redmine (3.3.1-4+deb9u1build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian

redmine (3.3.1-4+deb9u1) stretch-security; urgency=high

  * Fix CVE-2017-15568: XSS exists in app/helpers/application_helper.rb via a
    multi-value field with a crafted value that is mishandled during rendering
    of issue history.
  * Fix CVE-2017-15569: XSS exists in app/helpers/queries_helper.rb via a
    multi-value field with a crafted value that is mishandled during rendering
    of an issue list.
  * Fix CVE-2017-15570: XSS exists in app/views/timelog/_list.html.erb via
    crafted column data.
  * Fix CVE-2017-15571: XSS exists in app/views/issues/_list.html.erb via
    crafted column data.
  * Fix CVE-2017-15572: remote attackers can obtain sensitive information
    (password reset tokens) by reading a Referer log, because
    account/lost_password does not use a redirect.
  * Fix CVE-2017-15573: XSS exists because markup is mishandled in wiki
    content.
  * Fix CVE-2017-15574: stored XSS is possible by using an SVG document as an
    attachment.
  * Fix CVE-2017-15575: Redmine.pm lacks a check for whether the Repository
    module is enabled in a project's settings, which might allow remote
    attackers to obtain sensitive differences information or possibly have
    unspecified other impact.
  * Fix CVE-2017-15576: mishandle Time Entry rendering in activity views,
    which allows remote attackers to obtain sensitive information.
  * Fix CVE-2017-15577: mishandle the rendering of wiki links, which allows
    remote attackers to obtain sensitive information.
  * Fix CVE-2017-16804: the reminders function in app/models/mailer.rb does
    not check whether an issue is visible, which allows remote authenticated
    users to obtain sensitive information by reading e-mail reminder messages.
  * Fix CVE-2017-18026: do not block the --config and --debugger flags to
    the Mercurial hg program, which allows remote attackers to execute
    arbitrary commands (through the Mercurial adapter) via vectors involving a
    branch whose name begins with a --config= or --debugger= substring.

 -- Steve Beattie <email address hidden>  Thu, 03 May 2018 22:36:26 -0700
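The CVE-2017-18026 entry above describes a classic argument-injection bug: a repository value controlled by a user (a branch name starting with `--config=` or `--debugger=`) is placed on the `hg` command line as a bare token, where the Mercurial option parser treats it as an option rather than data. The Ruby below is an added example, not Redmine's own adapter code or the patch the changelog refers to; it shows the generic defence a reviewer would expect: build an argv array (no shell), refuse any user-controlled token that looks like an option, and put `--` before positional operands so that `hg` stops option parsing there. The module and method names (`HgArgv`, `build`, `safe_operand?`, `ArgumentInjection`) are assumptions for this example.

```ruby
# Added example (not Redmine code): safely placing user-controlled values on an
# `hg` command line. Names below are hypothetical.
module HgArgv
  # Raised when a user-controlled value could be parsed as an hg option.
  class ArgumentInjection < ArgumentError; end

  CONTROL_CHARS = /[[:cntrl:]]/

  # A positional operand (branch name, path, revision) is acceptable only if it
  # cannot be mistaken for an option and carries no control characters.
  def self.safe_operand?(token)
    return false if token.nil? || token.empty?
    return false if token.start_with?('-')      # catches --config=..., --debugger, -R ...
    return false if token.match?(CONTROL_CHARS) # newlines etc. in a branch name
    true
  end

  def self.check_operand(token)
    raise ArgumentInjection, "rejected operand #{token.inspect}" unless safe_operand?(token)
    token
  end

  # Build argv for `hg -R <repo> <subcommand> [-- <operands>]`.
  # The result is meant for Process.spawn / Open3.capture2 with an array,
  # so no shell ever interprets it. Fixed options the application itself
  # chooses go before "--"; everything user-controlled goes after it.
  def self.build(repo_path, subcommand, operands: [])
    argv = ['hg', '-R', repo_path, subcommand]
    return argv if operands.empty?
    argv << '--' # hg stops option parsing here
    argv.concat(operands.map { |t| check_operand(t) })
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one ordinary branch name, one that mimics the
  # pattern named in the changelog.
  ['default', '--config=example'].each do |branch|
    begin
      p HgArgv.build('/srv/hg/project', 'log', operands: [branch])
    rescue HgArgv::ArgumentInjection => e
      puts "blocked: #{e.message}"
    end
  end
end
```

Rejecting the token is the part that matters even when `--` is available: options that take a value (`-b`, `-r`) cannot be protected by `--`, so the validation has to run before the value is placed anywhere on the command line.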