Your message dated Tue, 12 Apr 2022 10:04:14 +0000
with message-id <[email protected]>
and subject line Bug#990792: fixed in redmine 5.0.0-1
has caused the Debian Bug report #990792,
regarding redmine: CVE-2021-31863 CVE-2021-31864 CVE-2021-31865 CVE-2021-31866
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
990792: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990792
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: redmine
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redmine.

CVE-2021-31863[0]:
| Insufficient input validation in the Git repository integration of
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows Redmine users to read arbitrary local files accessible by the
| application server process.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20854


CVE-2021-31864[1]:
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows attackers to bypass the add_issue_notes permission requirement
| by leveraging the incoming mail handler.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20946


CVE-2021-31865[2]:
| Redmine before 4.0.9, 4.1.x before 4.1.3, and 4.2.x before 4.2.1
| allows users to circumvent the allowed filename extensions of uploaded
| attachments.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20970


CVE-2021-31866[3]:
| Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to
| learn the values of internal authentication keys by observing timing
| differences in string comparison operations within SysController and
| MailHandlerController.

https://www.redmine.org/news/131
https://www.redmine.org/projects/redmine/repository/revisions/20962


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-31863
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31863
[1] https://security-tracker.debian.org/tracker/CVE-2021-31864
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31864
[2] https://security-tracker.debian.org/tracker/CVE-2021-31865
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31865
[3] https://security-tracker.debian.org/tracker/CVE-2021-31866
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31866

Please adjust the affected versions in the BTS as needed.

--- End Message ---
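Editor's note on CVE-2021-31866 above. The advisory says an attacker could learn internal authentication keys "by observing timing differences in string comparison operations". The mechanism is the classic early-exit compare: a comparison that stops at the first mismatching byte takes time proportional to how long the correct prefix is, so an attacker who can measure that time can recover the key one byte at a time. The Ruby below is an added illustration written for this page; it is not Redmine code and does not reproduce the actual SysController or MailHandlerController logic. The key value, the hex alphabet and the oracle that returns "bytes examined" instead of wall-clock time are all constructed assumptions so the example runs deterministically offline (a real attack would have to measure network latency and average out noise). Rails ships ActiveSupport::SecurityUtils.secure_compare for this purpose; the hand-written constant_time_compare here shows what such a function must do.

```ruby
# Added example (not Redmine code): early-exit vs constant-time key comparison.

# Simulates an early-exit comparison. Returns [matched?, bytes_examined];
# bytes_examined stands in for the timing an attacker would observe.
# Note: this models the leak conceptually; MRI's String#== is not
# guaranteed to behave exactly this way.
def naive_compare(secret, guess)
  return [false, 0] if secret.bytesize != guess.bytesize
  secret.bytes.zip(guess.bytes).each_with_index do |(a, b), i|
    return [false, i + 1] if a != b   # stops at first mismatch: the leak
  end
  [true, secret.bytesize]
end

# Constant-time comparison: always walks the full length of the secret and
# folds every byte difference into one accumulator, so the work done does
# not depend on where (or whether) the guess diverges from the secret.
def constant_time_compare(secret, guess)
  s = secret.b
  g = guess.b
  length_ok = s.bytesize == g.bytesize
  g = s unless length_ok              # keep the loop count tied to the secret
  diff = 0
  s.bytes.each_with_index { |byte, i| diff |= byte ^ g.getbyte(i) }
  [diff.zero? && length_ok, s.bytesize]
end

# Constructed assumption: keys are lowercase hex (Redmine API keys are hex,
# but the real ones are 40 characters; 8 keeps the demo fast).
HEX = ('0'..'9').to_a + ('a'..'f').to_a

# Attacker: for each position, try every hex digit and keep the one whose
# comparison "ran longest". oracle.call(guess) -> [matched?, bytes_examined].
def recover_key(oracle, length)
  known = ''
  length.times do
    best = HEX.max_by do |c|
      probe = known + c + '0' * (length - known.size - 1)
      ok, examined = oracle.call(probe)
      ok ? length + 1 : examined      # a full match beats any partial prefix
    end
    known << best
  end
  known
end

if __FILE__ == $0
  secret = '3f9a0c7e'   # constructed sample key
  leaky  = recover_key(->(g) { naive_compare(secret, g) }, secret.size)
  safe   = recover_key(->(g) { constant_time_compare(secret, g) }, secret.size)
  puts "early-exit compare:    recovered #{leaky} (#{leaky == secret ? 'FULL KEY' : 'miss'})"
  puts "constant-time compare: recovered #{safe} (#{safe == secret ? 'FULL KEY' : 'miss'})"
end
```

Against the early-exit oracle the attacker recovers the whole key with 16 probes per byte instead of 16^length; against the constant-time version every probe looks identical and the search degenerates to guessing. The same reasoning applies to any secret compared with a plain `==`: API keys, webhook tokens, HMAC tags.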
--- Begin Message ---
Source: redmine
Source-Version: 5.0.0-1
Done: Marc Dequènes (Duck) <[email protected]>

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <[email protected]> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 12 Apr 2022 18:39:20 +0900
Source: redmine
Architecture: source
Version: 5.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <[email protected]>
Changed-By: Marc Dequènes (Duck) <[email protected]>
Closes: 952417 956365 961630 969206 986800 988449 990792 998417
Changes:
 redmine (5.0.0-1) unstable; urgency=medium
 .
   * New upstream version: (Closes: #990792, #998417, #986800, #956365,
     #969206, #961630)
     + updated Files-Excluded.
     + refreshed/adapted patches.
     + removed gantt_jquery3_fix.patch, applied upstream.
     + removed openid_optional.patch, OpenID support removed.
     + removed openid_hardcoded.patch, OpenID support removed.
     + update missing source.
   * Fix import issue with tmp directory (Thanks Andre Heider) (Closes:
     #952417).
   * Bumped Standards-Version to 4.6.0 (no changes required).
   * Minor package updates suggested by dh-make-ruby.
   * Add upstream metadata.
   * Switch to watch format 4.
   * Update watch URL.
   * Ensure database choice matches installed redmine-<db> packages.
   * Set Rules-Requires-Root to 'no'.
   * Remove obsolete Breaks and Conflicts.
   * Update lintian overrides.
   * Fix Passenger restart file location in example Apache config (thanks
     Pierre-Louis Bonicoli).
   * doc: async_smtp method was removed in 4.0.0.
   * Add lintian overrides for doc included in the UI.
   * Update copyright info.
   * Enable test suite at build time (courtesy of Emilio Pozuelo Monfort)
     (Closes: #988449).
Checksums-Sha1:
 66e677e577b8a2e073dd42f97ce12b6a91eb4184 3278 redmine_5.0.0-1.dsc
 a7e6773372172f5ecccec75293cbf51ebd4ba541 1927476 redmine_5.0.0.orig.tar.xz
 fc312ae2c3dfdbcb9b9c95b6c63034bb81dbfae2 176508 redmine_5.0.0-1.debian.tar.xz
 00400c272d1b981bbbf838ce728d93d95295d7dc 13704 redmine_5.0.0-1_amd64.buildinfo
Checksums-Sha256:
 3c8eb6c25c778c4107527b4756fdd383c41c91f3dba8f38177820b8db8569d3c 3278 redmine_5.0.0-1.dsc
 a207362260a1afd53fe3b66743bfe261030a5a4f94c494dcfe3010cfef1a6d58 1927476 redmine_5.0.0.orig.tar.xz
 db814beff77ecadfacc5d0504907c824c96334ae33943e00657b0d834cd45623 176508 redmine_5.0.0-1.debian.tar.xz
 c970a7899b1466ac1ec4ed8c2277876f4d9be568f23307c3b7fbab62a228c961 13704 redmine_5.0.0-1_amd64.buildinfo
Files:
 e48d66ba3cb27a410e841365080fd626 3278 web optional redmine_5.0.0-1.dsc
 2582478f361a36c7a24853e3d431725f 1927476 web optional redmine_5.0.0.orig.tar.xz
 f19c8a21552f5b6b30b0fefe1eabd905 176508 web optional redmine_5.0.0-1.debian.tar.xz
 84788dd4a85919d6b9ed7bf85259164f 13704 web optional redmine_5.0.0-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEcpcqg+UmRT3yiF+BVen596wcRD8FAmJVSl0ACgkQVen596wc
RD8g7g//TFEd00aEmkpTdCgWrob8qwOrWBO9QvKQKSrYuQY5xtED1zS+IB2UUlIE
Wk9RDIk4yOmtdQISx4W6DQgMfp+IVYPPZ7GM0IqE8JLPs67+pQWknsO4nTna7EsJ
I+gCQYhLB2loZhPPcKjwGomTo0y1OsJ7bImVEMcy7r4CoWMJ44zVdqvdOquyKO+W
+4T49NTXKBW4GO++CdUuwg/jDYW9YdfV1MMiY8YqhFWbS09mkpJwL6qX1skbVCZC
9S0/CDA4Yfz6NWzXNpvzCaA7x9L3+PhFCQHXs9Jc6V0/W9jCV6ORiU+6S8WODqwq
FNNPu2MTbH133Zt4bCf3lFn43SApipFazXVzHidIW7JkszDD8wOmx+l3QSHMICIS
O4ULmSE0Tjs2TPFU71Tz9ploNPyUKVjww1rFRN521BS2IwBV6naoCCxDUPUNwkBG
lq85qd3BvSkZAzCRpGjOdGsH731YUXo0UKs+Pd28m8uZ9VRq5Q4q8tvkE/eEilN/
3BJ50GKCEt2V5+mh6rjjEwgjK+H5lXRpB/a54vD1NBlqObHGZKPLKeBHnyMLnEuN
uZ9EMxt7X7LF8nwDfZfidFr2kgQm/7T5y1CVHHPY5L1B/CBZjyvT3KxyhVdRWRPB
w492khPeg9qhll0hnKsup4tEFwsQjRTyl7aeKSLv7QQY28/P/Gk=
=D561
-----END PGP SIGNATURE-----

--- End Message ---