Defect #29476

Updated by Marius BĂLTEANU over 5 years ago


Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.
#24970 http://www.redmine.org/issues/24970

Please also implement the same fix for 3.4-stable.

In the GitHub repository, warnings about vulnerabilities are being shown.
<pre>
CVE-2017-17718
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0
</pre>
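As an added example (not code from this issue or from the Redmine project), the following Ruby script does the check a maintainer would want around a pin like this one: it parses the resolved versions out of a Gemfile.lock, flags any gem whose version falls in the affected range quoted above (net-ldap below 0.16.0, CVE-2017-17718), and tests whether a given Gemfile constraint could still let Bundler resolve to an affected release. The lock file contents and the list of release numbers embedded below are constructed for the example, and the advisory table is limited to the one CVE named in the report.

```ruby
# Added example: audit a Gemfile.lock against a small advisory table.
# Not Redmine code; the lock file text and release list are constructed.
require "rubygems"

# Constructed Gemfile.lock excerpt mirroring the report: net-ldap pinned at 0.12.0.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_mime (1.0.1)
      net-ldap (0.12.0)
      rails (4.2.11)
      rake (12.3.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    net-ldap (~> 0.12.0)
    rails (~> 4.2.8)
LOCK

# Affected range per gem, taken from the advisory text quoted in the report.
ADVISORIES = {
  "net-ldap" => {
    cve: "CVE-2017-17718",
    affected: Gem::Requirement.new("< 0.16.0"),
    fixed: "0.16.0",
  },
}.freeze

# Constructed, illustrative subset of net-ldap release numbers used to test
# what a Gemfile constraint could resolve to.
RELEASES = %w[0.11 0.12.0 0.12.1 0.14.0 0.15.0 0.16.0 0.16.1].freeze

# Parse the "specs:" block(s) of a Gemfile.lock into { name => resolved version }.
# Only lines indented exactly four spaces are resolved gems; deeper lines are
# their dependencies and carry constraints rather than versions.
def parse_lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # A blank line or a new top-level section ends the specs block.
    if in_specs && (line.strip.empty? || !line.start_with?(" "))
      in_specs = false
      next
    end
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Return one finding per resolved gem whose version is inside an affected range.
def vulnerable_gems(lock_text, advisories = ADVISORIES)
  parse_lock_specs(lock_text).each_with_object([]) do |(name, version), out|
    adv = advisories[name]
    next unless adv && adv[:affected].satisfied_by?(Gem::Version.new(version))
    out << { gem: name, version: version, cve: adv[:cve], fix: "~> #{adv[:fixed]}" }
  end
end

# Could a Gemfile constraint such as ">= 0.12.0" still let Bundler pick an
# affected release? True if any known release both satisfies the constraint
# and falls in the advisory's affected range.
def constraint_admits_vulnerable?(requirement_string, advisory, releases = RELEASES)
  req = Gem::Requirement.new(requirement_string)
  releases.map { |v| Gem::Version.new(v) }.any? do |v|
    req.satisfied_by?(v) && advisory[:affected].satisfied_by?(v)
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_LOCK).each do |f|
    puts "#{f[:gem]} #{f[:version]} is affected by #{f[:cve]}; pin #{f[:fix]}"
  end
  %w[~>\ 0.12.0 >=\ 0.12.0 ~>\ 0.16.0].each do |c|
    verdict = constraint_admits_vulnerable?(c, ADVISORIES["net-ldap"]) ? "can" : "cannot"
    puts "constraint '#{c}' #{verdict} resolve to an affected release"
  end
end
```

The second check is the one that matters when reviewing the Gemfile change itself: loosening the pin to ">= 0.12.0" would make the warning go away in a naive diff review but still allows an affected release, whereas "~> 0.16.0" excludes the whole affected range.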
