-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 12 Apr 2018 11:33:06 -0300
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 3.3.1-4+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Antonio Terceiro
Changed-By: Lucas Kanashiro
Description:
redmine - flexible project management web application
redmine-mysql - metapackage providing MySQL dependencies for Redmine
redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Changes:
redmine (3.3.1-4+deb9u1) stretch-security; urgency=high
.
* Fix CVE-2017-15568: XSS exists in app/helpers/application_helper.rb via a
multi-value field with a crafted value that is mishandled during rendering
of issue history.
* Fix CVE-2017-15569: XSS exists in app/helpers/queries_helper.rb via a
multi-value field with a crafted value that is mishandled during rendering
of an issue list.
* Fix CVE-2017-15570: XSS exists in app/views/timelog/_list.html.erb via
crafted column data.
* Fix CVE-2017-15571: XSS exists in app/views/issues/_list.html.erb via
crafted column data.
* Fix CVE-2017-15572: remote attackers can obtain sensitive information
(password reset tokens) by reading a Referer log, because
account/lost_password does not use a redirect.
* Fix CVE-2017-15573: XSS exists because markup is mishandled in wiki
content.
* Fix CVE-2017-15574: stored XSS is possible by using an SVG document as an
attachment.
* Fix CVE-2017-15575: Redmine.pm lacks a check for whether the Repository
module is enabled in a project's settings, which might allow remote
attackers to obtain sensitive differences information or possibly have
unspecified other impact.
* Fix CVE-2017-15576: mishandle Time Entry rendering in activity views,
which allows remote attackers to obtain sensitive information.
* Fix CVE-2017-15577: mishandle the rendering of wiki links, which allows
remote attackers to obtain sensitive information.
* Fix CVE-2017-16804: the reminders function in app/models/mailer.rb does
not check whether an issue is visible, which allows remote authenticated
users to obtain sensitive information by reading e-mail reminder messages.
* Fix CVE-2017-18026: do not block the --config and --debugger flags to
the Mercurial hg program, which allows remote attackers to execute
arbitrary commands (through the Mercurial adapter) via vectors involving a
branch whose name begins with a --config= or --debugger= substring.
Checksums-Sha1:
da546ce2f61e872c61e5c27414e1db568e993384 2826 redmine_3.3.1-4+deb9u1.dsc
2845e0111a25f0275514ec2a966e23657b9aa35f 2350320 redmine_3.3.1.orig.tar.gz
6da322855d80ff17ebf478ec4050d2b4405e96f6 248680 redmine_3.3.1-4+deb9u1.debian.tar.xz
0719eae3325995a20aade0c5e034e1ebf651ccd5 87482 redmine-mysql_3.3.1-4+deb9u1_all.deb
bbd07e3dc53a4756e9f0e39ba0a490d3bb32983d 87450 redmine-pgsql_3.3.1-4+deb9u1_all.deb
2e55b721563c23e8714f326db398d71981c213da 87426 redmine-sqlite_3.3.1-4+deb9u1_all.deb
44f3a0bf0a287157a9415407cc54b6af3e3a344c 1222442 redmine_3.3.1-4+deb9u1_all.deb
568a266f4388bb7fdd9bd6027dd1ee601e2cd8a1 9839 redmine_3.3.1-4+deb9u1_amd64.buildinfo
Checksums-Sha256:
6109e279da5c0f64ef97fa8ef3dec5e05ef2d84897ddc99484c0d519b7ef5e5c 2826 redmine_3.3.1-4+deb9u1.dsc
89c5a3ee1d1a3a956795fe253e4dc0c5de886f5495ddb2a0f8b6634a104c07c8 2350320 redmine_3.3.1.orig.tar.gz
241ff487e2255f4f978593cda8ea4dbfd2f53641c225575efdff81672a797026 248680 redmine_3.3.1-4+deb9u1.debian.tar.xz
2ee6117bc415bb508ec93b2aec20a57ee3a0a3e9e71305db7c68f0f15d9f2b91 87482 redmine-mysql_3.3.1-4+deb9u1_all.deb
8719e15c5bbfa16786193a24c30a42e552a0af58b01c42657bca104161a15372 87450 redmine-pgsql_3.3.1-4+deb9u1_all.deb
9b0398372409457c63b4279d5e63d010a86fb57813830ec5b3a58868a3662d3b 87426 redmine-sqlite_3.3.1-4+deb9u1_all.deb
81324e194a4ae438d25baf8158bb2340980ef485e9fd1f86ae0d710c419fd3f4 1222442 redmine_3.3.1-4+deb9u1_all.deb
c9eff628e574e4adda202967e1bc05ee1f1f76474472f0fac630d6b09c8ad28c 9839 redmine_3.3.1-4+deb9u1_amd64.buildinfo
Files:
6b554521ce057f389805cfe0adf0194c 2826 web extra redmine_3.3.1-4+deb9u1.dsc
bfa69f3bb3d1792d7a503e0d0c940349 2350320 web extra redmine_3.3.1.orig.tar.gz
18c7fcf1f0b1bfb22b80f3851481a7b2 248680 web extra redmine_3.3.1-4+deb9u1.debian.tar.xz
29a7e8aa8af2b858309d49c5e33eebde 87482 web extra redmine-mysql_3.3.1-4+deb9u1_all.deb
b99cc8f0b842e0570c1e361fe06dea62 87450 web extra redmine-pgsql_3.3.1-4+deb9u1_all.deb
99ab89410027c82918d933555801afe6 87426 web extra redmine-sqlite_3.3.1-4+deb9u1_all.deb
c3dd29aed02bde2c798c59bcc53f8340 1222442 web extra redmine_3.3.1-4+deb9u1_all.deb
1728712d9ea568dc47a948a5cdf19adc 9839 web extra redmine_3.3.1-4+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEjtbD+LrJ23/