Defect #12727
closed
CVE-2012-5664
0%
Description
Rails-3.2.9 needs to be updated to 3.2.10 in Gemfile.
Updated by Etienne Massip over 11 years ago
- Target version set to Candidate for next minor release
- Private changed from No to Yes
Related to .
Updated by Jean-Philippe Lang over 11 years ago
- Target version changed from Candidate for next minor release to 2.2.1
trunk upgraded to 3.2.10 in r11109.
Updated by Toshi MARUYAMA
Updated by Jean-Baptiste Barth over 11 years ago
I saw comments on various blog posts / tweets saying that the article mentionned in the forum thread is not accurate and the problem could be exploited without knowing the secret token. Btw, none of the code related to authentication is affected (there's already a params[:blah].to_s performed on user inputs everywhere, which is a workaround mentionned on rails blog post). So I'm 99% sure your Redmine instance is totally unaffected if you force authentication.
Unfortunately there are other security vulnerabilities regarding params in rails core pipe. One disclosed tonight may affect Redmine in some way, I'll open a different issue for that one.
Updated by Etienne Massip over 11 years ago
- Status changed from New to Closed
- Target version deleted (
2.2.1) - Resolution set to Fixed
Superseded by #12776 and upgrade to 3.2.11.