redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem
There are some leak CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 in the redmine2.3 envirment, who can help to resolv the problem, thanks
RE: redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem - Added by lin qiang almost 2 years ago
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue.
RE: redmine2.3 CVE-2014-0160 CVE-2015-2808 CVE-2014-3566 problem - Added by Hinako Tajima almost 2 years ago
These three vulnerabilities are related to Open SSL which does not bring a direct effection on Redmine.
This vulnerabilities' problems will not be able to resolve by Redmine, it needs to be different approach such as OS update.
Now that Redmine 2.3 is a far old version which released 6 years ago. For now, you will find a reliable amount of security vulnerabilities have been fixed since Redmine 2.3 to 4.0, I recommend you to update Redmine as well as OS environment.