Defect #12727: CVE-2012-5664
Status: Closed
% Done: 0%
Description
Rails-3.2.9 needs to be updated to 3.2.10 in Gemfile.
Updated by Etienne Massip almost 12 years ago
- Target version set to Candidate for next minor release
- Private changed from No to Yes
Updated by Jean-Philippe Lang almost 12 years ago
- Target version changed from Candidate for next minor release to 2.2.1
trunk upgraded to 3.2.10 in r11109.
Updated by Jean-Baptiste Barth almost 12 years ago
I saw comments on various blog posts / tweets saying that the article mentioned in the forum thread is not accurate and the problem could be exploited without knowing the secret token. Btw, none of the code related to authentication is affected (there's already a params[:blah].to_s performed on user inputs everywhere, which is a workaround mentioned on rails blog post). So I'm 99% sure your Redmine instance is totally unaffected if you force authentication.
Unfortunately there are other security vulnerabilities regarding params in rails core pipe. One disclosed tonight may affect Redmine in some way, I'll open a different issue for that one.
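The workaround described in the comment above (calling to_s on request parameters before they reach a record finder) as an added, stand-alone illustration. This is not Redmine's or Rails' code: the in-memory table, the coerce_param helper and the find_user_by_login finder are hypothetical stand-ins, and the finder deliberately accepts only a String so that any structured value slipping through is caught rather than interpreted.

```ruby
# Added illustration (not Redmine or Rails code): coerce request parameters
# to plain strings before handing them to a record finder, the workaround
# the comment above describes.

# Constructed in-memory "table" standing in for a database.
USERS = [
  { id: 1, login: "alice", token: "tok-alice" },
  { id: 2, login: "bob",   token: "tok-bob"   },
].freeze

# Normalise a request parameter the way `params[:login].to_s` does:
# nil becomes "", and nested structures (Hash/Array) are flattened to their
# string form, so the finder never receives a structured value that it
# might misinterpret as something other than a literal to compare against.
def coerce_param(value)
  value.to_s
end

# Hypothetical stand-in finder: strict about its argument type. A finder
# that silently accepts a Hash here is exactly what the coercion defends
# against, so this one fails loudly instead.
def find_user_by_login(login)
  raise ArgumentError, "login must be a String, got #{login.class}" unless login.is_a?(String)
  USERS.find { |u| u[:login] == login }
end

# Simulates the controller path: raw params in, record (or nil) out.
def lookup(params)
  find_user_by_login(coerce_param(params[:login]))
end

if __FILE__ == $PROGRAM_NAME
  p lookup({ login: "alice" })              # matching record
  p lookup({ login: { "key" => "value" } }) # structured input becomes a string; no match
  p lookup({})                              # missing param -> "" -> nil
end
```

Without coerce_param, the second call would raise ArgumentError from the strict finder; with it, the Hash is reduced to a harmless string and the lookup simply finds nothing.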
Updated by Etienne Massip almost 12 years ago
- Status changed from New to Closed
- Target version deleted (2.2.1)
- Resolution set to Fixed
Superseded by #12776 and upgrade to 3.2.11.