Package: redmine Version: 6.0.5+ds-1 Severity: grave Tags: security upstream Justification: user security hole
It is well known that the Redmine PDF creation for issues is broken and is used regularly to run DoS attacks against public Redmine instances. https://www.redmine.org/issues/3661 Just take a redmine tracker, append .pdf to the end of the issues and when some of the issue doesn't immediately return a PDF, just run wget/curl a couple of dozen times more against this URL. The server is then gone (consuming resources and will cost you an arm+leg on a cloud provider) and the apache/nginx proxy will just return a service outage error ("504 gateway timed out"). People work around this by disabling PDF extensions in Apache: RewriteEngine On # Return HTTP 403 for any URL ending in .pdf - simply because Redmine will hang forever and endlessly consume resources for the issue PDF creation RewriteRule \.pdf$ - [F,L,NC] But it is a DoS-able bug in Redmine which either must be fixed or it must be disabled by default. _______________________________________________ Pkg-ruby-extras-maintainers mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
