Update net-ldap to 0.16.0
|Resolution:||Wont fix||Affected version:||3.4.6|
Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.
There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)
Redmine trunk has already been updated to 0.16.0.
Please also implement the same fix for 3.4-stable.
In Github's repository, vulnerabilities are being warned.
CVE-2017-17718 The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. Gemfile update suggested: net-ldap ~> 0.16.0
#5 Updated by Go MAEDA about 3 years ago
- Category set to Gems support
However, in my opinion, the patch #29606 should not be merged into 3.4-stable/3.3-stable branches because it has a database migration.
#6 Updated by Go MAEDA almost 3 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
I think we should not update the gem in 3.4-stable branch because there is a compatibility problem I wrote in #29476#note-5. In the worst case, users cannot log in after upgrading.
I recommend upgrading to Redmine 4.0.0 if the vulnerability matters.