Bug 205110

Summary: www/redmine: multiple vulnerabilities
Product: Ports & Packages
Reporter: Jason Unovitch <junovitch>
Component: Individual Port(s)
Assignee: Michael Moll <mmoll>
Status: Closed FIXED
Severity: Affects Only Me
CC: junovitch, mmoll, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: bugzilla: maintainer-feedback? (ruby); junovitch: merge-quarterly+
Hardware: Any
OS: Any
URL: http://www.redmine.org/projects/redmine/wiki/Security_Advisories

Comment 1 Jason Unovitch freebsd_committer freebsd_triage 2015-12-08 01:02:59 UTC
I haven't been able to dig into all the reported issues.  Still catching up from vacation and I'll revisit once I am able.
Comment 2 Jason Unovitch freebsd_committer freebsd_triage 2015-12-08 01:04:15 UTC
One more: http://www.openwall.com/lists/oss-security/2015/11/25/1
Comment 3 Michael Moll freebsd_committer freebsd_triage 2015-12-09 21:16:52 UTC
take
Comment 4 commit-hook freebsd_committer freebsd_triage 2015-12-09 23:03:37 UTC
A commit references this bug:

Author: mmoll
Date: Wed Dec  9 23:02:55 UTC 2015
New revision: 403433
URL: https://svnweb.freebsd.org/changeset/ports/403433

Log:
  www/redmine: update to 2.6.9

  PR:		205110
  MFH:		2015Q4
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	CVE-2015-8477

Changes:
  head/www/redmine/Makefile
  head/www/redmine/distinfo
  head/www/redmine/files/extra-patch-Gemfile
  head/www/redmine/files/patch-Gemfile
  head/www/redmine/pkg-plist
Comment 5 Michael Moll freebsd_committer freebsd_triage 2015-12-09 23:13:41 UTC
Jason, could you add the CVEs to vuxml? If not, drop me a line here.
Comment 6 commit-hook freebsd_committer freebsd_triage 2015-12-09 23:36:40 UTC
A commit references this bug:

Author: mmoll
Date: Wed Dec  9 23:36:09 UTC 2015
New revision: 403434
URL: https://svnweb.freebsd.org/changeset/ports/403434

Log:
  MFH: r403433

  www/redmine: update to 2.6.9

  PR:		205110
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	CVE-2015-8477
  Approved by:	ports-secteam (erwin)

Changes:
_U  branches/2015Q4/
  branches/2015Q4/www/redmine/Makefile
  branches/2015Q4/www/redmine/distinfo
  branches/2015Q4/www/redmine/files/extra-patch-Gemfile
  branches/2015Q4/www/redmine/files/patch-Gemfile
  branches/2015Q4/www/redmine/pkg-plist
Comment 7 commit-hook freebsd_committer freebsd_triage 2015-12-10 01:08:48 UTC
A commit references this bug:

Author: junovitch
Date: Thu Dec 10 01:08:29 UTC 2015
New revision: 403438
URL: https://svnweb.freebsd.org/changeset/ports/403438

Log:
  Catch up on documentation of Redmine vulnerabilities

  PR:		205110
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3ec2e0bc-9ed7-11e5-8f5c-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/be63533c-9ed7-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Jason Unovitch freebsd_committer freebsd_triage 2015-12-10 01:10:42 UTC
Thanks Michael!

- Set as fixed
- Set merge-quarterly+ since it was MFH'd

Note the VuXML comment message just mentioned the issues for this PR but I also played catch up and documented the prior issues as well (from http://www.redmine.org/projects/redmine/wiki/Security_Advisories).
Comment 9 commit-hook freebsd_committer freebsd_triage 2015-12-11 00:42:38 UTC
A commit references this bug:

Author: junovitch
Date: Fri Dec 11 00:42:28 UTC 2015
New revision: 403477
URL: https://svnweb.freebsd.org/changeset/ports/403477

Log:
  Add CVE assignment to the most recent Redmine vulnerability

  PR:		205110
  Security:	CVE-2015-8537
  Security:	https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml