Debian DSA-2261-1 : redmine - several vulnerabilities

High Nessus Plugin ID 55145

Synopsis

The remote Debian host is missing a security-related update.

Description

Joernchen of Phenoelit discovered several vulnerabilities in Redmine, a project management web application:

- Logged-in users may be able to access private data.

- The Textile formatter allowed for cross-site scripting, exposing sensitive data to an attacker.

- The Bazaar repository adapter could be used to remotely execute commands on the host running Redmine.

The oldstable distribution (lenny) does not contain redmine packages.

Solution

Upgrade the redmine packages.

For the stable distribution (squeeze), these problems have been fixed in version 1.0.1-2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608397

https://packages.debian.org/source/squeeze/redmine

https://www.debian.org/security/2011/dsa-2261

Plugin Details

Severity: High

ID: 55145

File Name: debian_DSA-2261.nasl

Version: 1.9

Type: local

Agent: unix

Published: 2011/06/16

Updated: 2020/03/12

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:redmine, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/06/15

Reference Information

BID: 45571

DSA: 2261