[Mageia-dev] Freeze push: redmine 1.3.2

Funda Wang fundawang at gmail.com
Sun Apr 8 08:38:41 CEST 2012


Could somebody push redmine 1.3.2 into cauldron?

Redmine before 1.3.2 does not properly restrict the use of a hash to
provide values for a model's attributes, which allows remote attackers
to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
(4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
modified URL, related to a "mass assignment" vulnerability, a
different vulnerability than CVE-2012-0327.
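
The mass-assignment pattern the advisory text describes, as an added example that is not part of the original message and is not Redmine code: a Rails-free Ruby model contrasting unrestricted attribute assignment with an allowlist. The `Comment` attribute names and the request hash are constructed assumptions.

```ruby
# Constructed, Rails-free model of mass assignment; not Redmine code.
# Attribute names (comments, author_id, commented_id) are assumptions.
class Comment
  ATTRIBUTES = %w[comments author_id commented_id].freeze
  # Only fields a form submitter may legitimately set.
  SAFE_ATTRIBUTES = %w[comments].freeze
  attr_accessor(*ATTRIBUTES)

  def initialize(author_id:, commented_id:)
    @author_id, @commented_id = author_id, commented_id
  end

  # Unrestricted pattern: every key in the request hash that names an
  # attribute is written, so the client chooses which fields change.
  def assign_unrestricted(params)
    params.each do |key, value|
      public_send("#{key}=", value) if ATTRIBUTES.include?(key.to_s)
    end
    self
  end

  # Restricted pattern: keys are normalized to strings, then filtered
  # through the allowlist. Rejected keys are returned for logging.
  def assign_safe(params)
    rejected = []
    params.each do |key, value|
      name = key.to_s
      if SAFE_ATTRIBUTES.include?(name)
        public_send("#{name}=", value)
      else
        rejected << name
      end
    end
    rejected
  end
end

# Constructed request parameters: a comment body plus keys the form never offered.
REQUEST_PARAMS = { "comments" => "Looks good", "author_id" => 1, :commented_id => 99 }.freeze

def demo
  open_model = Comment.new(author_id: 42, commented_id: 7).assign_unrestricted(REQUEST_PARAMS)
  safe_model = Comment.new(author_id: 42, commented_id: 7)
  rejected = safe_model.assign_safe(REQUEST_PARAMS)
  { open_author: open_model.author_id, safe_author: safe_model.author_id,
    safe_body: safe_model.comments, rejected: rejected }
end

p demo
```

The rejected-key list is worth logging server-side: unexpected attribute names in a form submission are a useful signal of tampering.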

