AFAICT, this bug is fixed since version 3.2.0-1 although not mentioned in the changelog. The reason I replied to these bugs is that in the Package Tracker (https://security-tracker.debian.org/tracker/source-package/redmine ) version 3.2.0-2 of redmine is still marked as vulnerable.
Regards, Jörg-Volker.
