← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1853063] Re: SQL injection and Persistent XSS in textile formatting

 

This bug was fixed in the package redmine - 3.4.4-1ubuntu0.1

---------------
redmine (3.4.4-1ubuntu0.1) bionic-security; urgency=medium

  * SECURITY UPDATE: persistent XSS exists due to textile formatting
    - debian/patches/0020-Fix-CVE-2019-17427.patch: improve the way
      that html tags are identified to be escaped. (LP: #1853063)
    - CVE-2019-17427
    - https://www.cvedetails.com/cve/CVE-2019-17427/
    - Redmine Defect #31520

 -- Paulo Flabiano Smorigo <pfsmorigo@xxxxxxxxxxxxx>  Mon, 25 Nov 2019
20:17:10 +0000

** Changed in: redmine (Ubuntu)
       Status: New => Fix Released

** Changed in: redmine (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1853063

Title:
  SQL injection and Persistent XSS in textile formatting

Status in redmine package in Ubuntu:
  Fix Released
Status in redmine source package in Precise:
  Invalid
Status in redmine source package in Trusty:
  Invalid
Status in redmine source package in Xenial:
  Fix Released

Bug description:
  Two important CVEs were released and addressed by upstream:

  * Redmine Defect #31520: Persistent XSS in textile formatting (CVE-2019-17427)
  * Redmine Defect #32374: SQL injection vulnerability in Redmine < 3.4.0 (CVE-2019-18890)

  Those vulnerabilities were fixed in version 3.3.10. Here is the
  upstream changelog:
  https://www.redmine.org/projects/redmine/wiki/Changelog_3_3

  Here is the diff of my Debian Stretch security update:
  https://salsa.debian.org/ruby-
  team/redmine/compare/debian%2F3.3.1-4+deb9u2...debian%2F3.3.1-4+deb9u3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/redmine/+bug/1853063/+subscriptions


References