Arch Linux alert ASA-202105-1 (redmine)

From:
             
 
Jonas Witschel via arch-security <arch-security@lists.archlinux.org>
To:
             
 
arch-security@lists.archlinux.org
Subject:
             
 
[ASA-202105-1] redmine: multiple issues
Date:
             
 
Thu, 20 May 2021 19:46:26 +0200
Message-ID:
             
 
<20210520174626.4lidzd7r5vzalv5s@archlinux.org>
Cc:
             
 
Jonas Witschel <diabonas@archlinux.org>
Arch Linux Security Advisory ASA-202105-1
=========================================

Severity: Critical
Date    : 2021-05-19
CVE-ID  : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863
          CVE-2021-31864 CVE-2021-31865 CVE-2021-31866
Package : redmine
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1743

Summary
=======

The package redmine before version 4.2.1-1 is vulnerable to multiple
issues including arbitrary filesystem access, access restriction
bypass, cross-site scripting, arbitrary file upload and information
disclosure.

Resolution
==========

Upgrade to 4.2.1-1.

# pacman -Syu "redmine>=4.2.1-1"

The problems have been fixed upstream in version 4.2.1.

Workaround
==========

None.

Description
===========

- CVE-2021-29274 (cross-site scripting)

Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an
issue's subject is mishandled in the auto complete tip.

- CVE-2021-30163 (information disclosure)

Redmine before 4.1.2 allows attackers to discover the names of private
projects if issue-journal details exist that have changes to project_id
values.

- CVE-2021-30164 (access restriction bypass)

Redmine before 4.1.2 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the Issues API.

- CVE-2021-31863 (arbitrary filesystem access)

Insufficient input validation in the Git repository integration of
Redmine before 4.2.1 allows Redmine users to read arbitrary local files
accessible by the application server process.

- CVE-2021-31864 (access restriction bypass)

Redmine before 4.2.1 allows attackers to bypass the add_issue_notes
permission requirement by leveraging the incoming mail handler.

- CVE-2021-31865 (arbitrary file upload)

Redmine before 4.2.1 allows users to circumvent the allowed filename
extensions of uploaded attachments.

- CVE-2021-31866 (information disclosure)

Redmine before 4.1.3 allows an attacker to learn the values of internal
authentication keys by observing timing differences in string
comparison operations within SysController and MailHandlerController.

Impact
======

A remote attacker could disclose private information, perform actions
without having the required permissions, or execute arbitrary
JavaScript code by leveraging cross-site scripting.

References
==========

https://bugs.archlinux.org/task/70203
https://www.redmine.org/projects/redmine/wiki/Security_Ad...
https://www.redmine.org/issues/33846
https://github.com/redmine/redmine/commit/bbfade972865e78...
https://www.redmine.org/issues/33360
https://github.com/redmine/redmine/commit/0d96c4ebdb1ccee...
https://www.redmine.org/issues/33689
https://github.com/redmine/redmine/commit/a7b9fa99966e8d5...
https://www.redmine.org/issues/35085
https://github.com/redmine/redmine/commit/45461bfe51e9492...
https://www.redmine.org/issues/35045
https://github.com/redmine/redmine/commit/d03a718e6efca04...
https://www.redmine.org/issues/34367
https://github.com/redmine/redmine/commit/56979912c9bb041...
https://www.redmine.org/issues/34950
https://github.com/redmine/redmine/commit/23e09ef64e26d6f...
https://security.archlinux.org/CVE-2021-29274
https://security.archlinux.org/CVE-2021-30163
https://security.archlinux.org/CVE-2021-30164
https://security.archlinux.org/CVE-2021-31863
https://security.archlinux.org/CVE-2021-31864
https://security.archlinux.org/CVE-2021-31865
https://security.archlinux.org/CVE-2021-31866