Change logs for redmine source package in Artful

  • redmine (3.3.1-4+deb9u1build0.17.10.1) artful-security; urgency=medium
    
      * fake sync from Debian
    
    redmine (3.3.1-4+deb9u1) stretch-security; urgency=high
    
      * Fix CVE-2017-15568: XSS exists in app/helpers/application_helper.rb via a
        multi-value field with a crafted value that is mishandled during rendering
        of issue history.
      * Fix CVE-2017-15569: XSS exists in app/helpers/queries_helper.rb via a
        multi-value field with a crafted value that is mishandled during rendering
        of an issue list.
      * Fix CVE-2017-15570: XSS exists in app/views/timelog/_list.html.erb via
        crafted column data.
      * Fix CVE-2017-15571: XSS exists in app/views/issues/_list.html.erb via
        crafted column data.
      * Fix CVE-2017-15572: remote attackers can obtain sensitive information
        (password reset tokens) by reading a Referer log, because
        account/lost_password does not use a redirect.
      * Fix CVE-2017-15573: XSS exists because markup is mishandled in wiki
        content.
      * Fix CVE-2017-15574: stored XSS is possible by using an SVG document as an
        attachment.
      * Fix CVE-2017-15575: Redmine.pm lacks a check for whether the Repository
        module is enabled in a project's settings, which might allow remote
        attackers to obtain sensitive differences information or possibly have
        unspecified other impact.
      * Fix CVE-2017-15576: mishandle Time Entry rendering in activity views,
        which allows remote attackers to obtain sensitive information.
      * Fix CVE-2017-15577: mishandle the rendering of wiki links, which allows
        remote attackers to obtain sensitive information.
      * Fix CVE-2017-16804: the reminders function in app/models/mailer.rb does
        not check whether an issue is visible, which allows remote authenticated
        users to obtain sensitive information by reading e-mail reminder messages.
      * Fix CVE-2017-18026: do not block the --config and --debugger flags to
        the Mercurial hg program, which allows remote attackers to execute
        arbitrary commands (through the Mercurial adapter) via vectors involving a
        branch whose name begins with a --config= or --debugger= substring.
    
     -- Steve Beattie <email address hidden>  Thu, 03 May 2018 22:36:26 -0700
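The CVE-2017-18026 entry above describes a classic argument-injection defect: a user-controlled branch name reaching hg's argv in a position where hg reads it as a global option. The following is an added example written for this page, not code from Redmine, Debian or the Mercurial project; the function and constant names are hypothetical, and it shows the generic defensive check (reject option-like values, pass an argv array rather than a shell string) in Ruby, Redmine's language.

```ruby
# Added example (not Redmine's adapter code). Demonstrates the defensive
# pattern behind the CVE-2017-18026 fix in a generic form: a value taken
# from user or repository data must never be placed in hg's argv where hg
# could parse it as an option such as --config or --debugger.

class UnsafeArgument < StandardError; end

# True when hg would parse the value as an option rather than as data.
# Rejecting any leading '-' covers --config= and --debugger= as well as
# short options like -R.
def option_like?(value)
  value.to_s.start_with?("-")
end

# Builds the argv for listing the log of one branch. Returning an array
# (for Process.spawn / IO.popen in array form) bypasses the shell, so
# quoting characters are inert; option parsing is the only remaining
# hazard, which the check above addresses. Names are hypothetical.
def hg_branch_log_argv(repo_path, branch)
  if option_like?(branch)
    raise UnsafeArgument, "branch name #{branch.inspect} would be parsed as an hg option"
  end
  ["hg", "--repository", repo_path, "log", "--branch", branch]
end

# Audit helper: given branch names (for example from a repository listing),
# return those that would have been unsafe to pass through unchecked.
def suspicious_branches(names)
  names.select { |n| option_like?(n) }
end

# Constructed sample input; not taken from any real repository.
SAMPLE_BRANCHES = ["default", "feature/login",
                   "--config=example.key=value", "--debugger=1", "-R"].freeze

if __FILE__ == $0
  p hg_branch_log_argv("/srv/hg/project", "default")
  p suspicious_branches(SAMPLE_BRANCHES)
  begin
    hg_branch_log_argv("/srv/hg/project", "--debugger=1")
  rescue UnsafeArgument => e
    puts "rejected: #{e.message}"
  end
end
```

The same check applies to any other user-influenced value (tags, revisions, paths) handed to a version-control CLI, and a log of `UnsafeArgument` rejections is a useful detection signal.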
  • redmine (3.3.1-4) unstable; urgency=medium
    
      [ Antonio Terceiro ]
      * debian/tests/install-purge-install: let autopkgtest handle the first
        installation. This improves the reliability of the test because
        autopkgtest handles temporary download failures in APT for us.
    
      [ Jonatan Nyberg ]
      * Swedish translation update (Closes: #855367)
    
      [ Helge Kreutzmann ]
      * German translation update (Closes: #857527)
    
     -- Antonio Terceiro <email address hidden>  Tue, 07 Mar 2017 15:54:28 +0100