Project

General

Profile

Actions
Copy link

Defect #29476

closed

Update net-ldap to 0.16.0

Added by Yuuki NARA about 6 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Gems support
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Wont fix
Affected version:
3.4.6

Description

Redmine 3.4-stable specifies net-ldap 0.12.0 in Gemfile.

There is a known vulnerability, and an update to 0.16.0 is recommended. (CVE-2017-17718)

Redmine trunk has already been updated to 0.16.0.
#24970

Please also implement the same fix for 3.4-stable.

In Github's repository, vulnerabilities are being warned.

CVE-2017-17718
The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL Certificate Validation.

Gemfile update suggested:
net-ldap ~> 0.16.0

Files

github-netldap-warning.png (157 KB) github-netldap-warning.png Yuuki NARA, 2018-09-02 12:10

Related issues

Related to Redmine - Defect #24970: Net::LDAP::LdapError is deprecatedClosedJean-Philippe Lang

Actions
Related to Redmine - Patch #29606: Support self-signed LDAPS connectionsClosedJean-Philippe Lang

Actions
Actions
Copy link

Also available in: Atom PDF