Ubuntu Security Notice 4200-1 - It was discovered that Redmine incorrectly handle certain inputs that could cause textile formatting errors. An attacker could possibly use this issue to cause a XSS attack. It was discovered that an SQL injection could allow users to access protected information via a crafted object query.
623c8e3a17e14a602b525ab5f5540e738d4bb3f031a88de1d5acd06feb27ea0e
=========================================================================
Ubuntu Security Notice USN-4200-1
November 26, 2019
redmine vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 19.04
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in redmine.
Software Description:
- redmine: flexible project management web application
Details:
It was discovered that Redmine incorrectly handle certain inputs that could
cause textile formatting errors. An attacker could possibly use this issue to
cause a XSS attack. (CVE-2019-17427)
It was discovered that an SQL injection could allow users to access protected
information via a crafted object query. (CVE-2019-18890)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 19.04:
redmine 4.0.1-2ubuntu0.1
redmine-mysql 4.0.1-2ubuntu0.1
redmine-pgsql 4.0.1-2ubuntu0.1
redmine-sqlite 4.0.1-2ubuntu0.1
Ubuntu 18.04 LTS:
redmine 3.4.4-1ubuntu0.1
redmine-mysql 3.4.4-1ubuntu0.1
redmine-pgsql 3.4.4-1ubuntu0.1
redmine-sqlite 3.4.4-1ubuntu0.1
Ubuntu 16.04 LTS:
redmine 3.2.1-2ubuntu0.2
redmine-mysql 3.2.1-2ubuntu0.2
redmine-pgsql 3.2.1-2ubuntu0.2
redmine-sqlite 3.2.1-2ubuntu0.2
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4200-1
CVE-2019-17427, CVE-2019-18890
Package Information:
https://launchpad.net/ubuntu/+source/redmine/4.0.1-2ubuntu0.1
https://launchpad.net/ubuntu/+source/redmine/3.4.4-1ubuntu0.1
https://launchpad.net/ubuntu/+source/redmine/3.2.1-2ubuntu0.2