Defect #29476: Update net-ldap to 0.16.0
Status: Closed
Description
Redmine 3.4-stable specifies net-ldap 0.12.0 in its Gemfile.
There is a known vulnerability (CVE-2017-17718), and an update to 0.16.0 is recommended.
Redmine trunk has already been updated to 0.16.0 (#24970).
Please implement the same fix for 3.4-stable as well.
GitHub's repository shows a vulnerability warning for it:
CVE-2017-17718 The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation. Gemfile update suggested: net-ldap ~> 0.16.0
Updated by Yuuki NARA about 6 years ago
GitHub vulnerability warning screen.
Updated by Marius BĂLTEANU about 6 years ago
- Related to Defect #24970: Net::LDAP::LdapError is deprecated added
Updated by Holger Just about 6 years ago
- Related to Patch #29606: Support self-signed LDAPS connections added
Updated by Go MAEDA about 6 years ago
- Category set to Gems support
According to #29606, net-ldap 0.16.0 rejects self-signed certificates by default. It may affect some on-premise installations if we upgrade net-ldap without implementing #29606.
However, in my opinion, the patch #29606 should not be merged into 3.4-stable/3.3-stable branches because it has a database migration.
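The self-signed case described in the note above can be handled without giving up certificate validation: pin the server's own certificate as the trust anchor rather than setting VERIFY_NONE. The following is an added example, not Redmine's or net-ldap's own code. It assumes net-ldap's `encryption: { method: :simple_tls, tls_options: {...} }` form, where tls_options are passed on to OpenSSL::SSL::SSLContext#set_params; the host name, the certificates and the store-based check are constructed inline so the example runs offline.

```ruby
# Added example, not Redmine or net-ldap code: keep certificate validation on
# for an LDAPS server with a self-signed certificate by pinning that
# certificate as the trust anchor, instead of setting VERIFY_NONE.
require 'openssl'

# Constructed test data: a throw-away self-signed certificate that stands in
# for the one an on-premise LDAPS server would present.
def build_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject          # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# tls_options hash that net-ldap hands to OpenSSL::SSL::SSLContext#set_params
# (assumed API: encryption: { method: :simple_tls, tls_options: {...} }).
# Verification stays at VERIFY_PEER; only the trust store changes.
def tls_options_pinning(pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(pem))
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, cert_store: store }
end

# What the pre-0.16.0 behaviour amounted to (CVE-2017-17718): never ship this.
INSECURE_TLS_OPTIONS = { verify_mode: OpenSSL::SSL::VERIFY_NONE }.freeze

# Offline stand-in for the handshake's verify step: does `cert` pass under
# these options? Returns true/false as OpenSSL's verification would.
def accepted?(tls_options, cert)
  return true if tls_options[:verify_mode] == OpenSSL::SSL::VERIFY_NONE
  tls_options[:cert_store].verify(cert)
end

# Where the options go in a net-ldap connection (assumed structure).
def ldap_config(host, tls_options)
  { host: host, port: 636,
    encryption: { method: :simple_tls, tls_options: tls_options } }
end

HOST          = 'ldap.example.internal'        # hypothetical host name
SERVER_CERT   = build_self_signed_cert(HOST)    # the cert we decided to trust
IMPOSTOR_CERT = build_self_signed_cert(HOST)    # same name, different key
PINNED        = tls_options_pinning(SERVER_CERT.to_pem)

if __FILE__ == $PROGRAM_NAME
  puts accepted?(PINNED, SERVER_CERT)                 # true: pinned anchor
  puts accepted?(PINNED, IMPOSTOR_CERT)               # false: rejected
  puts accepted?(INSECURE_TLS_OPTIONS, IMPOSTOR_CERT) # true: the exposure VERIFY_NONE re-creates
  p ldap_config(HOST, PINNED)[:encryption][:method]   # :simple_tls
end
```

With this, a certificate that carries the same name but a different key is still refused, which is the property VERIFY_NONE throws away. `ca_file:` pointing at the server's PEM is an equivalent option for the trust store, and `verify_hostname: true` should accompany `verify_mode` so the pinned certificate is also checked against the host being contacted.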
Updated by Go MAEDA almost 6 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
I think we should not update the gem in the 3.4-stable branch because of the compatibility problem I described in #29476#note-5. In the worst case, users cannot log in after upgrading.
I recommend upgrading to Redmine 4.0.0 if the vulnerability matters.