Mass assignment security vulnerability in Redmine

Bug #959187 reported by Christian Korff
Affects                    Status         Importance   Assigned to   Milestone
redmine (Ubuntu)           Fix Released   Undecided    Unassigned
  Lucid                    Won't Fix      Undecided    Unassigned
  Precise                  Fix Released   Undecided    Unassigned

Bug Description

Redmine has many mass assignment security vulnerabilities. See http://www.redmine.org/issues/10390 for details.

Version 0.9.3-1 (Lucid Lynx) seems to be affected. Upstream reported version 1.3.0 (Precise Pangolin) and 1.3.1 as vulnerable.

Tags: rails ruby
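The class of bug the report refers to, as an added example in plain Ruby that is not code from Redmine, Rails or this bug's fix. It models an ActiveRecord-style object whose attributes are filled from the whole request params hash (mass assignment) beside the same object with an attribute whitelist in the spirit of Rails' attr_accessible. The class names UnsafeUser and SafeUser, the admin attribute and the request parameters are assumptions for illustration; how Redmine's own models were changed for upstream issue 10390 is not shown here.

```ruby
# Added example, not Redmine or Rails code. Plain Ruby stand-in for an
# ActiveRecord model to show why mass assignment from request params is
# dangerous and what an attribute whitelist changes.

# Constructed request parameters, shaped like what a Rails controller sees
# after the body "user[login]=alice&user[password]=s3cret&user[admin]=1"
# is parsed. The sign-up form offers only login and password; the "admin"
# key is injected by the client.
TAMPERED_PARAMS = {
  "login"    => "alice",
  "password" => "s3cret",
  "admin"    => "1",
}.freeze

class UnsafeUser
  attr_accessor :login, :password, :admin

  def initialize(params = {})
    @admin = false
    assign_attributes(params)
  end

  # Vulnerable pattern: every key in the hash becomes a setter call, so any
  # attribute with a writer, privileged ones included, is settable by the
  # client that submits the form.
  def assign_attributes(params)
    params.each { |name, value| public_send("#{name}=", value) }
  end
end

class SafeUser
  attr_accessor :login, :password
  attr_reader :admin, :rejected_attributes

  # Whitelist of attributes a request is allowed to set (the attr_accessible
  # idea): everything else is protected by default.
  ACCESSIBLE = %w[login password].freeze

  def initialize(params = {})
    @admin = false
    @rejected_attributes = []
    assign_attributes(params)
  end

  # Hardened pattern: keys outside the whitelist are dropped and recorded so
  # the attempt can be logged; a privileged flag can only be set by
  # application code, never by the request.
  def assign_attributes(params)
    params.each do |name, value|
      if ACCESSIBLE.include?(name.to_s)
        public_send("#{name}=", value)
      else
        @rejected_attributes << name.to_s
      end
    end
  end

  def make_admin!
    @admin = true
  end
end

# Boolean column semantics: an ORM casts "1" to true, so "admin=1" in the
# request is a real privilege escalation on the unsafe model.
def admin?(user)
  ["1", "true", true].include?(user.admin)
end

if __FILE__ == $PROGRAM_NAME
  puts "UnsafeUser admin? #{admin?(UnsafeUser.new(TAMPERED_PARAMS))}"
  safe = SafeUser.new(TAMPERED_PARAMS)
  puts "SafeUser admin? #{admin?(safe)}, rejected: #{safe.rejected_attributes.inspect}"
end
```

Running the file shows the unsafe model accepting the injected admin flag while the whitelisted model keeps it false and reports the rejected key, which is the signal an audit log or a strict sanitizer would act on.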

Jamie Strandboge (jdstrand) wrote:

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

security vulnerability: yes → no
visibility: private → public
Changed in redmine (Ubuntu):
status: New → Confirmed
Changed in redmine (Ubuntu Lucid):
status: New → Confirmed
Changed in redmine (Ubuntu Precise):
status: Confirmed → Fix Released

Jamie Strandboge (jdstrand) wrote:

This was fixed in 1.3.2+dfsg1-1 on Precise.

Rolf Leggewie (r0lf) wrote:

Lucid has seen the end of its life and is no longer receiving any updates. Marking the Lucid task for this ticket as "Won't Fix".

Changed in redmine (Ubuntu Lucid):
status: Confirmed → Won't Fix