<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] Freeze push: redmine 1.3.2
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Freeze%20push%3A%20redmine%201.3.2&In-Reply-To=%3CCAOfq2QSwQJ%3DcqAZvxP%3Dm_iTzbVHBkGYYHL%3D3eT5dN7RiN0j5%3DA%40mail.gmail.com%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="014009.html">
   <LINK REL="Next"  HREF="014037.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] Freeze push: redmine 1.3.2</H1>
    <B>Funda Wang</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20Freeze%20push%3A%20redmine%201.3.2&In-Reply-To=%3CCAOfq2QSwQJ%3DcqAZvxP%3Dm_iTzbVHBkGYYHL%3D3eT5dN7RiN0j5%3DA%40mail.gmail.com%3E"
       TITLE="[Mageia-dev] Freeze push: redmine 1.3.2">fundawang at gmail.com
       </A><BR>
    <I>Sun Apr  8 08:38:41 CEST 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="014009.html">[Mageia-dev] Freeze push: drakx-installer-rescue
</A></li>
        <LI>Next message: <A HREF="014037.html">[Mageia-dev] Freeze push: redmine 1.3.2
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#14010">[ date ]</a>
              <a href="thread.html#14010">[ thread ]</a>
              <a href="subject.html#14010">[ subject ]</a>
              <a href="author.html#14010">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>Hello,

Could somebody push redmine 1.3.2 into cauldron?

Redmine before 1.3.2 does not properly restrict the use of a hash to
provide values for a model's attributes, which allows remote attackers
to set attributes in the (1) Comment, (2) Document, (3) IssueCategory,
(4) MembersController, (5) Message, (6) News, (7) TimeEntry, (8)
Version, (9) Wiki, (10) UserPreference, or (11) Board model via a
modified URL, related to a &quot;mass assignment&quot; vulnerability, a
different vulnerability than CVE-2012-0327.

Thanks.
</PRE>

<!--endarticle-->
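<P>The mass-assignment pattern described in the message above, as an added example that is not part of the original post or of Redmine's code: a constructed model is filled from a request hash first without restriction and then through an attribute allow-list. The class name NewsItem, its field names and the sample parameters are assumptions made for illustration.</P>
<PRE>
```ruby
# Constructed stand-in for a model; class and field names are assumptions,
# not Redmine's schema.
class NewsItem
  attr_accessor :title, :description, :author_id, :project_id

  # Attributes a request is allowed to set (an attribute allow-list).
  SAFE_ATTRS = %w[title description].freeze

  # Vulnerable pattern: every key in the request hash is written to the model.
  def unsafe_assign(params)
    params.each { |key, value| public_send("#{key}=", value) }
    self
  end

  # Hardened pattern: only allow-listed keys are written; the names of the
  # other keys are returned so the caller can log them as a tampering signal.
  def safe_assign(params)
    rejected = []
    params.each do |key, value|
      name = key.to_s
      if SAFE_ATTRS.include?(name)
        public_send("#{name}=", value)
      else
        rejected.push(name)
      end
    end
    rejected
  end
end

# Constructed request parameters: the form only offers title and description,
# but the submitted hash carries an extra author_id key.
PARAMS = { "title" => "Release notes", "description" => "1.3.2 is out",
           "author_id" => "1" }.freeze

def demo
  session_user_id = 42 # value the server derives itself (constructed)

  weak = NewsItem.new
  weak.author_id = session_user_id
  weak.unsafe_assign(PARAMS) # request value overwrites the server-set one

  strong = NewsItem.new
  strong.author_id = session_user_id
  rejected = strong.safe_assign(PARAMS)

  { weak_author: weak.author_id, strong_author: strong.author_id,
    strong_title: strong.title, rejected: rejected }
end

puts demo.inspect
```
</PRE>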
    <HR>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>