Debian Bug report logs - #608397
redmine: security issues in 1.0.1 (fixed in 1.0.5)


Package: redmine; Maintainer for redmine is Jérémy Lal <kapouer@melix.org>; Source for redmine is src:redmine.

Reported by: Hideki Yamane <henrich@debian.or.jp>

Date: Thu, 30 Dec 2010 14:57:01 UTC

Severity: grave

Tags: squeeze-ignore

Found in version redmine/1.0.1-1

Fixed in versions redmine/1.0.5-1, redmine/1.0.1-2

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Thu, 30 Dec 2010 14:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hideki Yamane <henrich@debian.or.jp>:
New Bug report received and forwarded. Copy sent to Jérémy Lal <kapouer@melix.org>. (Thu, 30 Dec 2010 14:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Hideki Yamane <henrich@debian.or.jp>
To: submit@bugs.debian.org
Subject: redmine: security issues in 1.0.1 (fixed in 1.0.5)
Date: Thu, 30 Dec 2010 23:55:42 +0900
Package: redmine
Version: 1.0.1-1
Severity: grave
Tag: security

Hi,

 I found an article that says redmine 1.0.5 fixes 3 security issues.
 See http://www.redmine.org/news/49

 You've already uploaded it to unstable, that's good. However, unfortunately
 the package in Squeeze is still vulnerable. So, could you provide a security
 fix for that, please?


-- 
Regards,

 Hideki Yamane     henrich @ debian.or.jp/org
 http://wiki.debian.org/HidekiYamane




Bug Marked as fixed in versions redmine/1.0.5-1. Request was from Hideki Yamane <henrich@debian.or.jp> to control@bugs.debian.org. (Thu, 30 Dec 2010 15:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Fri, 31 Dec 2010 22:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jérémy Lal <jerry@edagames.com>:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Fri, 31 Dec 2010 22:57:03 GMT) Full text and rfc822 format available.

Message #12 received at 608397@bugs.debian.org (full text, mbox):

From: Jérémy Lal <jerry@edagames.com>
To: debian-release@lists.debian.org
Cc: 608397@bugs.debian.org
Subject: redmine security issues fixed in 1.0.5
Date: Fri, 31 Dec 2010 23:53:11 +0100
Hi,
I'd need some tips about how to manage the situation with the redmine package:
version 1.0.1-1 is in testing, version 1.0.5-1 in unstable (my bad, I should
have uploaded it to experimental).
I would like to see either redmine 1.0.5-1 go to testing, or backport the
security issues I'm aware of to a 1.0.1-2 version -- I know this is the
solution when deep freeze is in effect.
The question being: where should I upload 1.0.1-2? t-p-u?

Kind regards,
Jérémy Lal




Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Sat, 01 Jan 2011 18:42:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Sat, 01 Jan 2011 18:42:04 GMT) Full text and rfc822 format available.

Message #17 received at 608397@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Jérémy Lal <jerry@edagames.com>
Cc: debian-release@lists.debian.org, 608397@bugs.debian.org, team@security.debian.org
Subject: Re: redmine security issues fixed in 1.0.5
Date: Sat, 1 Jan 2011 19:38:35 +0100
On Fri, Dec 31, 2010 at 23:53:11 +0100, Jérémy Lal wrote:

> Hi,
> i'd need some tip about how to manage the situation with redmine package :
> version 1.0.1-1 is in testing, version 1.0.5-1 in unstable (my bad, i should
> have uploaded it to experimental).
> I would like to see either redmine 1.0.5-1 go to testing, or backport the
> security issues i'm aware of to a 1.0.1-2 version -- i know this is the
> solution when deep freeze is in effect.
> The question being : where should i upload 1.0.1-2 ? t-p-u ?
> 
Or testing-security.  In any case, please prepare the package and come
back to us and the security team when that's ready and tested, and we'll
figure out where the upload should go.

Thanks,
Julien

Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Tue, 04 Jan 2011 20:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Tue, 04 Jan 2011 20:27:05 GMT) Full text and rfc822 format available.

Message #22 received at 608397@bugs.debian.org (full text, mbox):

From: Julien Cristau <jcristau@debian.org>
To: Jérémy Lal <jerry@edagames.com>
Cc: debian-release@lists.debian.org, 608397@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#608397: redmine security issues fixed in 1.0.5
Date: Tue, 4 Jan 2011 21:23:55 +0100
user release.debian.org@packages.debian.org
usertag 608397 squeeze-can-defer
tag 608397 squeeze-ignore
kthxbye

On Sat, Jan  1, 2011 at 19:38:35 +0100, Julien Cristau wrote:

> On Fri, Dec 31, 2010 at 23:53:11 +0100, Jérémy Lal wrote:
> 
> > Hi,
> > i'd need some tip about how to manage the situation with redmine package :
> > version 1.0.1-1 is in testing, version 1.0.5-1 in unstable (my bad, i should
> > have uploaded it to experimental).
> > I would like to see either redmine 1.0.5-1 go to testing, or backport the
> > security issues i'm aware of to a 1.0.1-2 version -- i know this is the
> > solution when deep freeze is in effect.
> > The question being : where should i upload 1.0.1-2 ? t-p-u ?
> > 
> Or testing-security.  In any case, please prepare the package and come
> back to us and the security team when that's ready and tested, and we'll
> figure out where the upload should go.

Tagging as -can-defer as this can be fixed post-release if not ready
soon enough.

Cheers,
Julien

Added tag(s) squeeze-ignore. Request was from Julien Cristau <jcristau@debian.org> to control@bugs.debian.org. (Tue, 04 Jan 2011 20:27:08 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Tue, 04 Jan 2011 23:51:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Wed, 05 Jan 2011 10:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jérémy Lal <jerry@edagames.com>:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Wed, 05 Jan 2011 10:30:03 GMT) Full text and rfc822 format available.

Message #31 received at 608397@bugs.debian.org (full text, mbox):

From: Jérémy Lal <jerry@edagames.com>
To: Julien Cristau <jcristau@debian.org>
Cc: debian-release@lists.debian.org, 608397@bugs.debian.org
Subject: Re: Bug#608397: redmine security issues fixed in 1.0.5
Date: Wed, 05 Jan 2011 11:26:28 +0100
Hi,

On 04/01/2011 21:23, Julien Cristau wrote:
> user release.debian.org@packages.debian.org
> usertag 608397 squeeze-can-defer
> tag 608397 squeeze-ignore
> kthxbye
> 
> On Sat, Jan  1, 2011 at 19:38:35 +0100, Julien Cristau wrote:
> 
>> On Fri, Dec 31, 2010 at 23:53:11 +0100, Jérémy Lal wrote:
>>
>>> Hi,
>>> i'd need some tip about how to manage the situation with redmine package :
>>> version 1.0.1-1 is in testing, version 1.0.5-1 in unstable (my bad, i should
>>> have uploaded it to experimental).
>>> I would like to see either redmine 1.0.5-1 go to testing, or backport the
>>> security issues i'm aware of to a 1.0.1-2 version -- i know this is the
>>> solution when deep freeze is in effect.
>>> The question being : where should i upload 1.0.1-2 ? t-p-u ?
>>>
>> Or testing-security.  In any case, please prepare the package and come
>> back to us and the security team when that's ready and tested, and we'll
>> figure out where the upload should go.
> 
> Tagging as -can-defer as this can be fixed post-release if not ready
> soon enough.
> 
> Cheers,
> Julien

I sent a debdiff for review to team@s.d.o

Cheers,
Jérémy.




Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Wed, 23 Feb 2011 14:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to kapouer@melix.org:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Wed, 23 Feb 2011 14:12:03 GMT) Full text and rfc822 format available.

Message #36 received at 608397@bugs.debian.org (full text, mbox):

From: Jérémy Lal <kapouer@melix.org>
To: Debian Security Team <team@security.debian.org>
Cc: 608397@bugs.debian.org
Subject: redmine: security issues in 1.0.1 (fixed in 1.0.5)
Date: Wed, 23 Feb 2011 15:04:10 +0100
Hi,

Redmine package 1.0.1-1 is affected by several security issues:
* Info leak in journals controller
* Persistent XSS in wiki
* Command Execution in SCM adapter

I prefer not to disclose the full description here.
Ask me if needed, or find it in the encrypted email I sent to
the security team (05/01/2011 00:58).

Could you consider either of the following?

1. Propose an update to redmine 1.0.5-1

It's been a while in testing, and is a good candidate for a
proposed update, fixing the issues.


2. Use the attached security update

The diff to redmine-1.0.1-2 is attached. It backports only the security fixes,
and I verified it does not introduce new bugs.


Best regards,
Jérémy Lal

[redmine_1.0.1-1_1.0.1-2.debdiff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jérémy Lal <kapouer@melix.org>:
Bug#608397; Package redmine. (Wed, 23 Feb 2011 17:45:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Jérémy Lal <kapouer@melix.org>. (Wed, 23 Feb 2011 17:45:09 GMT) Full text and rfc822 format available.

Message #41 received at 608397@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: kapouer@melix.org
Cc: 608397@bugs.debian.org, team@security.debian.org
Subject: Re: redmine: security issues in 1.0.1 (fixed in 1.0.5)
Date: Wed, 23 Feb 2011 18:39:58 +0100
Hi Jérémy,

On Wednesday 23 February 2011 15:04:10 Jérémy Lal wrote:
> Redmine package 1.0.1-1 is affected by several security issues :
> * Info leak in journals controller
> * Persistent XSS in wiki
> * Command Execution in SCM adapter

Thanks. We've taken note of the issue (RT 3009) and someone from the team will 
tend to it as soon as possible.


Thijs

Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Thu, 16 Jun 2011 01:57:06 GMT) Full text and rfc822 format available.

Notification sent to Hideki Yamane <henrich@debian.or.jp>:
Bug acknowledged by developer. (Thu, 16 Jun 2011 01:57:06 GMT) Full text and rfc822 format available.

Message #46 received at 608397-close@bugs.debian.org (full text, mbox):

From: Jérémy Lal <kapouer@melix.org>
To: 608397-close@bugs.debian.org
Subject: Bug#608397: fixed in redmine 1.0.1-2
Date: Thu, 16 Jun 2011 01:54:44 +0000
Source: redmine
Source-Version: 1.0.1-2

We believe that the bug you reported is fixed in the latest version of
redmine, which is due to be installed in the Debian FTP archive:

redmine-mysql_1.0.1-2_all.deb
  to main/r/redmine/redmine-mysql_1.0.1-2_all.deb
redmine-pgsql_1.0.1-2_all.deb
  to main/r/redmine/redmine-pgsql_1.0.1-2_all.deb
redmine-sqlite_1.0.1-2_all.deb
  to main/r/redmine/redmine-sqlite_1.0.1-2_all.deb
redmine_1.0.1-2.debian.tar.gz
  to main/r/redmine/redmine_1.0.1-2.debian.tar.gz
redmine_1.0.1-2.dsc
  to main/r/redmine/redmine_1.0.1-2.dsc
redmine_1.0.1-2_all.deb
  to main/r/redmine/redmine_1.0.1-2_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 608397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated redmine package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 04 Jan 2011 22:49:03 +0100
Source: redmine
Binary: redmine redmine-mysql redmine-pgsql redmine-sqlite
Architecture: source all
Version: 1.0.1-2
Distribution: stable-security
Urgency: high
Maintainer: Jérémy Lal <kapouer@melix.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description: 
 redmine    - flexible project management web application
 redmine-mysql - metapackage providing MySQL dependencies for Redmine
 redmine-pgsql - metapackage providing PostgreSQL dependencies for Redmine
 redmine-sqlite - metapackage providing sqlite dependencies for Redmine
Closes: 608397
Changes: 
 redmine (1.0.1-2) stable-security; urgency=high
 .
   * Security update, fixes
     - Infoleak in journals controller,
     - Persistent XSS in issue description,
     - Command Execution in repository.
     (Closes: #608397)






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Jul 2011 07:36:29 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 09:06:14 2014; Machine Name: buxtehude.debian.org
