Defect #29476

Update net-ldap to 0.16.0

Added by Yuuki NARA about 1 year ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Gems support
Target version: -
Resolution: Wont fix
Affected version: 3.4.6
Start date: -
Due date: -
% Done: 0%

Description

Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.
#24970

Please also implement the same fix for 3.4-stable.

In the GitHub repository, a vulnerability warning is being shown.

CVE-2017-17718
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0

github-netldap-warning.png (157 KB) Yuuki NARA, 2018-09-02 12:10


Related issues

Related to Redmine - Defect #24970: Net::LDAP::LdapError is deprecated Closed
Related to Redmine - Patch #29606: Support self-signed LDAPS connections Closed

History

#1 Updated by Yuuki NARA about 1 year ago

GitHub vulnerability warning screen.

#2 Updated by Marius BALTEANU about 1 year ago

  • Description updated (diff)

#3 Updated by Marius BALTEANU about 1 year ago

  • Related to Defect #24970: Net::LDAP::LdapError is deprecated added

#4 Updated by Holger Just about 1 year ago

  • Related to Patch #29606: Support self-signed LDAPS connections added

#5 Updated by Go MAEDA about 1 year ago

  • Category set to Gems support

According to #29606, net-ldap 0.16.0 rejects self-signed certificates by default. It may affect some on-premise installations if we upgrade net-ldap without implementing #29606.

However, in my opinion, the patch #29606 should not be merged into 3.4-stable/3.3-stable branches because it has a database migration.

#6 Updated by Go MAEDA 9 months ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

I think we should not update the gem in the 3.4-stable branch because of the compatibility problem I wrote about in #29476#note-5. In the worst case, users cannot log in after upgrading.

I recommend upgrading to Redmine 4.0.0 if the vulnerability matters.
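The compatibility problem discussed in note 5 and note 6 comes down to certificate chain validation: net-ldap 0.16.0 verifies the LDAPS server certificate against the trust store, so a self-signed certificate that was silently accepted by 0.12.0 is now rejected. The following Ruby is an added illustration, not code from this ticket, from Redmine or from the net-ldap gem. It uses only Ruby's standard openssl library to show why a self-signed certificate fails peer verification with no CA installed, and how trusting the server's own certificate (net-ldap's `ca_file` entry in `tls_options`) makes it pass without falling back to `VERIFY_NONE`. The certificate, host name and CA file path are constructed placeholders.

```ruby
require 'openssl'

# Constructed self-signed certificate, standing in for what an on-premise
# LDAPS server with a self-signed cert would present. Generated in-process;
# nothing here contacts a real server.
def make_self_signed_cert(cn = 'ldap.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,digitalSignature', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# What VERIFY_PEER does: the peer certificate must chain to a certificate in
# the trust store. Returns the verdict plus OpenSSL's reason string, so the
# failure an upgraded Redmine would log is visible here too.
def verify_chain(cert, trusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |ca| store.add_cert(ca) }
  ok = store.verify(cert)
  { ok: ok, reason: store.error_string }
end

# The tls_options hash passed to net-ldap's :encryption option, e.g.
#   Net::LDAP.new(host: 'ldap.example.test', port: 636,
#                 encryption: { method: :simple_tls,
#                               tls_options: ldaps_tls_options('/path/to/ca.pem') })
# Keeps VERIFY_PEER and adds the server's own certificate as the trusted CA
# instead of disabling validation. The path is a placeholder.
def ldaps_tls_options(ca_file)
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, ca_file: ca_file }
end

if __FILE__ == $PROGRAM_NAME
  server_cert = make_self_signed_cert
  puts "no CA installed:     #{verify_chain(server_cert)}"
  puts "server cert trusted: #{verify_chain(server_cert, trusted: [server_cert])}"
  puts "wrong CA trusted:    #{verify_chain(server_cert, trusted: [make_self_signed_cert('other')])}"
  puts ldaps_tls_options('/etc/redmine/ldap-ca.pem').inspect
end
```

The first and third calls reproduce the "cannot log in after upgrading" case from note 6: with no matching CA in the store, verification fails and the LDAP bind never happens. The second call is the fix that keeps validation on, which is what Patch #29606 provides per-auth-source through a database column and is why it was not backported.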
