redmine: CVE-2015-8346: Data disclosure on the time logging form

Related Vulnerabilities: CVE-2015-8346   CVE-2015-8473   CVE-2015-8537  

Debian Bug report logs - #806376
redmine: CVE-2015-8346: Data disclosure on the time logging form


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 26 Nov 2015 19:09:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in versions redmine/1.0.1-1, redmine/1.0.1-2, redmine/3.0~20140825-8

Fixed in versions redmine/1.0.1-2+deb6u11, redmine/3.2.0-1, redmine/3.0~20140825-8~deb8u2

Done: Antonio Terceiro <terceiro@debian.org>

Bug is archived. No further changes may be made.
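The "Found in" and "Fixed in" lists above only make sense under dpkg's version ordering, and that ordering has a trap: the jessie security fix 3.0~20140825-8~deb8u2 sorts below the vulnerable 3.0~20140825-8, because "~" sorts before anything else, including the end of the string. A naive "installed >= some fixed version" check therefore reports the vulnerable jessie package as fixed. The following is an added example, not part of this bug report or of the Debian tooling: it reimplements dpkg's version comparison in Python and classifies an installed redmine version against the versions listed in this report. The found/fixed data is copied from the report header; the classification rule (a version is fixed only if the newest fixed version at or below it is newer than the newest found version at or below it) is this example's own reading of how debbugs reasons about found/fixed versions, and the function names are the example's own.

```python
# Added example: dpkg-style version ordering and a found/fixed check for #806376.
# Version lists copied from the bug header; everything else is this example's own.
FOUND_IN = ["redmine/1.0.1-1", "redmine/1.0.1-2", "redmine/3.0~20140825-8"]
FIXED_IN = ["redmine/1.0.1-2+deb6u11", "redmine/3.2.0-1",
            "redmine/3.0~20140825-8~deb8u2"]


def _order(c):
    """Sort weight of one non-digit character, as in dpkg's vercmp."""
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string (0)
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256    # '+', '.', etc. sort after letters


def _verrevcmp(a, b):
    """Compare two version fragments (upstream part or revision) dpkg-style."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character; a missing character weighs 0,
        # so "8" > "8~deb8u2" but "8" < "8+deb6u11".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1       # a has more significant digits -> larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return (c > 0) - (c < 0)
    return 0


def bug_status(installed, found=FOUND_IN, fixed=FIXED_IN):
    """Classify an installed version as 'vulnerable', 'fixed' or 'unknown'.

    Rule (this example's reading of debbugs' found/fixed logic): compare the
    newest found version and the newest fixed version that are <= installed;
    the package is fixed only if that fixed version is the newer of the two.
    Versions older than every found version are 'unknown'.
    """
    def newest_at_most(candidates):
        best = None
        for v in (c.split("/", 1)[-1] for c in candidates):   # drop "redmine/"
            if compare_versions(v, installed) <= 0 and \
                    (best is None or compare_versions(v, best) > 0):
                best = v
        return best

    found_max = newest_at_most(found)
    fixed_max = newest_at_most(fixed)
    if found_max is None:
        return "unknown"
    if fixed_max is not None and compare_versions(fixed_max, found_max) > 0:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ["1.0.1-2", "1.0.1-2+deb6u11", "3.0~20140825-8",
              "3.0~20140825-8~deb8u2", "3.2.0-2"]:
        print(f"{v:26} {bug_status(v)}")
```

Run it and the jessie pair comes out the right way round: 3.0~20140825-8 is vulnerable and 3.0~20140825-8~deb8u2 is fixed, even though the former compares greater. The same limitation the BTS has applies here: a version the report never mentions (say an intermediate deb8u1 build) is classified from its neighbours only, so the found/fixed lists must be kept complete for the answer to be trustworthy.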



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#806376; Package src:redmine. (Thu, 26 Nov 2015 19:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Jérémy Lal <kapouer@melix.org>. (Thu, 26 Nov 2015 19:09:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redmine: CVE-2015-8346: Data disclosure on the time logging form
Date: Thu, 26 Nov 2015 20:04:15 +0100
Source: redmine
Version: 3.0~20140825-8
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for redmine.

CVE-2015-8346[0]:
Data disclosure on the time logging form

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8346
[1] https://github.com/redmine/redmine/commit/c096dde88ff02872ba35edc4dc403c80a7867b5c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions redmine/1.0.1-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 26 Nov 2015 19:15:03 GMT) (full text, mbox, link).


Marked as fixed in versions redmine/1.0.1-2+deb6u11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 26 Nov 2015 19:15:04 GMT) (full text, mbox, link).


Marked as found in versions redmine/1.0.1-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 28 Nov 2015 15:36:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Antonio Terceiro <terceiro@debian.org>:
Bug#806376; Package src:redmine. (Tue, 23 Feb 2016 11:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jörg-Volker Peetz <jvpeetz@web.de>:
Extra info received and forwarded to list. Copy sent to Antonio Terceiro <terceiro@debian.org>. (Tue, 23 Feb 2016 11:45:04 GMT) (full text, mbox, link).


Message #16 received at 806376@bugs.debian.org (full text, mbox, reply):

From: Jörg-Volker Peetz <jvpeetz@web.de>
To: 806376@bugs.debian.org
Subject: Fixed since 3.2.0-1
Date: Tue, 23 Feb 2016 12:41:25 +0100

AFAICT, this bug is fixed since version 3.2.0-1 although not mentioned in the
changelog.
The reason I replied to these bugs is that in the Package Tracker
(https://security-tracker.debian.org/tracker/source-package/redmine) version
3.2.0-2 of redmine is still marked as vulnerable.

Regards,
Jörg-Volker.



Marked as fixed in versions redmine/3.2.0-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 23 Feb 2016 17:03:06 GMT) (full text, mbox, link).


Reply sent to Antonio Terceiro <terceiro@debian.org>:
You have taken responsibility. (Thu, 24 Mar 2016 23:21:18 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 24 Mar 2016 23:21:18 GMT) (full text, mbox, link).


Message #23 received at 806376-close@bugs.debian.org (full text, mbox, reply):

From: Antonio Terceiro <terceiro@debian.org>
To: 806376-close@bugs.debian.org
Subject: Bug#806376: fixed in redmine 3.0~20140825-8~deb8u2
Date: Thu, 24 Mar 2016 23:18:16 +0000
Source: redmine
Source-Version: 3.0~20140825-8~deb8u2

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 806376@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Antonio Terceiro <terceiro@debian.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 19 Mar 2016 20:31:15 -0300
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 3.0~20140825-8~deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Jérémy Lal <kapouer@melix.org>
Changed-By: Antonio Terceiro <terceiro@debian.org>
Description:
 redmine    - flexible project management web application
 redmine-mysql - metapackage providing MySQL dependencies for Redmine
 redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
 redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Closes: 806376 807272 807345 807826
Changes:
 redmine (3.0~20140825-8~deb8u2) jessie-security; urgency=high
 .
   * Security update. Includes fixes for the following vulnerabilities:
     - CVE-2015-8346: Data disclosure on the time logging form
       (Closes: #806376)
     - CVE-02015-8474: open redirect vulnerability
       (Closes: #807272)
     - CVE-2015-8473: Issues API may disclose changeset messages that are not
       visible
       (Closes: #807345)
     - CVE-2015-8537: Data disclosure in atom feed
       (Closes: #807826)
Checksums-Sha1:
 e9d262854135764a2629adf598a6bdbd355ae4f9 2294 redmine_3.0~20140825-8~deb8u2.dsc
 03ad5b379dc0999f03c41fad9545fac037bf4546 2193559 redmine_3.0~20140825.orig.tar.gz
 598d17cab03ab1beb81296183c47109024fd5400 243076 redmine_3.0~20140825-8~deb8u2.debian.tar.xz
 67f7492cbd476907af89aa7b888c16639e583085 4653870 redmine_3.0~20140825-8~deb8u2_all.deb
 bc8f6c3295ffd013b056bdc9156b1546ab9e9e90 70740 redmine-mysql_3.0~20140825-8~deb8u2_all.deb
 71d531067b9775598780f02dbad2c449ba4c6245 70708 redmine-pgsql_3.0~20140825-8~deb8u2_all.deb
 e636590af4f6599adc6295b416419c50605c2094 70692 redmine-sqlite_3.0~20140825-8~deb8u2_all.deb
Checksums-Sha256:
 8bf344cf9333253ec55e59b68f77af0da5e3dc4406e314b562861ba4f585c3ea 2294 redmine_3.0~20140825-8~deb8u2.dsc
 97accde569350973ff9ba1c1ca5118726dd4fb7f1d47526f902c66d0dc88bc68 2193559 redmine_3.0~20140825.orig.tar.gz
 8b461d493aa9fb4aa8f0e63b35165b4fe18188f885fc75d1ba133739bd78a340 243076 redmine_3.0~20140825-8~deb8u2.debian.tar.xz
 edcce602747d1e9240fcdba65e5040981d90ac49d2f9030cef28c37d2c1295a7 4653870 redmine_3.0~20140825-8~deb8u2_all.deb
 70461c0d62acd0198b5441bbfea261fedf564e8762cd8645493e14d6cc27a0c2 70740 redmine-mysql_3.0~20140825-8~deb8u2_all.deb
 c0a4d7ade48c6608c7fbbd614c6072816c88577d5155f5270250304251895397 70708 redmine-pgsql_3.0~20140825-8~deb8u2_all.deb
 7fa4aae57ba37f94526a47a157b3582d69e9236c29543dd10d89e4bec316c552 70692 redmine-sqlite_3.0~20140825-8~deb8u2_all.deb
Files:
 4867f7033ee33c5359ab34e06b589ac1 2294 web extra redmine_3.0~20140825-8~deb8u2.dsc
 d40022d37b8b13b3aa4059efd96e33af 2193559 web extra redmine_3.0~20140825.orig.tar.gz
 fb95747357eaf9d75f89828d6d4d855f 243076 web extra redmine_3.0~20140825-8~deb8u2.debian.tar.xz
 cc207649fcc55b8f3469ab8297e3883f 4653870 web extra redmine_3.0~20140825-8~deb8u2_all.deb
 b595c751ea76bce43782d669c649f787 70740 web extra redmine-mysql_3.0~20140825-8~deb8u2_all.deb
 dd22331b1b13cae0820fbd7da808967a 70708 web extra redmine-pgsql_3.0~20140825-8~deb8u2_all.deb
 0d12d1473c648668c664214503a48f71 70692 web extra redmine-sqlite_3.0~20140825-8~deb8u2_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 May 2016 07:51:03 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:22:24 2019; Machine Name: buxtehude
