Defect #12727
closed
- Target version set to Candidate for next minor release
- Private changed from No to Yes
- Target version changed from Candidate for next minor release to 2.2.1
trunk upgraded to 3.2.10 in r11109.
Merged to 2.2-stable by r11111.
I saw comments on various blog posts / tweets saying that the article mentioned in the forum thread is not accurate and the problem could be exploited without knowing the secret token. Btw, none of the code related to authentication is affected (there's already a params[:blah].to_s performed on user inputs everywhere, which is a workaround mentioned on the Rails blog post). So I'm 99% sure your Redmine instance is totally unaffected if you force authentication.
Unfortunately, there are other security vulnerabilities regarding params in the Rails core pipe. One disclosed tonight may affect Redmine in some way; I'll open a different issue for that one.
- Status changed from New to Closed
- Target version deleted (2.2.1)
- Resolution set to Fixed
Superseded by #12776 and upgrade to 3.2.11.
- Private changed from Yes to No