redmine: security: CVE-2014-1985: open redirector issue

Related Vulnerabilities: CVE-2014-1985  

Debian Bug report logs - #743828


Reported by: Paul Wise <pabs@debian.org>

Date: Sun, 6 Apr 2014 23:45:01 UTC

Severity: serious

Tags: security, wheezy

Found in versions redmine/1.4.4+dfsg1-2+deb7u1, redmine/1.0.1-2, redmine/2.4.2-1~bpo70+1

Fixed in version redmine/2.5.1-1

Done: Balint Reczey <balint@balintreczey.hu>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#743828; Package redmine. (Sun, 06 Apr 2014 23:45:05 GMT)


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Jérémy Lal <kapouer@melix.org>. (Sun, 06 Apr 2014 23:45:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redmine: security: open redirector issue
Date: Mon, 07 Apr 2014 07:44:12 +0800
[Message part 1 (text/plain, inline)]
Package: redmine
Severity: serious
Tags: security

Quoting from:

http://www.openwall.com/lists/oss-security/2014/04/06/1

> Redmine versions 2.4.5 and 2.5.1 fixed an open redirector issue.  The
> code verifying the redirection URIs accepted scheme-relative URIs
> which can lead to different hosts:
> 
> http://www.redmine.org/projects/redmine/wiki/Security_Advisories
> http://www.redmine.org/projects/redmine/wiki/Changelog
> https://github.com/redmine/redmine/commit/7567c3d8b21fe67e5f04e6839c1fce061600f2f3.patch

This issue is present in all redmine versions.

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
[signature.asc (application/pgp-signature, inline)]
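The advisory quoted above says the pre-fix check treated a scheme-relative URI such as `//host/path` as "relative" and therefore safe, even though a browser resolves it to another host. The following Ruby is an added example, not Redmine's code and not taken from the linked commit: `vulnerable_back_url_ok?` is a hypothetical model of a check with that flaw, `safe_back_url_ok?` is a hardened replacement, and `request_host` plus every sample URL are constructed for the demonstration. It goes slightly beyond the advisory by also rejecting the `/\host` browser quirk, non-http schemes and CR/LF in the target.

```ruby
require 'uri'

# Added example, not Redmine's code. Both validators are hypothetical models of
# a "back_url" check: the first behaves the way the advisory describes the
# pre-fix check (a scheme-less URI counts as relative and is accepted), the
# second is a hardened replacement. request_host is the host the application
# is served on; all sample URLs below are constructed for the demo.

LOGIN_PATHS = %r{/(login|account/register)}

# Pre-fix style check (vulnerable): URI.parse("//other.example/x").relative?
# is true because there is no scheme, yet a browser resolves that target to
# other.example, so the "same host or relative" test is bypassed.
def vulnerable_back_url_ok?(back_url, request_host)
  uri = URI.parse(back_url)
  (uri.relative? || uri.host == request_host) && !uri.path.to_s.match?(LOGIN_PATHS)
rescue URI::InvalidURIError
  false
end

# Hardened check. Accepts only:
#   * a path-absolute reference: a single leading "/" not followed by "/" or "\"
#     (rejects scheme-relative "//host" and the "/\host" browser quirk), or
#   * an absolute http(s) URI whose host equals the request host exactly.
# CR/LF (header injection) and anything that fails to parse are refused, and
# the login/register exclusion from the original check is kept.
def safe_back_url_ok?(back_url, request_host)
  s = back_url.to_s
  return false if s.empty? || s.match?(/[\r\n]/)
  uri = URI.parse(s)
  if uri.scheme.nil?
    return false unless s.match?(%r{\A/(?![/\\])})
  else
    return false unless %w[http https].include?(uri.scheme.downcase)
    return false unless uri.host == request_host
  end
  !uri.path.to_s.match?(LOGIN_PATHS)
rescue URI::InvalidURIError
  false
end

# Runs both checks over constructed sample targets and returns
# [back_url, vulnerable_result, hardened_result] rows.
def compare_checks(request_host = 'redmine.example')
  samples = [
    '/projects/demo/issues',             # ordinary local path: both accept
    'https://redmine.example/issues/1',  # same-host absolute URI: both accept
    '//other.example/phish',             # scheme-relative: only the pre-fix check accepts
    '/login',                            # excluded path: both reject
    'https://other.example/',            # other host: both reject
    'javascript:alert(1)'                # non-http scheme: both reject
  ]
  samples.map { |u| [u, vulnerable_back_url_ok?(u, request_host), safe_back_url_ok?(u, request_host)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each { |u, v, h| printf("%-36s pre-fix=%-5s hardened=%s\n", u, v, h) }
end
```

The third sample is the case the advisory describes: `URI.parse('//other.example/phish').relative?` is true because the scheme is absent, so the host comparison is never reached. The hardened check decides on the raw string first (a single leading slash) and only then trusts the parsed host, which is the property a reviewer should look for when auditing any redirect-target validator.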

Changed Bug title to 'redmine: security: CVE-2014-1985: open redirector issue' from 'redmine: security: open redirector issue'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 10 Apr 2014 19:00:11 GMT)


Reply sent to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility. (Tue, 29 Apr 2014 09:24:12 GMT)


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Tue, 29 Apr 2014 09:24:13 GMT)


Message #12 received at 743828-close@bugs.debian.org:

From: Ondřej Surý <ondrej@debian.org>
To: 743828-close@bugs.debian.org
Subject: Bug#743828: fixed in redmine 2.5.1-1
Date: Tue, 29 Apr 2014 09:22:11 +0000
Source: redmine
Source-Version: 2.5.1-1

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 743828@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ondřej Surý <ondrej@debian.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 29 Apr 2014 09:38:26 +0200
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 2.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Jérémy Lal <kapouer@melix.org>
Changed-By: Ondřej Surý <ondrej@debian.org>
Description: 
 redmine    - flexible project management web application
 redmine-mysql - metapackage providing MySQL dependencies for Redmine
 redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
 redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Closes: 743828
Changes: 
 redmine (2.5.1-1) unstable; urgency=medium
 .
   * Add ruby-i18n (>= 0.6.9-1~) dependency to unbreak upgrades in backports
   * New upstream version 2.5.1 (Closes: #743828)
   * Refresh patches for 2.5.1 release
Checksums-Sha1: 
 ad55b769723547855d0ed47a876edfc7e1a6aaf4 2247 redmine_2.5.1-1.dsc
 215a21c850d48ff5c7399b5c3192961e2e591c0f 2147272 redmine_2.5.1.orig.tar.gz
 f3add40c5785172122939ec001ad052b157a6ac1 36076 redmine_2.5.1-1.debian.tar.xz
 97517f02308843ab33c5bf53ad554ea0efb3dba8 4622318 redmine_2.5.1-1_all.deb
 ac2ce6b743f3610661d52eb690e20e298f7800b2 67698 redmine-mysql_2.5.1-1_all.deb
 806660b5b56ea185bbf00136e1da8cfd8951c2ab 67660 redmine-pgsql_2.5.1-1_all.deb
 30247504edb3c3e7f57a315e8ca0a0c2cd3cf171 67646 redmine-sqlite_2.5.1-1_all.deb
Checksums-Sha256: 
 4113bbd94dccf56f4f3455e7f4c75f947355f135ab7d39d7baa85a66afe2e671 2247 redmine_2.5.1-1.dsc
 4c423ba583991d2f484c0f552bb3f6d80efa680f69b7f3a1da4d3aba0c4be0a3 2147272 redmine_2.5.1.orig.tar.gz
 beebfc73df213e9d321eaaf9f90d5ce0b5800eb8830b93632b57559c40967177 36076 redmine_2.5.1-1.debian.tar.xz
 452e2dc50af22524e2168842eb3cc31ebda5998dfa4c79e931f08bfbab73ea60 4622318 redmine_2.5.1-1_all.deb
 cdcb1fac92356affcdfda3f149a5cf57901023027e773fefc7ef07926474ee7c 67698 redmine-mysql_2.5.1-1_all.deb
 4a463b0eb18e22fe4d9512c5e20d2ede9ce3651780a0fec97c4974912bd533c8 67660 redmine-pgsql_2.5.1-1_all.deb
 92981212b08648caa41ffac07c14da147dcd7d6a1fb2ad81092bbfb1fe32c262 67646 redmine-sqlite_2.5.1-1_all.deb
Files: 
 0e39a43f671e6d0cc8186a3c7b52f43b 4622318 web extra redmine_2.5.1-1_all.deb
 8fa30f87307c3f8ebbdf8a2f777273a0 67698 web extra redmine-mysql_2.5.1-1_all.deb
 62b06262d5c81661c590c9af732146fd 67660 web extra redmine-pgsql_2.5.1-1_all.deb
 420996c31e0aa2601100124a0c036e95 67646 web extra redmine-sqlite_2.5.1-1_all.deb
 1c64c016e07de1103910b9651c40761b 2247 web extra redmine_2.5.1-1.dsc
 fa2d871e478b37b35b0dabadf1192335 2147272 web extra redmine_2.5.1.orig.tar.gz
 809d263c0a58f52ddd5decdabb9d04e0 36076 web extra redmine_2.5.1-1.debian.tar.xz

[PGP signature (application/pgp-signature) elided]




Bug reopened. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 29 Apr 2014 09:51:16 GMT)


No longer marked as fixed in versions redmine/2.5.1-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 29 Apr 2014 09:51:16 GMT)


Marked as found in versions redmine/1.4.4+dfsg1-2+deb7u1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 29 Apr 2014 09:51:17 GMT)


Marked as found in versions redmine/2.4.2-1~bpo70+1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 29 Apr 2014 09:51:18 GMT)


Marked as found in versions redmine/1.0.1-2. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Tue, 29 Apr 2014 09:51:19 GMT)


Added tag(s) wheezy. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 28 May 2014 12:21:08 GMT)


Marked as fixed in versions redmine/2.5.1-1. Request was from Ondřej Surý <ondrej@debian.org> to control@bugs.debian.org. (Wed, 28 May 2014 12:21:09 GMT)


Reply sent to Balint Reczey <balint@balintreczey.hu>:
You have taken responsibility. (Wed, 31 Dec 2014 15:39:11 GMT)


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Wed, 31 Dec 2014 15:39:11 GMT)


Message #31 received at 743828-done@bugs.debian.org:

From: Balint Reczey <balint@balintreczey.hu>
To: 743828-done@bugs.debian.org
Cc: Ondřej Surý <ondrej@debian.org>
Subject: Re: tagging 743828, fixed 743828 in redmine/2.5.1-1
Date: Wed, 31 Dec 2014 16:33:58 +0100
Closing bug since it has been fixed in unstable.
Older versions are still affected.

Cheers,
Balint

On Wed, 28 May 2014 14:08:04 +0200 Ondřej Surý <ondrej@debian.org> wrote:
> tags 743828 + wheezy
> fixed 743828 redmine/2.5.1-1
> thanks



Message #32 received at 743828-close@bugs.debian.org:

From: php-sender-tictactoe.com.ua@undeliver.mirohost.net
To: 743828-close@bugs.debian.org
Subject: New status of your UPS delivery (code: 03275193)
Date: Sun, 12 Mar 2017 14:52:00 +0200
[Message part 1 (text/plain, inline)]
Dear Customer,

UPS courier was unable to contact you for your parcel delivery.

Postal label is enclosed to this e-mail. Please check the attachment!

Thank you,
Sam Webb,
UPS Support Agent.

[UPS-Parcel-ID-03275193.zip (application/zip, attachment)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 21 Jun 2017 07:26:27 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:28:20 2019; Machine Name: beach
