==========================================================================
Ubuntu Security Notice USN-4200-1
November 26, 2019
redmine vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 19.04
– Ubuntu 18.04 LTS
– Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in redmine.
Software Description:
– redmine: flexible project management web application
Details:
It was discovered that Redmine incorrectly handle certain inputs that could
cause textile formatting errors. An attacker could possibly use this issue to
cause a XSS attack. (CVE-2019-17427)
It was discovered that an SQL injection could allow users to access protected
information via a crafted object query. (CVE-2019-18890)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
redmine 4.0.1-2ubuntu0.1
redmine-mysql 4.0.1-2ubuntu0.1
redmine-pgsql 4.0.1-2ubuntu0.1
redmine-sqlite 4.0.1-2ubuntu0.1
Ubuntu 18.04 LTS:
redmine 3.4.4-1ubuntu0.1
redmine-mysql 3.4.4-1ubuntu0.1
redmine-pgsql 3.4.4-1ubuntu0.1
redmine-sqlite 3.4.4-1ubuntu0.1
Ubuntu 16.04 LTS:
redmine 3.2.1-2ubuntu0.2
redmine-mysql 3.2.1-2ubuntu0.2
redmine-pgsql 3.2.1-2ubuntu0.2
redmine-sqlite 3.2.1-2ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4200-1
CVE-2019-17427, CVE-2019-18890
Package Information:
https://launchpad.net/ubuntu/+source/redmine/4.0.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/redmine/3.4.4-1ubuntu0.1
https://launchpad.net/ubuntu/+source/redmine/3.2.1-2ubuntu0.2
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEEkCdEQ5T6DutSveCybUp5kL3izGYFAl3cgFoACgkQbUp5kL3i
zGZYHBAAhak2X7uQ6ivqKvmZHe5te3yA2aE5p3Y7FkXNx2qEZxZZpbWDCZJbwjVy
9EiDuf16nynFc6d+ZZlxqXwSgFII2+rkEJ59wQiOUCgalALD+ZeKmQeV63kh4clq
rpeBpNqxfZcFtcwGGZDstOsx1ni7ll/feDQsZOBQItLKd3ReLE7zbhfy9bV+/j2i
iBjZJzUUMket+rAkP2pG11NrvanhZAnaLmAZs1dTmj/3T5iSZFbi/DQWmDqH7/cS
hUm6ZUp9KAFCarS0ux2Kp/zKG4Soq9DunztmZYHk7BCj5nCtWx9jQAJv+upwZ2HA
L3ZImSX7oZQrLgNwQbhMKTaMxPKWPUEOHVT1Jp9Xxv4nwG/hkitKKiG/h9p/g9z/
OBKE8BpoviEP0ATenyUxWuk7Wy0d/sHhoF8c/PFvtGwpQA+wG0JyXcAI0f4VfbkU
kq6T1/0PAm4WbdnTOBR0E5K47mXCLgVWZ0i4OiRpDlbNJaVbLrFow2hCOalzpCDm
ltHUGAvfl7yPX9Z2toIMkd+jvGJpdswfCnLC3eiJwqwQr2P5q05ghj7g1/6QfvCg
0zhErYLM4iZQm7ArzeLo4JqeLO83zqRNZ/s7twRWuV/wzw/UZlnU1NDGMSy6s+33
2HCpUIgIO/w9bF9T+C0Ty1uvaWeHhAXmZe3MIKbnw/IwhrS5uek=
=oYN1
—–END PGP SIGNATURE—–
—