Re: CVE request: redmine issues

[Kurt Seifried <kseifrie () redhat com>]

On 01/06/2012 10:02 AM, Moritz Muehlenhoff wrote:
> Hi,
> please assign three CVE IDs for the following issues in Redmine:
>
> These need to be CVE-2011-* IDs:
>
> The announcement can be found here: http://www.redmine.org/news/49
>
> --------
> This release also fixes 3 security issues reported by joernchen of
> Phenoelit:
>
> * logged in users may be able to access private data (affected
> versions: 1.0.x)
Please use CVE-2011-4927 for this issue.
> * persistent XSS vulnerability in textile formatter (affected
> versions: all previous releases)
Please use CVE-2011-4928 for this issue.
> * remote command execution in bazaar repository adapter (affected
> versions: 0.9.x, 1.0.x)
Please use CVE-2011-4929 for this issue.
> --------
>
> This was already fixed in a Debian security update some time ago,
> but never received a CVE ID:
> http://lists.debian.org/debian-security-announce/2011/msg00131.html
>
> Patches can be found in the Debian patch tracker:
> http://patch-tracker.debian.org/package/redmine/1.0.1-2
>
> Cheers,
>         Moritz


-- 

-- Kurt Seifried / Red Hat Security Response Team