Redmine

https://www.redmine.org/projects/redmine/repository/entry/trunk/Gemfile

ruby '>= 2.3.0', '< 2.7.0'
gem 'bundler', '>= 1.12.0'

gem 'rails', '5.2.4.2'

At least rails 5.2.4.3 is required! Ruby 2.7 would be helpful, too.

I don't think that the current Redmine version is really vulnerable to CVE-2020-8165 because there's no such code (unless you have plugins or modifications), see https://groups.google.com/g/rubyonrails-security/c/bv6fW4S0Y1c

but I'm not so sure for instance about this https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw

note that those vulnerablities were disclosed and fixes are available for 6 months. The fix is 1 line of code. It's sad that there's no reaction from Redmine's team for such a long time :-(

It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.

Daniel Müller wrote:

It would be helpful to process security fixes in all current branches like version 4.1.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.1-stable/Gemfile) and 4.0.x (https://www.redmine.org/projects/redmine/repository/raw/branches/4.0-stable/Gemfile) not only in trunk.

The stable branches will be updated for sure in the following days.

This security issue is rated as "critical" (9.8).

When will we see a new Redmnine release to address this issue?

Note: There are tools out there that check for CVE-2020-8165. Expect more user comments in the near future.

Just wondering - will this security issue be fixed anytime soon?

Michael Gerz wrote:

Just wondering - will this security issue be fixed anytime soon?

Yes, I’m confident that new maintainance releases will be made until end of the year.

Marius BALTEANU wrote:

Michael Gerz wrote:

Just wondering - will this security issue be fixed anytime soon?

Yes, I’m confident that new maintainance releases will be made until end of the year.

Well... then they will be made until the end of 2021. (Anyway... Happy new year!)

Should we change the Target-Version?
Is 4.0.8 still a real candidate for a release?

Markus Boremski wrote:

Should we change the Target-Version?
Is 4.0.8 still a real candidate for a release?

Well.. the question is: will we see any maintenance release anytime soon?

I far as I can see, there has been only one developer actively committing changes to the source repository in the past 2 1/2 months.

Looks like Redmine is dying slowly.