Project

General

Profile

Actions

Defect #29476

closed

Update net-ldap to 0.16.0

Added by Yuuki NARA over 6 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Gems support
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:

Description

Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.
#24970

Please also implement the same fix for 3.4-stable.

In Github's repository, vulnerabilities are being warned.

CVE-2017-17718
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0


Files

github-netldap-warning.png (157 KB) github-netldap-warning.png Yuuki NARA, 2018-09-02 12:10

Related issues

Related to Redmine - Defect #24970: Net::LDAP::LdapError is deprecatedClosedJean-Philippe Lang

Actions
Related to Redmine - Patch #29606: Support self-signed LDAPS connectionsClosedJean-Philippe Lang

Actions
Actions #1

Updated by Yuuki NARA over 6 years ago

Github vulnerability warning secreen.

Actions #2

Updated by Marius BĂLTEANU over 6 years ago

  • Description updated (diff)
Actions #3

Updated by Marius BĂLTEANU over 6 years ago

  • Related to Defect #24970: Net::LDAP::LdapError is deprecated added
Actions #4

Updated by Holger Just over 6 years ago

  • Related to Patch #29606: Support self-signed LDAPS connections added
Actions #5

Updated by Go MAEDA over 6 years ago

  • Category set to Gems support

According to #29606, net-ldap 0.16.0 rejects self-signed certificates by default. It may affect some on-premise installations if we upgrade net-ldap without implementing #29606.

However, in my opinion, the patch #29606 should not be merged into 3.4-stable/3.3-stable branches because it has a database migration.

Actions #6

Updated by Go MAEDA about 6 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

I think we should not update the gem in 3.4-stable branch because there is a compatibility problem I wrote in #29476#note-5. In the worst case, users cannot log in after upgrading.

I recommend upgrading to Redmine 4.0.0 if the vulnerability matters.

Actions

Also available in: Atom PDF