Multiple that need to be patched and documented:
http://www.redmine.org/projects/redmine/wiki/Security_Advisories

There have been several threads on this recently.
http://www.openwall.com/lists/oss-security/2015/12/03/7
http://www.openwall.com/lists/oss-security/2015/12/05/3
http://www.openwall.com/lists/oss-security/2015/12/05/6
I haven't been able to dig into all the reported issues. Still catching up from vacation and I'll revisit once I am able.
One more: http://www.openwall.com/lists/oss-security/2015/11/25/1
take
A commit references this bug:

Author: mmoll
Date: Wed Dec 9 23:02:55 UTC 2015
New revision: 403433
URL: https://svnweb.freebsd.org/changeset/ports/403433

Log:
  www/redmine: update to 2.6.9

  PR: 205110
  MFH: 2015Q4
  Security: CVE-2015-8346
  Security: CVE-2015-8473
  Security: CVE-2015-8474
  Security: CVE-2015-8477

Changes:
  head/www/redmine/Makefile
  head/www/redmine/distinfo
  head/www/redmine/files/extra-patch-Gemfile
  head/www/redmine/files/patch-Gemfile
  head/www/redmine/pkg-plist
Jason, could you add the CVEs to vuxml? If not, drop me a line here.
A commit references this bug:

Author: mmoll
Date: Wed Dec 9 23:36:09 UTC 2015
New revision: 403434
URL: https://svnweb.freebsd.org/changeset/ports/403434

Log:
  MFH: r403433

  www/redmine: update to 2.6.9

  PR: 205110
  Security: CVE-2015-8346
  Security: CVE-2015-8473
  Security: CVE-2015-8474
  Security: CVE-2015-8477
  Approved by: ports-secteam (erwin)

Changes:
  _U branches/2015Q4/
  branches/2015Q4/www/redmine/Makefile
  branches/2015Q4/www/redmine/distinfo
  branches/2015Q4/www/redmine/files/extra-patch-Gemfile
  branches/2015Q4/www/redmine/files/patch-Gemfile
  branches/2015Q4/www/redmine/pkg-plist
A commit references this bug:

Author: junovitch
Date: Thu Dec 10 01:08:29 UTC 2015
New revision: 403438
URL: https://svnweb.freebsd.org/changeset/ports/403438

Log:
  Catch up on documentation of Redmine vulnerabilities

  PR: 205110
  Security: CVE-2015-8346
  Security: CVE-2015-8473
  Security: CVE-2015-8474
  Security: https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/3ec2e0bc-9ed7-11e5-8f5c-002590263bf5.html
  Security: https://vuxml.FreeBSD.org/freebsd/be63533c-9ed7-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Thanks Michael!
- Set as fixed
- Set merge-quarterly+ since it was MFH'd

Note the VuXML comment message just mentioned the issues for this PR but I also played catch up and documented the prior issues as well (from http://www.redmine.org/projects/redmine/wiki/Security_Advisories).
A commit references this bug:

Author: junovitch
Date: Fri Dec 11 00:42:28 UTC 2015
New revision: 403477
URL: https://svnweb.freebsd.org/changeset/ports/403477

Log:
  Add CVE assignment to the most recent Redmine vulnerability

  PR: 205110
  Security: CVE-2015-8537
  Security: https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml