (lucaskanashiro) wrote :

This is my proposed debdiff to fix those CVEs in xenial.

Changed in redmine (Ubuntu):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Trusty):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Xenial):
assignee: nobody → Paulo Flabiano Smorigo (pfsmorigo)
Changed in redmine (Ubuntu Precise):
status: New → Invalid
Changed in redmine (Ubuntu Trusty):
status: New → Invalid
Paulo Flabiano Smorigo (pfsmorigo) wrote :

I just marked precise and trusty as invalid since they are out of standard support. Xenial version will be uploaded soon.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package redmine - 3.2.1-2ubuntu0.2

---------------
redmine (3.2.1-2ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: persistent XSS exists due to textile formatting
    - debian/patches/0020-Fix-CVE-2019-17427.patch: improve the way
      that html tags are identified to be escaped. (LP: #1853063)
    - CVE-2019-17427
    - https://www.cvedetails.com/cve/CVE-2019-17427/
    - Redmine Defect #31520
  * SECURITY UPDATE: SQL injection vulnerability
    - debian/patches/0021-Fix-CVE-2019-18890.patch: use map instead of each
      because it casts the values to integer and return a new array.
      (LP: #1853063)
    - CVE-2019-18890
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18890
    - Redmine Defect #32374

 -- Lucas Kanashiro <email address hidden> Mon, 18 Nov 2019 18:15:09 -0300

Changed in redmine (Ubuntu Xenial):
status: New → Fix Released
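The changelog entry above describes the SQL injection fix as "use map instead of each because it casts the values to integer and return a new array". The following is an added example, not Redmine's code or the patch itself: it reconstructs that bug class with a constructed parameter list and a hypothetical `in_clause` helper, so the difference between the two Array methods is visible.

```ruby
# Added example (not Redmine's code): reconstructs the Array#each vs Array#map
# defect class described in the changelog for CVE-2019-18890.

# Constructed request parameter: a list of ids taken straight from the query
# string. The last element is deliberately non-numeric to show why the cast
# matters.
REQUEST_IDS = ["1", "2", "3 junk"].freeze

# Buggy pattern: Array#each returns its receiver, so the result of to_i is
# thrown away and the original strings flow on unchanged.
def ids_buggy(params)
  ids = params.dup
  ids.each { |id| id.to_i } # cast result discarded; ids still holds strings
  ids
end

# Fixed pattern: Array#map returns a new array built from the block results,
# so every element is an Integer before it reaches any query.
def ids_fixed(params)
  params.map { |id| id.to_i }
end

# Hypothetical helper that interpolates ids into an IN clause, shown only to
# make the difference observable. Parameter binding remains the right default
# for anything user-controlled, regardless of the cast.
def in_clause(ids)
  "issue_id IN (#{ids.join(',')})"
end

# Defensive check a reviewer could add: refuse unless every id is an Integer.
def safe_ids?(ids)
  ids.all? { |id| id.is_a?(Integer) }
end

if __FILE__ == $PROGRAM_NAME
  puts in_clause(ids_buggy(REQUEST_IDS)) # issue_id IN (1,2,3 junk)
  puts in_clause(ids_fixed(REQUEST_IDS)) # issue_id IN (1,2,3)
end
```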
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hi Lucas, I published the new version with the fix. Thanks. I made two modifications in the changelog. The first was the version. Security updates use minor version naming, so 0.1, not 1. In this update I ended up using 0.2 because I made a mistake and had to upload the source again, so I burned 0.1. The other change was to add the LP number to it so Launchpad tracks it.

Lucas Kanashiro (lucaskanashiro) wrote :

Hey Paulo! Thanks for the fixes, I'll take more care next time regarding these details. I'm happy those fixes are released also in Ubuntu :-)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package redmine - 3.4.4-1ubuntu0.1

---------------
redmine (3.4.4-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: persistent XSS exists due to textile formatting
    - debian/patches/0020-Fix-CVE-2019-17427.patch: improve the way
      that html tags are identified to be escaped. (LP: #1853063)
    - CVE-2019-17427
    - https://www.cvedetails.com/cve/CVE-2019-17427/
    - Redmine Defect #31520

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 25 Nov 2019 20:17:10 +0000

Changed in redmine (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package redmine - 4.0.1-2ubuntu0.1

---------------
redmine (4.0.1-2ubuntu0.1) disco-security; urgency=medium

  * SECURITY UPDATE: persistent XSS exists due to textile formatting
    - debian/patches/0020-Fix-CVE-2019-17427.patch: improve the way
      that html tags are identified to be escaped. (LP: #1853063)
    - CVE-2019-17427
    - https://www.cvedetails.com/cve/CVE-2019-17427/
    - Redmine Defect #31520

 -- Paulo Flabiano Smorigo <email address hidden> Mon, 25 Nov 2019 20:20:08 +0000

Changed in redmine (Ubuntu):
status: New → Fix Released