[DRE-maint] Bug#990792: redmine: CVE-2021-31863 CVE-2021-31864 CVE-2021-31865 CVE-2021-31866

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 7 16:41:06 BST 2021 

Source: redmine
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redmine.

CVE-2021-31863[0]:
| Insufficient input validation in the Git repository integration of
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows Redmine users to read arbitrary local files accessible by the
| application server process.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20854


CVE-2021-31864[1]:
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows attackers to bypass the add_issue_notes permission requirement
| by leveraging the incoming mail handler.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20946


CVE-2021-31865[2]:
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows users to circumvent the allowed filename extensions of uploaded
| attachments.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20970


CVE-2021-31866[3]:
| Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to
| learn the values of internal authentication keys by observing timing
| differences in string comparison operations within SysController and
| MailHandlerController.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20962


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31863
[1] https://security-tracker.debian.org/tracker/CVE-2021-31864
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31864
[2] https://security-tracker.debian.org/tracker/CVE-2021-31865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31865
[3] https://security-tracker.debian.org/tracker/CVE-2021-31866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31866

Please adjust the affected versions in the BTS as needed.

More information about the Pkg-ruby-extras-maintainers mailing list