
[Backports-security-announce] Security Update for redmine

Jan Wagner uploaded a new package for redmine which fixed the following
security problem:

CVE-2009-4459[2] and Debian Bug #563940[3]

It was discovered that Redmine 0.8.7 and earlier emits the title tag before
defining the character encoding in a meta tag, which allows remote attackers
to conduct cross-site scripting (XSS) attacks and inject arbitrary script via
UTF-7 encoded values in the title parameter of a new issue page; such values
may be interpreted as script by Internet Explorer 7 and 8.

Because the browser has not yet been told the encoding when it reaches the
title text, it may guess UTF-7, in which a sequence such as +ADw- decodes to
'<'. The usual HTML escaping of <, > and " never sees those characters, so it
does not neutralise the payload; declaring the charset before any
attacker-controlled text is what closes the hole.

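The following Ruby script is an added illustration of the issue described above, not code from Redmine or from the Debian package. It builds the UTF-7 form of a script tag, shows that ordinary HTML escaping leaves it untouched, and contrasts a head that renders the title before the charset declaration with one that declares the charset first. The sniffer model (read the document as UTF-7 whenever no charset declaration precedes the title) is a deliberate simplification of legacy browser behaviour, and the helper names are this example's own.

```ruby
require 'base64'

# Characters RFC 2152 lets an encoder emit directly (Set D plus whitespace).
UTF7_DIRECT = /\A[A-Za-z0-9'(),.\/:?\s-]\z/

# Minimal UTF-7 encoder: every non-direct character becomes "+<mbase64>-",
# i.e. '+' followed by unpadded base64 of its UTF-16BE bytes and '-'.
def utf7_encode(str)
  str.each_char.map do |ch|
    next '+-' if ch == '+'
    next ch if ch.match?(UTF7_DIRECT)
    b64 = Base64.strict_encode64(ch.encode('UTF-16BE')).delete('=')
    "+#{b64}-"
  end.join
end

# Minimal UTF-7 decoder, sufficient for the payloads built here.
def utf7_decode(str)
  str.gsub(/\+([A-Za-z0-9+\/]*)-?/) do
    b64 = Regexp.last_match(1)
    next '+' if b64.empty?
    padded = b64 + '=' * ((4 - b64.length % 4) % 4)
    Base64.strict_decode64(padded).force_encoding('UTF-16BE').encode('UTF-8')
  end
end

# The usual HTML escaping (the characters Rails' h() replaces). It is enough
# against an ASCII payload and does nothing against a UTF-7 one.
def html_escape(s)
  s.gsub(/[&<>"']/, '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                     '"' => '&quot;', "'" => '&#39;')
end

META_CHARSET = '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />'

# Vulnerable layout: the (escaped) title is emitted before the charset is declared.
def head_title_first(title)
  "<head><title>#{html_escape(title)}</title>#{META_CHARSET}</head>"
end

# Fixed layout: the charset is declared before any attacker-influenced text.
def head_charset_first(title)
  "<head>#{META_CHARSET}<title>#{html_escape(title)}</title></head>"
end

# Check for a rendered document: does a charset declaration precede <title>?
def charset_before_title?(html)
  meta  = html.index(/<meta[^>]*charset=/i)
  title = html.index(/<title/i)
  !meta.nil? && (title.nil? || meta < title)
end

# Simplified model of a legacy sniffer (assumption, not IE's real algorithm):
# with no charset declared before the title, the document is read as UTF-7.
# Returns the markup such a browser would act on.
def as_seen_by_sniffer(html)
  charset_before_title?(html) ? html : utf7_decode(html)
end

# Constructed attacker-controlled issue title: "<script>alert(1)</script>" in UTF-7.
PAYLOAD = utf7_encode('<script>alert(1)</script>')

if __FILE__ == $PROGRAM_NAME
  puts "payload as submitted:   #{PAYLOAD}"
  puts "escaped (unchanged):    #{html_escape(PAYLOAD)}"
  puts "title-first, sniffed:   #{as_seen_by_sniffer(head_title_first(PAYLOAD))}"
  puts "charset-first, sniffed: #{as_seen_by_sniffer(head_charset_first(PAYLOAD))}"
end
```

Run it with plain `ruby`; the title-first head decodes to a live `<script>` element under the sniffer model, while the charset-first head keeps the literal `+ADw-script+AD4-` text. The `charset_before_title?` check is the kind of assertion worth keeping in a view or layout test after applying the fix.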
For the lenny-backports distribution the problem has been fixed in
version 0.9.1-1~bpo50+1.

For the sid and testing distribution the problem has been fixed in
version 0.9.1-1.

Upgrade instructions

If you don't use pinning (see [1]), you have to update redmine
manually with "apt-get -t lenny-backports install redmine".
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository at priority 200 (in
/etc/apt/preferences) so that new versions of installed backports are
installed automatically:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4459
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563940
