[DRE-maint] Bug#705533: redmine: html escape? problem in the administration/settings dialog, projects and repositories tab

Wim Bertels wim.bertels at khleuven.be
Tue Apr 16 18:44:37 UTC 2013


On Tue, 2013-04-16 at 11:34 +0200, Jérémy Lal wrote:
> On 16/04/2013 11:19, Wim Bertels wrote:
> > Package: redmine
> > Version: 1.0.1-2
> > Severity: normal
> > Tags: upstream
> > 
> > 
> > Problem occurred after safe-upgrade.
> > 
> > As an administrator for redmine, you can use the web interface for the
> > administration/settings dialog. In this dialog the projects and
> > repositories tabs have a problem with listing checkboxes, rendering
> > them useless; it is impossible to use them, so you cannot choose an SCM
> > or set the default project settings anymore (workaround for the
> > advanced: directly edit the redmine database, settings table).
> 
> Can you downgrade rails security updates from 2.3.5-1.2+squeeze8
> to 2.3.5-1.2+squeeze7, then 2.3.5-1.2+squeeze6, etc. until you
> find at which version it works again?
> 
> There is a good chance the culprit is the latest rails security update,
> since nobody reported that bug before and 2.3.5-1.2+squeeze8 was made
> available this month.

check:
a downgrade of the following packages to squeeze7 (stable has squeeze8)
fixed the problem:
libactionmailer-ruby1.8_2.3.5-1.2+squeeze7_all.deb
libactiverecord-ruby1.8_2.3.5-1.2+squeeze7_all.deb
libactiveresource-ruby_2.3.5-1.2+squeeze7_all.deb
rails_2.3.5-1.2+squeeze7_all.deb
libactionmailer-ruby_2.3.5-1.2+squeeze7_all.deb
libactiverecord-ruby1.9.1_2.3.5-1.2+squeeze7_all.deb
libactivesupport-ruby1.8_2.3.5-1.2+squeeze7_all.deb
rails-doc_2.3.5-1.2+squeeze7_all.deb
libactionpack-ruby1.8_2.3.5-1.2+squeeze7_all.deb
libactiverecord-ruby_2.3.5-1.2+squeeze7_all.deb
libactivesupport-ruby1.9.1_2.3.5-1.2+squeeze7_all.deb
rails-ruby1.8_2.3.5-1.2+squeeze7_all.deb
libactionpack-ruby_2.3.5-1.2+squeeze7_all.deb
libactiveresource-ruby1.8_2.3.5-1.2+squeeze7_all.deb
libactivesupport-ruby_2.3.5-1.2+squeeze7_all.deb

So indeed the problem persists in the upgrade to latest stable packages.

So if you need a quick patch:
# get files
$ wget -r -l1 --no-parent -A.deb http://snapshot.debian.org/archive/debian-security/20130212T211154Z/pool/updates/main/r/rails/
# then cd to dir where deb files just downloaded are
# install files
$ ls *squeeze7* | xargs dpkg -i
# logout of redmine
# restart apache
# everything should be fine now, security?

have to plant some flowers now,
Wim