Package: redmine / 3.3.1-4+deb9u3

Metadata

Package Version Patches format
redmine 3.3.1-4+deb9u3 3.0 (quilt)

Patch series

Patch File delta Description
CVE 2017 18026 part 2.patch

lib/redmine/scm/adapters/mercurial_adapter.rb | 33 17 + 16 - 0 !
1 file changed, 17 insertions(+), 16 deletions(-)

[patch] mercurial: work around faulty parsing of early command options (#27516)

Use -sVALUE and --long=VALUE instead of "-s VALUE" and "--long VALUE"
respectively.

Contributed by Yuya Nishihara.

git-svn-id: http://svn.redmine.org/redmine/trunk@17062 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 18026 part 1.patch

lib/redmine/scm/adapters/mercurial_adapter.rb | 15 15 + 0 - 0 !
test/unit/lib/redmine/scm/adapters/mercurial_adapter_test.rb | 19 19 + 0 - 0 !
2 files changed, 34 insertions(+)

[patch] mercurial: reject malicious command argument (#27516)

We've got a security report from the Phabricator team, which basically says
--config and --debugger arguments can be injected anywhere to lead to an
arbitrary command execution.

https://secure.phabricator.com/rPa7921a4448093d00defa8bd18f35b8c8f8bf3314

This is a fundamental issue of the argument parsing rules in Mercurial, which
allows extensions to populate their parsing rules, and such extensions can be
loaded by "--config extensions.<name>=". There's a chicken-and-egg problem.
We're working on hardening the parsing rules, but that won't come in by
default as it would be a behavior change.

This patch adds a verification to reject malicious command arguments as a
last ditch. The subsequent patches will fix the problem in a more appropriate
way.

Contributed by Yuya Nishihara.

git-svn-id: http://svn.redmine.org/redmine/trunk@17060 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 16804.patch

app/models/mailer.rb | 5 4 + 1 - 0 !
test/unit/mailer_test.rb | 19 19 + 0 - 0 !
2 files changed, 23 insertions(+), 1 deletion(-)

[patch] send reminders about visible issues only (#25713).

Patch by Felix Schäfer.

git-svn-id: http://svn.redmine.org/redmine/trunk@16557 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15577.patch

app/helpers/application_helper.rb | 2 1 + 1 - 0 !
test/fixtures/wikis.yml | 5 5 + 0 - 0 !
test/unit/helpers/application_helper_test.rb | 4 4 + 0 - 0 !
3 files changed, 10 insertions(+), 1 deletion(-)

[patch] merged r16283 (#23793).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16300 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15576.patch

app/models/time_entry.rb | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

[patch] merged r16284 (#23803).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16302 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15575.patch

extra/svn/Redmine.pm | 5 4 + 1 - 0 !
test/extra/redmine_pm/repository_subversion_test_pm.rb | 25 24 + 1 - 0 !
2 files changed, 28 insertions(+), 2 deletions(-)

[patch] merged r16286 (#24307).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16296 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15574.patch

app/controllers/attachments_controller.rb | 2 1 + 1 - 0 !
app/controllers/repositories_controller.rb | 2 1 + 1 - 0 !
2 files changed, 2 insertions(+), 2 deletions(-)

[patch] merged r16285 (#24199).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16294 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15573.patch

lib/redcloth3.rb | 14 11 + 3 - 0 !
lib/redmine/syntax_highlighting.rb | 16 16 + 0 - 0 !
lib/redmine/wiki_formatting/markdown/formatter.rb | 2 1 + 1 - 0 !
lib/redmine/wiki_formatting/textile/formatter.rb | 10 8 + 2 - 0 !
public/stylesheets/application.css | 2 1 + 1 - 0 !
test/unit/helpers/application_helper_test.rb | 13 7 + 6 - 0 !
test/unit/lib/redmine/wiki_formatting/markdown_formatter_test.rb | 9 9 + 0 - 0 !
test/unit/lib/redmine/wiki_formatting/textile_formatter_test.rb | 54 51 + 3 - 0 !
8 files changed, 104 insertions(+), 16 deletions(-)

[patch] merged r16500 to r16503 (#25503).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16523 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15572.patch

app/controllers/account_controller.rb | 12 10 + 2 - 0 !
test/functional/account_controller_test.rb | 13 12 + 1 - 0 !
test/integration/account_test.rb | 3 3 + 0 - 0 !
3 files changed, 25 insertions(+), 3 deletions(-)

[patch] merged r16287 to r16289 (#24416).

git-svn-id: http://svn.redmine.org/redmine/branches/3.3-stable@16298 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15571.patch

app/views/issues/_list.html.erb | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

[patch] don't use raw output (#27186).

git-svn-id: http://svn.redmine.org/redmine/trunk@16971 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15570.patch

app/views/timelog/_list.html.erb | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

[patch] don't use raw output in timelog (#27186).

git-svn-id: http://svn.redmine.org/redmine/trunk@16983 e93f8b46-1217-0410-a6f0-8f06a7374b81

CVE 2017 15569.patch

app/helpers/queries_helper.rb | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

[patch] ensure that values of multi-value fields are html-escaped in issue list (#27186).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@16984 e93f8b46-1217-0410-a6f0-8f06a7374b81
[Salvatore Bonaccorso <carnil@debian.org>: Rename 'item' back to 'issue',
  as the change was introduced upstream in 3.4.0 via
  https://github.com/redmine/redmine/commit/2bcbb305464d8cc7a3f0df08312accb3b37c8042
]

CVE 2017 15568.patch

app/helpers/application_helper.rb | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

[patch] ensure that values of multi-value fields are html-escaped in issue history (#27186).

Patch by Holger Just.

git-svn-id: http://svn.redmine.org/redmine/trunk@16985 e93f8b46-1217-0410-a6f0-8f06a7374b81

0001 Gemfile relax some dependencies.patch

Gemfile | 31 8 + 23 - 0 !
1 file changed, 8 insertions(+), 23 deletions(-)

gemfile: relax some dependencies


0002 Force table encoding in mysql.patch

config/initializers/10-patches.rb | 15 15 + 0 - 0 !
1 file changed, 15 insertions(+)

force table encoding in mysql

mysql default encoding is not UTF8, but forcing table encoding is
possible. dbconfig-common does not provide appropriate configuration
variable, so here the mysql adapter is modified to respect encoding set

0003 Use production environment by default.patch

config/boot.rb | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

use production environment by default

This patch is Debian-specific

0004 Add multi tenancy support.patch

.gitignore | 1 1 + 0 - 0 !
Gemfile | 11 7 + 4 - 0 !
app/models/attachment.rb | 4 2 + 2 - 0 !
bin/redmine-instances | 289 289 + 0 - 0 !
config/application.rb | 1 1 + 0 - 0 !
config/multitenancy_environment.rb | 42 42 + 0 - 0 !
lib/plugins/open_id_authentication/lib/open_id_authentication.rb | 2 1 + 1 - 0 !
lib/redmine/configuration.rb | 4 2 + 2 - 0 !
lib/redmine/export/pdf.rb | 2 1 + 1 - 0 !
lib/redmine/multi_tenancy.rb | 43 43 + 0 - 0 !
lib/redmine/plugin.rb | 2 1 + 1 - 0 !
lib/redmine/scm/adapters/abstract_adapter.rb | 2 1 + 1 - 0 !
lib/tasks/initializers.rake | 2 1 + 1 - 0 !
13 files changed, 392 insertions(+), 13 deletions(-)

add multi-tenancy support

This is an improved version of the combination of a few patches that
were carried in the Redmine package for Debian GNU/Linux for a few
years.

Documentation is provided as a man page produced by
`./bin/redmine-instances help`

Signed-off-by: Antonio Terceiro <terceiro@debian.org>
Signed-off-by: Jérémy Lal <kapouer@melix.org>
Signed-off-by: Ondřej Surý <ondrej@sury.org>

0005 Assume default instance.patch

lib/redmine/multi_tenancy.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

assume default instance


0006 Bulk edit show fields required after status tracker .patch

app/controllers/issues_controller.rb | 25 21 + 4 - 0 !
app/views/issues/bulk_edit.html.erb | 6 4 + 2 - 0 !
2 files changed, 25 insertions(+), 6 deletions(-)

bulk edit: show fields required after status/tracker change

Backported-by: Thomas Klose <thomas.klose@hiperscan.com>
Debian-Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852694
Original: http://www.redmine.org/projects/redmine/repository/revisions/15815

This patch must be dropped when upgrading Redmine to version 3.4+.

0020 Fix CVE 2019 17427.patch

lib/redcloth3.rb | 8 7 + 1 - 0 !
1 file changed, 7 insertions(+), 1 deletion(-)

fix cve-2019-17427

Fix a persistent XSS that exists due to textile formatting errors.

Cherry-pick upstream commit: 899fc2e0cd2bcb4f5f9333b612b160bb9c6e803b

0021 Fix CVE 2019 18890.patch

app/models/query.rb | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

fix cve-2019-18890

Fix SQL injection vulnerability. The following is a quote from upstream:

It turns out that this bug could be used for a full-blown arbitrary SQL
injection which can e.g. be used to read any issue, time entry, or other
query-accessible data in a Redmine account, as long as the attacker can
access any project with a visible-to-them subproject.

Reported by: Holger Just <redmine@meine-er.de>