[Mageia-dev] Freeze push: redmine 1.3.2

Thomas Backlund tmb at mageia.org
Mon Apr 9 20:13:15 CEST 2012


09.04.2012 13:53, Funda Wang wrote:
> ping?
> 
> On Monday, April 9, 2012, Funda Wang <fundawang at gmail.com
> <mailto:fundawang at gmail.com>> wrote:
>> ping?
>>
>> 2012/4/8 Funda Wang <fundawang at gmail.com <mailto:fundawang at gmail.com>>:
>>> Hello,
>>>
>>> Could somebody push redmine 1.3.2 into cauldron?
>>>
>>> Redmine before 1.3.2 does not properly restrict the use of a hash to
>>> provide values for a model's attributes, which allows remote attackers
>>> to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
>>> (4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
>>> Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
>>> modified URL, related to a "mass assignment" vulnerability, a
>>> different vulnerability than CVE-2012-0327.
>>>
>>> Thanks.
>>

Pushed.

--
Thomas
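
The "mass assignment" problem named in the quoted advisory text, shown as an added example that is not part of the original thread and is not Redmine code. The `Note` class, its attributes and the request parameters are hypothetical; the block contrasts assigning every attribute found in a request hash with assigning only an allow-listed subset.

```ruby
# Added illustration; Note, its attributes and the params hash are
# hypothetical and are not taken from Redmine.
class Note
  ATTRS = %i[body author_id locked].freeze
  attr_accessor(*ATTRS)

  # Attributes a request may set; everything else is server-controlled.
  ASSIGNABLE = %i[body].freeze

  def initialize(author_id:)
    @author_id = author_id
    @locked = false
  end

  # Unrestricted form: every known attribute named in the request hash
  # is written, including ones the user should never control.
  def assign_unrestricted(params)
    params.each { |key, value| public_send("#{key}=", value) if ATTRS.include?(key.to_sym) }
    self
  end

  # Restricted form: only allow-listed keys are applied; the rest are
  # returned so the caller can log or reject the request.
  def assign_restricted(params)
    rejected = []
    params.each do |key, value|
      if ASSIGNABLE.include?(key.to_sym)
        public_send("#{key}=", value)
      else
        rejected << key.to_s
      end
    end
    rejected
  end
end

# Constructed request parameters, shaped as a framework would parse them
# from a form body or query string (string keys, string values).
def sample_params
  { "body" => "updated text", "author_id" => "1", "locked" => "true" }
end

def demo
  open_note = Note.new(author_id: 42).assign_unrestricted(sample_params)
  safe_note = Note.new(author_id: 42)
  rejected = safe_note.assign_restricted(sample_params)
  { unrestricted_author: open_note.author_id, restricted_author: safe_note.author_id,
    restricted_body: safe_note.body, rejected: rejected }
end
```

The list returned by `assign_restricted` is a natural place to hook logging: a request that names server-controlled attributes is worth recording even when it is ignored.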


