Debian DSA-2261-1 : redmine - several vulnerabilities

high Nessus Plugin ID 55145

Synopsis

The remote Debian host is missing a security-related update.

Description

Joernchen of Phenoelit discovered several vulnerabilities in Redmine, a project management web application:

- Logged-in users may be able to access private data.
- The Textile formatter allowed for cross-site scripting, exposing sensitive data to an attacker.
- The Bazaar repository adapter could be used to remotely execute commands on the host running Redmine.

The oldstable distribution (lenny) does not contain redmine packages.

Solution

Upgrade the redmine packages.

For the stable distribution (squeeze), these problems have been fixed in version 1.0.1-2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608397

https://packages.debian.org/source/squeeze/redmine

https://www.debian.org/security/2011/dsa-2261

Plugin Details

Severity: High

ID: 55145

File Name: debian_DSA-2261.nasl

Version: 1.10

Type: local

Agent: unix

Published: 6/16/2011

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:redmine, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/15/2011

Reference Information

BID: 45571

DSA: 2261