redmine: CVE-2017-18026

Debian Bug report logs - #887307
redmine: CVE-2017-18026

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 14 Jan 2018 19:54:02 UTC

Severity: important

Tags: security, upstream

Found in version redmine/3.3.1-1

Fixed in version redmine/3.4.4-1

Done: Marc Dequènes (Duck) <Duck@DuckCorp.org>

Bug is archived. No further changes may be made.

Forwarded to https://www.redmine.org/issues/27516


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#887307; Package src:redmine. (Sun, 14 Jan 2018 19:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 14 Jan 2018 19:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: redmine: CVE-2017-18026
Date: Sun, 14 Jan 2018 20:51:06 +0100
Source: redmine
Version: 3.3.1-1
Severity: important
Tags: security upstream
Forwarded: https://www.redmine.org/issues/27516

Hi,

the following vulnerability was published for redmine.

CVE-2017-18026[0]:
| Redmine before 3.2.9, 3.3.x before 3.3.6, and 3.4.x before 3.4.4 does
| not block the --config and --debugger flags to the Mercurial hg
| program, which allows remote attackers to execute arbitrary commands
| (through the Mercurial adapter) via vectors involving a branch whose
| name begins with a --config= or --debugger= substring, a related issue
| to CVE-2017-17536.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-18026
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18026

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
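
As an added illustration, not Redmine's code and not part of this bug log, the check below shows the defensive shape of a fix for the class of issue described above: any user-controlled value handed to the hg program as a positional argument is rejected if it looks like an option, so a branch name beginning with "--config=" or "--debugger=" never reaches hg's option parser. The names HgArgError, option_like? and safe_hg_argv are hypothetical.

```ruby
require 'shellwords'

# Raised when user data would be interpreted by hg as an option.
class HgArgError < ArgumentError; end

# hg scans its argv for global options such as --config and --debugger,
# so any value starting with "-" is unsafe to pass as branch or path data.
def option_like?(value)
  value.to_s.start_with?('-')
end

# Build the argv for listing one branch's history. Fixed options are
# emitted by this code; user-supplied values only ever appear as values
# of those options and are refused outright if they look like options.
def safe_hg_argv(repo_path, branch)
  raise HgArgError, "option-like repo path: #{repo_path.inspect}" if option_like?(repo_path)
  raise HgArgError, "option-like branch name: #{branch.inspect}" if option_like?(branch)
  ['hg', '-R', repo_path, 'log', '--branch', branch]
end

# Shell-quoted form of the same argv, for audit logs (constructed sample
# values below; no command is executed here).
def safe_hg_command(repo_path, branch)
  Shellwords.join(safe_hg_argv(repo_path, branch))
end

if $PROGRAM_NAME == __FILE__
  puts safe_hg_command('/srv/hg/project', 'release-1.0')
  begin
    safe_hg_argv('/srv/hg/project', '--config=x')
  rescue HgArgError => e
    puts "rejected: #{e.message}"
  end
end
```

Pass the array form to a spawn/exec API that takes argv directly, never to a single shell string, so no second layer of interpretation is introduced.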



Reply sent to Marc Dequènes (Duck) <Duck@DuckCorp.org>:
You have taken responsibility. (Mon, 02 Apr 2018 09:21:17 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 02 Apr 2018 09:21:17 GMT)


Message #10 received at 887307-close@bugs.debian.org:

From: Marc Dequènes (Duck) <Duck@DuckCorp.org>
To: 887307-close@bugs.debian.org
Subject: Bug#887307: fixed in redmine 3.4.4-1
Date: Mon, 02 Apr 2018 09:20:10 +0000
Source: redmine
Source-Version: 3.4.4-1

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 887307@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Dequènes (Duck) <Duck@DuckCorp.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 02 Apr 2018 13:52:08 +0900
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 3.4.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>
Changed-By: Marc Dequènes (Duck) <Duck@DuckCorp.org>
Description:
 redmine    - flexible project management web application
 redmine-mysql - metapackage providing MySQL dependencies for Redmine
 redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
 redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Closes: 857952 882544 882545 882547 882548 883919 887307
Changes:
 redmine (3.4.4-1) unstable; urgency=medium
 .
   [ Marc Dequènes (Duck) ]
   * New upstream release:
     + refreshed patches.
     + fix CVE-2017-15568 (Closes: #882544)
     + fix CVE-2017-15569 (Closes: #882545)
     + fix CVE-2017-15570 (Closes: #882547)
     + fix CVE-2017-15571 (Closes: #882548)
     + fix CVE-2017-18026 (Closes: #887307)
   * Add missing dependency on 'libjs-raphael' (Closes: #857952).
   * Updated Russian translation of debconf template, thanks Lev Lamberov
     (Closes: #883919)
   * Updated VCS URLs (Alioth->Salsa).
 .
   [ Lucas Kanashiro ]
   * Bump debhelper compatibility level to 10
   * Declare compliance with Debian Policy 4.1.3


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 14 May 2018 07:25:58 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:38:55 2019; Machine Name: buxtehude