[DRE-maint] Bug#608397: redmine: security issues in 1.0.1 (fixed in 1.0.5)

Jérémy Lal kapouer at melix.org
Wed Feb 23 14:04:10 UTC 2011


Hi,

Redmine package 1.0.1-1 is affected by several security issues:
* Info leak in journals controller
* Persistent XSS in wiki
* Command Execution in SCM adapter

I prefer not to disclose the full description here.
Ask me if needed, or find it in the encrypted email I sent to
the security team (05/01/2011 00:58).

Could you consider either of the following?

1. Propose an update to redmine 1.0.5-1

It's been a while in testing, and is a good candidate for a
proposed update, fixing the issues.


2. Use the attached security update

The diff to redmine-1.0.1-2 is attached. It backports only the security fixes,
and I verified it does not introduce new bugs.


Best regards,
Jérémy Lal

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: redmine_1.0.1-1_1.0.1-2.debdiff
URL: <http://lists.alioth.debian.org/pipermail/pkg-ruby-extras-maintainers/attachments/20110223/dcf27a39/attachment.txt>