group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1853063] [NEW] SQL injection and Persistent XSS in textile formatting

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Lucas Kanashiro <1853063@xxxxxxxxxxxxxxxxxx>
Date: Mon, 18 Nov 2019 22:54:53 -0000
Reply-to: Bug 1853063 <1853063@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

Two important CVEs were released and addressed by upstream:

* Redmine Defect #31520: Persistent XSS in textile formatting (CVE-2019-17427)
* Redmine Defect #32374: SQL injection vulnerability in Redmine < 3.4.0 (CVE-2019-18890)

Those vulnerabilities were fixed in version 3.3.10. Here is the upstream
changelog: https://www.redmine.org/projects/redmine/wiki/Changelog_3_3

Here is the diff of my Debian Stretch security update:
https://salsa.debian.org/ruby-
team/redmine/compare/debian%2F3.3.1-4+deb9u2...debian%2F3.3.1-4+deb9u3

** Affects: redmine (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: redmine (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: redmine (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: redmine (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-17427

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18890

** Also affects: redmine (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: redmine (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: redmine (Ubuntu Trusty)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1853063

Title:
  SQL injection and Persistent XSS in textile formatting

Status in redmine package in Ubuntu:
  New
Status in redmine source package in Precise:
  New
Status in redmine source package in Trusty:
  New
Status in redmine source package in Xenial:
  New

Bug description:
  Two important CVEs were released and addressed by upstream:

  * Redmine Defect #31520: Persistent XSS in textile formatting (CVE-2019-17427)
  * Redmine Defect #32374: SQL injection vulnerability in Redmine < 3.4.0 (CVE-2019-18890)

  Those vulnerabilities were fixed in version 3.3.10. Here is the
  upstream changelog:
  https://www.redmine.org/projects/redmine/wiki/Changelog_3_3

  Here is the diff of my Debian Stretch security update:
  https://salsa.debian.org/ruby-
  team/redmine/compare/debian%2F3.3.1-4+deb9u2...debian%2F3.3.1-4+deb9u3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redmine/+bug/1853063/+subscriptions

Follow ups

[Bug 1853063] Re: SQL injection and Persistent XSS in textile formatting
From: Launchpad Bug Tracker, 2019-11-25
[Bug 1853063] Re: SQL injection and Persistent XSS in textile formatting
From: Launchpad Bug Tracker, 2019-11-25
[Bug 1853063] Re: SQL injection and Persistent XSS in textile formatting
From: Paulo Flabiano Smorigo, 2019-11-21