[Mageia-dev] Freeze push: redmine 1.3.2

Funda Wang fundawang at gmail.com
Mon Apr 9 06:27:03 CEST 2012


ping?

2012/4/8 Funda Wang <fundawang at gmail.com>:
> Hello,
>
> Could somebody push redmine 1.3.2 into cauldron?
>
> Redmine before 1.3.2 does not properly restrict the use of a hash to
> provide values for a model's attributes, which allows remote attackers
> to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
> (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
> Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
> modified URL, related to a "mass assignment" vulnerability, a
> different vulnerability than CVE-2012-0327.
>
> Thanks.
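
The mass-assignment pattern the quoted advisory describes, reduced to plain Ruby as an added example (it is not Redmine's code and not part of the original message). `DemoComment`, its fields, the helper names and the query string are all constructed for illustration.

```ruby
require 'uri'

# Constructed stand-in for a model; the fields are hypothetical, not Redmine's schema.
class DemoComment
  FIELDS = [:body, :author_id, :commented_id].freeze
  SAFE_FIELDS = [:body].freeze # the only field a client is allowed to set
  attr_accessor(*FIELDS)

  def initialize(author_id:, commented_id:)
    @author_id, @commented_id = author_id, commented_id
  end

  # Unrestricted mass assignment: every key in the hash becomes a setter call.
  def assign_unsafe(params)
    params.each { |k, v| public_send("#{k}=", v) if respond_to?("#{k}=") }
    self
  end

  # Allow-list assignment: only SAFE_FIELDS are applied. The names of the
  # dropped keys are returned so the caller can log them.
  def assign_safe(params)
    allowed, rejected = params.partition { |k, _| SAFE_FIELDS.include?(k.to_sym) }
    allowed.each { |k, v| public_send("#{k}=", v) }
    rejected.map { |k, _| k.to_s }
  end
end

# Turn "comment[body]=hi&comment[author_id]=1" into {"body"=>"hi", "author_id"=>"1"}.
def model_params(query, model)
  URI.decode_www_form(query).each_with_object({}) do |(key, value), out|
    m = /\A#{Regexp.escape(model)}\[(\w+)\]\z/.match(key)
    out[m[1]] = value if m
  end
end

# Constructed request: user 7 submits a comment with one extra attribute in the URL.
QUERY = 'comment[body]=looks+good&comment[author_id]=1'

def demo
  params = model_params(QUERY, 'comment')
  unsafe = DemoComment.new(author_id: 7, commented_id: 42).assign_unsafe(params)
  safe = DemoComment.new(author_id: 7, commented_id: 42)
  rejected = safe.assign_safe(params)
  { unsafe_author: unsafe.author_id, safe_author: safe.author_id,
    safe_body: safe.body, rejected: rejected }
end
```

With the unrestricted setter the server-assigned `author_id` is overwritten by the request value; with the allow-list it is kept and the dropped key is available for logging.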

