Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=86921
2018-09-02T10:11:49Z
Yuuki NARA
<ul><li><strong>File</strong> <a href="/attachments/21348">github-netldap-warning.png</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/21348/github-netldap-warning.png">github-netldap-warning.png</a> added</li></ul><p>GitHub vulnerability warning screen.<br /><img src="https://www.redmine.org/attachments/download/21348/github-netldap-warning.png" alt="" /></p>

Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=86927
2018-09-02T15:54:58Z
Marius BĂLTEANU
<ul><li><strong>Description</strong> updated (<a title="View differences" href="/journals/86927/diff?detail_id=69233">diff</a>)</li></ul>

Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=86928
2018-09-02T15:55:17Z
Marius BĂLTEANU
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-5 priority-4 priority-default closed" href="/issues/24970">Defect #24970</a>: Net::LDAP::LdapError is deprecated</i> added</li></ul>

Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=87237
2018-09-13T13:58:37Z
Holger Just
<ul><li><strong>Related to</strong> <i><a class="issue tracker-3 status-5 priority-4 priority-default closed" href="/issues/29606">Patch #29606</a>: Support self-signed LDAPS connections</i> added</li></ul>

Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=87253
2018-09-14T05:13:29Z
Go MAEDA
<ul><li><strong>Category</strong> set to <i>Gems support</i></li></ul><p>According to <a class="issue tracker-3 status-5 priority-4 priority-default closed" title="Patch: Support self-signed LDAPS connections (Closed)" href="https://www.redmine.org/issues/29606">#29606</a>, net-ldap 0.16.0 rejects self-signed certificates by default. It may affect some on-premise installations if we upgrade net-ldap without implementing <a class="issue tracker-3 status-5 priority-4 priority-default closed" title="Patch: Support self-signed LDAPS connections (Closed)" href="https://www.redmine.org/issues/29606">#29606</a>.</p>
<p>However, in my opinion, the patch <a class="issue tracker-3 status-5 priority-4 priority-default closed" title="Patch: Support self-signed LDAPS connections (Closed)" href="https://www.redmine.org/issues/29606">#29606</a> should not be merged into 3.4-stable/3.3-stable branches because it has a database migration.</p>

Redmine - Defect #29476: Update net-ldap to 0.16.0
https://www.redmine.org/issues/29476?journal_id=89067
2018-12-18T00:13:37Z
Go MAEDA
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Wont fix</i></li></ul><p>I think we should not update the gem in 3.4-stable branch because there is a compatibility problem I wrote in <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Defect: Update net-ldap to 0.16.0 (Closed)" href="https://www.redmine.org/issues/29476#note-5">#29476#note-5</a>. In the worst case, users cannot log in after upgrading.</p>
<p>I recommend upgrading to Redmine 4.0.0 if the vulnerability matters.</p>