Defect #12727

closed

CVE-2012-5664

Added by Alex Shulgin almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Category:
Rails support
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Rails-3.2.9 needs to be updated to 3.2.10 in Gemfile.

Actions #1

Updated by Etienne Massip almost 12 years ago

  • Target version set to Candidate for next minor release
  • Private changed from No to Yes

Actions #2

Updated by Jean-Philippe Lang almost 12 years ago

  • Target version changed from Candidate for next minor release to 2.2.1

trunk upgraded to 3.2.10 in r11109.

Actions #3

Updated by Toshi MARUYAMA almost 12 years ago

Merged to 2.2-stable by r11111.

Actions #4

Updated by Jean-Baptiste Barth almost 12 years ago

I saw comments on various blog posts / tweets saying that the article mentioned in the forum thread is not accurate and the problem could be exploited without knowing the secret token. Btw, none of the code related to authentication is affected (there's already a params[:blah].to_s performed on user inputs everywhere, which is a workaround mentioned on the Rails blog post). So I'm 99% sure your Redmine instance is totally unaffected if you force authentication.

Unfortunately there are other security vulnerabilities regarding params in rails core pipe. One disclosed tonight may affect Redmine in some way, I'll open a different issue for that one.

Actions #5

Updated by Etienne Massip almost 12 years ago

  • Status changed from New to Closed
  • Target version deleted (2.2.1)
  • Resolution set to Fixed

Superseded by #12776 and upgrade to 3.2.11.

Actions #6

Updated by Etienne Massip almost 12 years ago

  • Private changed from Yes to No