ASA-202105-1 log generated external raw

[ASA-202105-1] redmine: multiple issues
Arch Linux Security Advisory ASA-202105-1 ========================================= Severity: Critical Date : 2021-05-19 CVE-ID : CVE-2021-29274 CVE-2021-30163 CVE-2021-30164 CVE-2021-31863 CVE-2021-31864 CVE-2021-31865 CVE-2021-31866 Package : redmine Type : multiple issues Remote : Yes Link : Summary ======= The package redmine before version 4.2.1-1 is vulnerable to multiple issues including arbitrary filesystem access, access restriction bypass, cross-site scripting, arbitrary file upload and information disclosure. Resolution ========== Upgrade to 4.2.1-1. # pacman -Syu "redmine>=4.2.1-1" The problems have been fixed upstream in version 4.2.1. Workaround ========== None. Description =========== - CVE-2021-29274 (cross-site scripting) Redmine 4.1.x before 4.1.2 allows cross-site scripting (XSS) because an issue's subject is mishandled in the auto complete tip. - CVE-2021-30163 (information disclosure) Redmine before 4.1.2 allows attackers to discover the names of private projects if issue-journal details exist that have changes to project_id values. - CVE-2021-30164 (access restriction bypass) Redmine before 4.1.2 allows attackers to bypass the add_issue_notes permission requirement by leveraging the Issues API. - CVE-2021-31863 (arbitrary filesystem access) Insufficient input validation in the Git repository integration of Redmine before 4.2.1 allows Redmine users to read arbitrary local files accessible by the application server process. - CVE-2021-31864 (access restriction bypass) Redmine before 4.2.1 allows attackers to bypass the add_issue_notes permission requirement by leveraging the incoming mail handler. - CVE-2021-31865 (arbitrary file upload) Redmine before 4.2.1 allows users to circumvent the allowed filename extensions of uploaded attachments. - CVE-2021-31866 (information disclosure) Redmine before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController. Impact ====== A remote attacker could disclose private information, perform actions without having the required permissions, or execute arbitrary JavaScript code by leveraging cross-site scripting. References ==========