Defect #29476

Updated by Marius BALTEANU about 1 year ago


Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.
#24970 http://www.redmine.org/issues/24970

Please also implement the same fix for 3.4-stable.

In the GitHub repository, a vulnerability warning is being shown:
<pre>
CVE-2017-17718
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0
</pre>
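As an added example (not part of this issue and not Redmine's own code), the following plain-Ruby script performs the check a maintainer would want before and after applying the suggested Gemfile change: it parses the resolved `specs:` section of a Gemfile.lock and reports any net-ldap pin below 0.16.0, the first release that validates the server's SSL certificate (CVE-2017-17718). The lockfile fragment is constructed to mirror the 3.4-stable pin described above; the function names and the `~> 0.16.0` fix line are assumptions taken from the issue text, not from Redmine's build tooling.

```ruby
require "rubygems" # provides Gem::Version; part of the standard Ruby distribution

# Minimum net-ldap version that validates the server's TLS certificate
# (the version the issue recommends; the fix for CVE-2017-17718).
NET_LDAP_MIN_VERSION = Gem::Version.new("0.16.0")

# Constructed sample Gemfile.lock fragment mirroring the 3.4-stable pin
# described in the issue. It is not copied from Redmine's real lockfile.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      net-ldap (0.12.0)
      rails (4.2.11)
      rake (12.3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    net-ldap (~> 0.12.0)
    rails (~> 4.2.11)
LOCK

# Parse the "specs:" section of a Gemfile.lock into { gem_name => Gem::Version }.
# Only resolved spec lines ("    name (x.y.z)") are read; the DEPENDENCIES
# section carries constraints rather than resolved versions and is skipped.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A blank line or a non-indented heading (PLATFORMS, DEPENDENCIES) ends the section.
    in_specs = false if line.strip.empty? || line !~ /\A\s/
    next unless in_specs
    # Exactly four spaces of indent marks a resolved gem; deeper indents are its dependencies.
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux", which Gem::Version does not accept.
      specs[m[1]] = Gem::Version.new(m[2].split("-", 2).first)
    end
  end
  specs
end

# Return findings for gems resolved below their required minimum version.
# `requirements` maps gem name => minimum safe Gem::Version.
def vulnerable_pins(specs, requirements)
  requirements.each_with_object([]) do |(name, min), findings|
    installed = specs[name]
    next if installed.nil?   # gem not in the lockfile: nothing to report
    next if installed >= min # already at or above the fixed release
    findings << { gem: name, installed: installed.to_s, required: ">= #{min}" }
  end
end

# Gemfile line implementing the constraint suggested in the issue.
def gemfile_fix_line(name, min)
  %(gem "#{name}", "~> #{min}")
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  findings = vulnerable_pins(parse_lockfile_specs(text), { "net-ldap" => NET_LDAP_MIN_VERSION })
  if findings.empty?
    puts "net-ldap pin is at or above #{NET_LDAP_MIN_VERSION}"
  else
    findings.each do |f|
      puts "#{f[:gem]} #{f[:installed]} is below #{f[:required]} (CVE-2017-17718); " \
           "update Gemfile: #{gemfile_fix_line(f[:gem], NET_LDAP_MIN_VERSION)}"
    end
  end
end
```

Run it with no arguments to check the constructed sample, or pass the path to a real Gemfile.lock (`ruby check_net_ldap.rb Gemfile.lock`). Comparing the resolved version from the lockfile rather than the `~>` constraint in the Gemfile is deliberate: the lockfile is what `bundle install` actually deploys, so it is the value to verify after the fix is backported.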
