Defect #29476

Updated by Marius BALTEANU over 3 years ago

Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.

Please also implement the same fix for 3.4-stable.

In Github's repository, vulnerabilities are being warned.
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0