Your message dated Wed, 25 Jan 2023 01:19:51 +0000
with message-id <e1pkus7-001q4u...@fasolo.debian.org>
and subject line Bug#1026048: fixed in redmine 5.0.4-1
has caused the Debian Bug report #1026048,
regarding redmine: CVE-2022-44030 CVE-2022-44637 CVE-2022-44031
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1026048: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1026048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: redmine
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redmine.

CVE-2022-44030[0]:
| Redmine 5.x before 5.0.4 allows downloading of file attachments of any
| Issue or any Wiki page due to insufficient permission checks.
| Depending on the configuration, this may require login as a registered
| user.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2022-44637[1]:
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in
| its Textile formatter due to improper sanitization in Redcloth3
| Textile-formatted fields. Depending on the configuration, this may
| require login as a registered user.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

CVE-2022-44031[2]:
| Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in
| its Textile formatter due to improper sanitization of the blockquote
| syntax in Textile-formatted fields.

https://www.redmine.org/projects/redmine/wiki/Security_Advisories

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-44030
    https://www.cve.org/CVERecord?id=CVE-2022-44030
[1] https://security-tracker.debian.org/tracker/CVE-2022-44637
    https://www.cve.org/CVERecord?id=CVE-2022-44637
[2] https://security-tracker.debian.org/tracker/CVE-2022-44031
    https://www.cve.org/CVERecord?id=CVE-2022-44031

Please adjust the affected versions in the BTS as needed.

--- End Message ---
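The three advisories quoted in the report above each give a different affected range (5.x before 5.0.4 for CVE-2022-44030; before 4.2.9 and 5.0.x before 5.0.4 for the two XSS issues). The following is an added example, not code from the bug report, Redmine or Debian: it encodes exactly those ranges and tells you which CVEs a given Redmine version string falls under. The parser and its handling of Debian-style version strings (epoch, +dfsg suffix, -N revision) are this example's own assumptions.

```python
"""Map a Redmine version string onto the affected ranges quoted in
the three CVE entries above. Added example; not Redmine or Debian code."""
import re
from typing import Callable, Dict, List, Tuple

Version = Tuple[int, int, int]

# Matches an optional Debian epoch ("1:") followed by the dotted upstream
# part; anything after that (e.g. "+dfsg", "-1") is ignored, since the
# advisories are phrased in upstream version numbers. (assumption)
_UPSTREAM = re.compile(r"^(?:\d+:)?(\d+(?:\.\d+)*)")


def parse_version(s: str) -> Version:
    """'5.0.3', '5.0.4-1', '1:4.2.9+dfsg-1' -> (major, minor, patch)."""
    m = _UPSTREAM.match(s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad "5.0" to (5, 0, 0)
    return tuple(parts[:3])                    # type: ignore[return-value]


def _lt(v: Version, bound: Version) -> bool:
    return v < bound


# Affected-range predicates, transcribed from the CVE text in the report:
#   CVE-2022-44030: Redmine 5.x before 5.0.4
#   CVE-2022-44637: before 4.2.9, and 5.0.x before 5.0.4
#   CVE-2022-44031: before 4.2.9, and 5.0.x before 5.0.4
AFFECTED: Dict[str, Callable[[Version], bool]] = {
    "CVE-2022-44030": lambda v: (5, 0, 0) <= v and _lt(v, (5, 0, 4)),
    "CVE-2022-44637": lambda v: _lt(v, (4, 2, 9)) or ((5, 0, 0) <= v and _lt(v, (5, 0, 4))),
    "CVE-2022-44031": lambda v: _lt(v, (4, 2, 9)) or ((5, 0, 0) <= v and _lt(v, (5, 0, 4))),
}


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids (in advisory order) that apply to this version."""
    v = parse_version(version)
    return [cve for cve, hit in AFFECTED.items() if hit(v)]


def is_fixed(version: str) -> bool:
    """True when none of the three advisories applies."""
    return not affected_cves(version)


if __name__ == "__main__":
    for candidate in ("5.0.3", "5.0.4-1", "4.2.8", "4.2.9", "4.1.7+dfsg-1"):
        print(f"{candidate:>14}: {affected_cves(candidate) or 'not affected'}")
```

Run it with the output of your own install's version (for example from Redmine's /admin/info page) or the Debian package version from dpkg -l redmine. For Debian package versions the authoritative comparison is dpkg --compare-versions, and per-suite status lives in the security-tracker pages linked in the report; this helper only answers "does the upstream number fall in the quoted ranges".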
--- Begin Message ---
Source: redmine
Source-Version: 5.0.4-1
Done: Utkarsh Gupta <utka...@debian.org>

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1026...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Utkarsh Gupta <utka...@debian.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 16 Jan 2023 17:56:19 +0530
Source: redmine
Architecture: source
Version: 5.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Team <pkg-ruby-extras-maintain...@lists.alioth.debian.org>
Changed-By: Utkarsh Gupta <utka...@debian.org>
Closes: 1022818 1026048 1027340
Changes:
 redmine (5.0.4-1) unstable; urgency=medium
 .
   * New upstream version 5.0.4. (Closes: #1022818)
     - Fixes CVE-2022-44030, CVE-2022-44031, and CVE-2022-44637.
       (Closes: #1026048)
   * Refresh d/patches.
     - Keep mocha in Gemfile. (Closes: #1027340)
Checksums-Sha1:
 0152b93987b7a0041bccd752e4bb092ba53c7443 3332 redmine_5.0.4-1.dsc
 2cacdad65c92107403dc7825285a01af50193200 1882896 redmine_5.0.4.orig.tar.xz
 e458064ffd2bc776c05cedcbd543c44aff5ceedb 177588 redmine_5.0.4-1.debian.tar.xz
 ccdc33bae13e2141ecf6b9340d922e5eece842bd 14744 redmine_5.0.4-1_source.buildinfo
Checksums-Sha256:
 6991ec63107d539ab8c74bc55f27e22c2226450ba6b12d79f8fb0d211c5396f4 3332 redmine_5.0.4-1.dsc
 6fccf53629e8beaa6b0c5020a24f5c66acbb7b546d4e6f3fb62974d5e9274ec6 1882896 redmine_5.0.4.orig.tar.xz
 f7040db061abe1d6fb605656684b85d0de3f72a6e4fae2449818d492b0c77fb7 177588 redmine_5.0.4-1.debian.tar.xz
 71421f247fc45398b70e4d67f61e1896859512b70a7c0fe430a4a1a6d7e7a961 14744 redmine_5.0.4-1_source.buildinfo
Files:
 38267d0837057fb68a0b0b10a10ae1a5 3332 web optional redmine_5.0.4-1.dsc
 b260593aa05fd253f7742b856e061cde 1882896 web optional redmine_5.0.4.orig.tar.xz
 e85fdd7fe4524c542ced5a5ff041944f 177588 web optional redmine_5.0.4-1.debian.tar.xz
 6fe31958ee9d3f9972514397c9f4e416 14744 web optional redmine_5.0.4-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJHBAEBCAAxFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmPQf3cTHHV0a2Fyc2hA
ZGViaWFuLm9yZwAKCRCCPpZ2BsNLlvMnD/9Ud3wSR/KVsK5DeccOw5wFc3eOpBF+
3IOreSODb6+Q/4nsAIBFqf/IbgusLxwRatm/tQp9aQd6BjFIj0usYLHcltaMx8eW
tRyqzWfY0mpR1Z26m+tc1FgPCr2wnyre15zk/J1SwGgr2+JkoNSjY3nMwqGAKs44
vFGKweS2omkFKv6HNg0UiQm7m8wmiu5oEjFVbr+IVS1gZWJ7kfNCIxPQztJ4Zx8H
70cCUvHtRNwsbYaAyhH2d/bl9usonnhKlYLHw0HmtTZBYLWi9ca4kjtdjMMEXG21
jRgj00/U1N7vAS7pnF4ZpLJwf9I2cr0Z2NoA7dcr7Vdb7/P483OFezcKzD3GqrCa
7BFy9X7pUOvrFoUsywH7ZmYbPd4e3OQprEAlFmwVVP9r8K6PnODOr4ddLZsr9snK
fSvWsyJFCHwiRXqNHrvm2VH1om0pZvYCwg8clvGlHWEjkCqSnNdTtEpLPQcllBfy
x2WPRuH/YHXFnAAhWnd89khk3qEj42YhIIAtlorUk+d1U8XYbL0jE8P9o6vossOK
pBotN/ACukKfTttngqG8Zo0AJ5mbJFIMufCUUxGy0gY5NtkbgcsCJ+oQ+e9eTK6R
02bD1z9qXM4f9/c+hTOMacr8o1UuiUDLnD9LoRQZZ4cfvRLzJ+xNYi1QIlYIE1vk
qtrbr3muiEwZMw==
=dMN1
-----END PGP SIGNATURE-----

--- End Message ---
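The signed .changes text in the message above carries a Checksums-Sha256 stanza (one "digest size filename" entry per indented line) that lets you confirm a downloaded .dsc, orig tarball or debian tarball is the one the maintainer uploaded. What follows is an added example, not part of the bug report and not Debian's tooling: a small parser for that stanza plus a verifier that reports, per file, whether it is missing, the wrong size, the wrong hash, or good. The sample .changes text and the sample file contents in the block are constructed for the example; the digests in it are of those constructed contents, not of the real redmine 5.0.4-1 files.

```python
"""Parse a .changes Checksums-Sha256 stanza and verify files against it.
Added example; not dpkg/devscripts code. Field parsing follows the
RFC822-style layout shown in the signed message above (assumption)."""
import hashlib
import os
import re
from typing import Dict, List, NamedTuple


class ChecksumEntry(NamedTuple):
    digest: str   # lowercase hex sha256
    size: int     # bytes
    name: str     # bare filename, no directory component


_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def extract_field(changes_text: str, field: str) -> str:
    """Return the body of a multi-line field: its own line plus every
    following line that starts with whitespace, joined with spaces.
    Stops at the first non-indented line (the next field)."""
    body: List[str] = []
    collecting = False
    for line in changes_text.splitlines():
        if collecting:
            if line[:1] in (" ", "\t"):
                body.append(line.strip())
                continue
            break
        if line.startswith(field + ":"):
            collecting = True
            rest = line[len(field) + 1:].strip()
            if rest:
                body.append(rest)
    if not collecting:
        raise KeyError(f"field {field!r} not present")
    return " ".join(body)


def parse_checksums(changes_text: str) -> List[ChecksumEntry]:
    """Turn the Checksums-Sha256 stanza into validated entries."""
    tokens = extract_field(changes_text, "Checksums-Sha256").split()
    if len(tokens) % 3:
        raise ValueError("Checksums-Sha256 is not a list of (digest size name) triples")
    entries: List[ChecksumEntry] = []
    for digest, size, name in zip(*[iter(tokens)] * 3):
        if not _HEX64.match(digest):
            raise ValueError(f"bad sha256 digest for {name}: {digest!r}")
        if "/" in name or name in (".", ".."):
            raise ValueError(f"unsafe filename in stanza: {name!r}")
        entries.append(ChecksumEntry(digest, int(size), name))
    return entries


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(entries: List[ChecksumEntry], files: Dict[str, bytes]) -> Dict[str, str]:
    """Check each listed file; result is name -> ok / missing / size-mismatch / hash-mismatch.
    Size is checked first so a truncated download is reported as such."""
    status: Dict[str, str] = {}
    for e in entries:
        data = files.get(e.name)
        if data is None:
            status[e.name] = "missing"
        elif len(data) != e.size:
            status[e.name] = "size-mismatch"
        elif sha256_hex(data) != e.digest:
            status[e.name] = "hash-mismatch"
        else:
            status[e.name] = "ok"
    return status


def load_files(directory: str, entries: List[ChecksumEntry]) -> Dict[str, bytes]:
    """Read the listed files from a download directory (absent ones are skipped)."""
    found: Dict[str, bytes] = {}
    for e in entries:
        path = os.path.join(directory, e.name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found[e.name] = fh.read()
    return found


# Constructed sample: digests are sha256("abc") and sha256("") respectively.
SAMPLE_CHANGES = """\
Format: 1.8
Source: example
Version: 1.0-1
Checksums-Sha256:
 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad 3 example_1.0.orig.tar.xz
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example_1.0-1.dsc
Files:
 900150983cd24fb0d6963f7d28e17f72 3 web optional example_1.0.orig.tar.xz
"""
SAMPLE_FILES = {"example_1.0.orig.tar.xz": b"abc", "example_1.0-1.dsc": b""}

if __name__ == "__main__":
    for name, state in verify(parse_checksums(SAMPLE_CHANGES), SAMPLE_FILES).items():
        print(f"{state:>14}  {name}")
```

Matching hashes only prove the files you have are the ones the stanza describes; what makes the stanza itself trustworthy is the OpenPGP signature around it, which should be verified against the Debian keyring (dscverify from devscripts does both the signature and checksum checks, using /usr/share/keyrings/debian-keyring.gpg from the debian-keyring package) before any of the digests above are relied on.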
