Package: redmine
Version: 3.3.1-4+deb9u1

Dear Maintainers,

on Thu, 12 Apr 2018 11:33:06 -0300 Debian published a security update for Redmine in version 3.3.1. This security update includes patch CVE-2017-15569.

https://sources.debian.org/patches/redmine/3.3.1-4+deb9u1/CVE-2017-15569.patch/

I write to report a bug with this patch. Custom fields with multiple values will not be put to a table correctly.

The way I found out was:
Create a tracker that utilizes a custom field of type list or user and has multiple values allowed.
Create an issue that has more than one value in that custom field, e.g. two users.

If I then do a query on my project, I get an HTTP error 500 response and see the following in my logs:

------------------------------------------>8----------------------------------------------------------------------
Completed 500 Internal Server Error in 442ms (ActiveRecord: 84.3ms)

ActionView::Template::Error (undefined local variable or method `item' for #<#<Class:0x00563c5e6eae88>:0x007f128233ed70>):
    28: <% end %>
    29: <tr id="issue-<%= issue.id %>" class="hascontextmenu <%= cycle('odd', 'even') %> <%= issue.css_classes %> <%= level > 0 ? "idnt idnt-#{level}" : nil %>">
    30: <td class="checkbox hide-when-print"><%= check_box_tag("ids[]", issue.id, false, :id => nil) %></td>
    31: <% query.inline_columns.each do |column| %>
    32: <%= content_tag('td', column_content(column, issue), :class => column.css_classes) %>
    33: <% end %>
    34: </tr>
  app/helpers/queries_helper.rb:132:in `block in column_content'
  app/helpers/queries_helper.rb:132:in `collect'
------------------------------------------8<----------------------------------------------------------------------

Changing the word "item" to "issue" resolves this problem.

I'm using Debian 4.9.88-1 (2018-04-29) x86_64 GNU/Linux with kernel 4.9.0-6-amd64 and libc6 2.24-11+deb9u3.

Please contact us if you have any further questions or would like to have more information.

Kind regards
Frank Hebold

--
Frank Hebold
Apprentice IT specialist (IHK)

HiperScan GmbH
Weißeritzstr. 3
01067 Dresden
Germany

phone +49 351 212 496 20
fax +49 351 212 496 99
mailto: [email protected]
www.hiperscan.com
www.apo-ident.de

HiperScan GmbH, Dresden
commercial register number HRB 24683
local court Dresden
CEOs: Dr. Alexander Wolter, Michael Thoma

