Message-ID: <4F073324.8030309@redhat.com>
Date: Fri, 06 Jan 2012 10:45:08 -0700
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
CC: Moritz Muehlenhoff <jmm@...ian.org>
Subject: Re: CVE request: redmine issues

On 01/06/2012 10:02 AM, Moritz Muehlenhoff wrote:
> Hi,
> please assign three CVE IDs for the following issues in Redmine:
>
> These need to be CVE-2011-* IDs:
>
> The announcement can be found here: http://www.redmine.org/news/49
>
> --------
> This release also fixes 3 security issues reported by joernchen of
> Phenoelit:
>
> * logged in users may be able to access private data (affected
> versions: 1.0.x)
Please use CVE-2011-4927 for this issue.
>
> * persistent XSS vulnerability in textile formatter (affected
> versions: all previous releases)
Please use CVE-2011-4928 for this issue.
>
> * remote command execution in bazaar repository adapter (affected
> versions: 0.9.x, 1.0.x)
Please use CVE-2011-4929 for this issue.
> --------
>
> This was already fixed in a Debian security update some time ago,
> but never received a CVE ID:
> http://lists.debian.org/debian-security-announce/2011/msg00131.html
>
> Patches can be found in the Debian patch tracker:
> http://patch-tracker.debian.org/package/redmine/1.0.1-2
>
> Cheers,
>         Moritz


-- 

-- Kurt Seifried / Red Hat Security Response Team
