Bug 205110 - www/redmine: multiple vulnerabilities
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Michael Moll
URL: http://www.redmine.org/projects/redmi...
Keywords: security
Depends on:
Blocks:
 
Reported: 2015-12-08 01:01 UTC by Jason Unovitch
Modified: 2015-12-11 00:42 UTC

See Also:
bugzilla: maintainer-feedback? (ruby)
junovitch: merge-quarterly+


Comment 1 Jason Unovitch freebsd_committer 2015-12-08 01:02:59 UTC
I haven't been able to dig into all the reported issues.  Still catching up from vacation and I'll revisit once I am able.
Comment 2 Jason Unovitch freebsd_committer 2015-12-08 01:04:15 UTC
One more: http://www.openwall.com/lists/oss-security/2015/11/25/1
Comment 3 Michael Moll freebsd_committer 2015-12-09 21:16:52 UTC
take
Comment 4 commit-hook freebsd_committer 2015-12-09 23:03:37 UTC
A commit references this bug:

Author: mmoll
Date: Wed Dec  9 23:02:55 UTC 2015
New revision: 403433
URL: https://svnweb.freebsd.org/changeset/ports/403433

Log:
  www/redmine: update to 2.6.9

  PR:		205110
  MFH:		2015Q4
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	CVE-2015-8477

Changes:
  head/www/redmine/Makefile
  head/www/redmine/distinfo
  head/www/redmine/files/extra-patch-Gemfile
  head/www/redmine/files/patch-Gemfile
  head/www/redmine/pkg-plist
Comment 5 Michael Moll freebsd_committer 2015-12-09 23:13:41 UTC
Jason, could you add the CVEs to vuxml? If not, drop me a line here.
Comment 6 commit-hook freebsd_committer 2015-12-09 23:36:40 UTC
A commit references this bug:

Author: mmoll
Date: Wed Dec  9 23:36:09 UTC 2015
New revision: 403434
URL: https://svnweb.freebsd.org/changeset/ports/403434

Log:
  MFH: r403433

  www/redmine: update to 2.6.9

  PR:		205110
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	CVE-2015-8477
  Approved by:	ports-secteam (erwin)

Changes:
_U  branches/2015Q4/
  branches/2015Q4/www/redmine/Makefile
  branches/2015Q4/www/redmine/distinfo
  branches/2015Q4/www/redmine/files/extra-patch-Gemfile
  branches/2015Q4/www/redmine/files/patch-Gemfile
  branches/2015Q4/www/redmine/pkg-plist
Comment 7 commit-hook freebsd_committer 2015-12-10 01:08:48 UTC
A commit references this bug:

Author: junovitch
Date: Thu Dec 10 01:08:29 UTC 2015
New revision: 403438
URL: https://svnweb.freebsd.org/changeset/ports/403438

Log:
  Catch up on documentation of Redmine vulnerabilities

  PR:		205110
  Security:	CVE-2015-8346
  Security:	CVE-2015-8473
  Security:	CVE-2015-8474
  Security:	https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/3ec2e0bc-9ed7-11e5-8f5c-002590263bf5.html
  Security:	https://vuxml.FreeBSD.org/freebsd/be63533c-9ed7-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml
Comment 8 Jason Unovitch freebsd_committer 2015-12-10 01:10:42 UTC
Thanks Michael!

- Set as fixed
- Set merge-quarterly+ since it was MFH'd

Note the VuXML comment message just mentioned the issues for this PR but I also played catch up and documented the prior issues as well (from http://www.redmine.org/projects/redmine/wiki/Security_Advisories).
Comment 9 commit-hook freebsd_committer 2015-12-11 00:42:38 UTC
A commit references this bug:

Author: junovitch
Date: Fri Dec 11 00:42:28 UTC 2015
New revision: 403477
URL: https://svnweb.freebsd.org/changeset/ports/403477

Log:
  Add CVE assignment to the most recent Redmine vulnerability

  PR:		205110
  Security:	CVE-2015-8537
  Security:	https://vuxml.FreeBSD.org/freebsd/21bc4d71-9ed8-11e5-8f5c-002590263bf5.html

Changes:
  head/security/vuxml/vuln.xml