ArchLinux: 202105-1: redmine: multiple issues
Summary
- CVE-2021-29274 (cross-site scripting)
Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an
issue's subject is mishandled in the auto complete tip.
- CVE-2021-30163 (information disclosure)
Redmine before 4.1.2 allows attackers to discover the names of private
projects if issue-journal details exist that have changes to project_id
values.
- CVE-2021-30164 (access restriction bypass)
Redmine before 4.1.2 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the Issues API.
- CVE-2021-31863 (arbitrary filesystem access)
Insufficient input validation in the Git repository integration of
Redmine before 4.2.1 allows Redmine users to read arbitrary local files
accessible by the application server process.
- CVE-2021-31864 (access restriction bypass)
Redmine before 4.2.1 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the incoming mail handler.
- CVE-2021-31865 (arbitrary file upload)
Redmine before 4.2.1 allows users to circumvent the allowed filename
extensions of uploaded attachments.
- CVE-2021-31866 (information disclosure)
Redmine before 4.1.3 allows an attacker to learn the values of internal
authentication keys by observing timing differences in string
comparison operations within SysController and MailHandlerController.
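The class of bug behind CVE-2021-31866, as an added example that is not Redmine's code: an early-exit key comparison does work that depends on how many leading bytes match, while a fixed-length comparison does the same work for every input. The function names and the key value are hypothetical, and `bytes_examined` is used here as a deterministic stand-in for elapsed time.

```ruby
require 'digest'

# Constructed sample value; a real key would come from application settings.
STORED_KEY = 'k3y-constructed-sample-0123456789'

# Early-exit comparison: returns [equal?, bytes_examined].
# bytes_examined grows with the length of the matching prefix, which is
# the data-dependent work that shows up as a timing difference.
def early_exit_compare(given, stored)
  return [false, 0] unless given.bytesize == stored.bytesize
  examined = 0
  given.bytes.zip(stored.bytes) do |g, s|
    examined += 1
    return [false, examined] unless g == s
  end
  [true, examined]
end

# Fixed-length comparison: every byte pair is XORed and accumulated, so
# the loop never stops at the first mismatch.
# Returns [equal?, bytes_examined].
def fixed_length_compare(given, stored)
  raise ArgumentError, 'length mismatch' unless given.bytesize == stored.bytesize
  diff = 0
  examined = 0
  given.bytes.zip(stored.bytes) do |g, s|
    diff |= g ^ s
    examined += 1
  end
  [diff.zero?, examined]
end

# Hash both inputs first so input of any length reaches the fixed-length
# comparison at the same size (the digest length).
def key_valid?(given, stored = STORED_KEY)
  a = Digest::SHA256.digest(given.to_s)
  b = Digest::SHA256.digest(stored)
  fixed_length_compare(a, b).first
end
```

Pure Ruby cannot guarantee constant time at the machine level; a Rails application would normally call `ActiveSupport::SecurityUtils.secure_compare` rather than a hand-written loop.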
Resolution
Upgrade to 4.2.1-1.
# pacman -Syu "redmine>=4.2.1-1"
The problems have been fixed upstream in version 4.2.1.
References
https://bugs.archlinux.org/task/70203
https://www.redmine.org/projects/redmine/wiki/Security_Advisories
https://www.redmine.org/issues/33846
https://github.com/redmine/redmine/commit/bbfade972865e78e4d865af2cdb93e6cb57d5a45
https://www.redmine.org/login
https://github.com/redmine/redmine/commit/0d96c4ebdb1cceeb6cac8f940a11b5407a0a5211
https://github.com/redmine/redmine/commit/a7b9fa99966e8d59bd88548248ab11400ea48e5e
https://github.com/redmine/redmine/commit/45461bfe51e9492d607f7204120f49ce3396a0cf
https://www.redmine.org/issues/35045
https://github.com/redmine/redmine/commit/d03a718e6efca0493d8b42bd4ba356d736a77f49
https://www.redmine.org/issues/34367
https://github.com/redmine/redmine/commit/56979912c9bb041aac3fc5b88bf8275b743b0e28
https://github.com/redmine/redmine/commit/23e09ef64e26d6f63dcdcd624827440d9ad05f93
https://security.archlinux.org/CVE-2021-29274
https://security.archlinux.org/CVE-2021-30163
https://security.archlinux.org/CVE-2021-30164
https://security.archlinux.org/CVE-2021-31863
https://security.archlinux.org/CVE-2021-31864
https://security.archlinux.org/CVE-2021-31865
https://security.archlinux.org/CVE-2021-31866
Workaround
None.