Jan Wagner uploaded a new package for redmine which fixes the following security problem: CVE-2009-4459 [2] and Debian Bug #563940 [3].

It was discovered that Redmine 0.8.7 and earlier uses the title tag before defining the character encoding in a meta tag, which allows remote attackers to conduct cross-site scripting (XSS) attacks and inject arbitrary script via UTF-7 encoded values in the title parameter to a new issue page, which may be interpreted as script by Internet Explorer 7 and 8.

For the lenny-backports distribution the problem has been fixed in version 0.9.1-1~bpo50+1.

For the sid and testing distributions the problem has been fixed in version 0.9.1-1.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update redmine manually via "apt-get -t lenny-backports install redmine".

We recommend pinning the backports repository to 200 so that new versions of installed backports will be installed automatically:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[1] http://backports.org/dokuwiki/doku.php?id=instructions
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4459
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563940
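The weakness described above is one of ordering: the encoding declaration must come before any user-controlled text in the document, and the most reliable fix is to also send the charset in the HTTP Content-Type header. The following check, added here as an illustration and not part of the advisory or of Redmine itself, parses a page's head and reports whether a charset declaration precedes the <title> element, and whether the response header carries an explicit charset. The two sample head fragments and all function names are constructed for this example.

```python
"""Audit an HTML response for the encoding-declaration ordering flaw
behind CVE-2009-4459: a <title> emitted before the charset is defined.
Constructed example; not Redmine code."""
from html.parser import HTMLParser


class _HeadOrderParser(HTMLParser):
    """Records, in document order, every charset declaration and <title>."""

    def __init__(self):
        super().__init__()
        self.order = []  # sequence of "charset" / "title" in the order seen

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lower-cases attribute names for us
        if tag == "meta":
            if "charset" in a:  # HTML5 style: <meta charset="utf-8">
                self.order.append("charset")
            elif (a.get("http-equiv", "").lower() == "content-type"
                  and "charset=" in (a.get("content") or "").lower()):
                self.order.append("charset")  # <meta http-equiv=...>
        elif tag == "title":
            self.order.append("title")


def charset_declared_before_title(html: str) -> bool:
    """True when a charset declaration exists and precedes the first <title>.

    A page with a charset but no <title> is accepted; a page with no
    charset at all is rejected, because the browser would have to guess."""
    p = _HeadOrderParser()
    p.feed(html)
    p.close()
    if "charset" not in p.order:
        return False
    if "title" not in p.order:
        return True
    return p.order.index("charset") < p.order.index("title")


def header_declares_charset(content_type: str) -> bool:
    """True when the HTTP Content-Type header names a non-empty charset.

    An explicit header charset is the stronger fix: it takes effect before
    the browser sees any of the document body."""
    params = [x.strip().lower() for x in content_type.split(";")[1:]]
    return any(x.startswith("charset=") and len(x) > len("charset=")
               for x in params)


def audit_page(content_type: str, html: str) -> dict:
    """Combine both checks; a page is 'ok' if either layer declares the charset
    early enough, but both findings are reported so the weaker one can be fixed."""
    header_ok = header_declares_charset(content_type)
    body_ok = charset_declared_before_title(html)
    return {"header_charset": header_ok, "meta_before_title": body_ok,
            "ok": header_ok or body_ok}


# Constructed sample fragments mirroring the pre- and post-fix layouts.
VULNERABLE_HEAD = (
    "<html><head><title>New issue: example</title>"
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
    "</head><body></body></html>"
)
FIXED_HEAD = (
    '<html><head><meta http-equiv="Content-Type" '
    'content="text/html; charset=utf-8">'
    "<title>New issue: example</title></head><body></body></html>"
)

if __name__ == "__main__":
    print("vulnerable layout:", audit_page("text/html", VULNERABLE_HEAD))
    print("fixed layout:     ", audit_page("text/html; charset=utf-8", FIXED_HEAD))
```

Run against real responses, the header check is the one to trust first: a meta tag only helps if the server has not already committed to a different encoding, so a page that fails `header_charset` should be fixed at the HTTP layer even when `meta_before_title` passes.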