[request-tracker-maintainers] Bug#614575: Bug#614575: CVE IDs etc.

Dominic Hargreaves dom at earth.li
Sun Apr 10 11:31:54 UTC 2011


On Fri, Feb 25, 2011 at 08:04:31PM +0200, Niko Tyni wrote:
> package request-tracker3.8
> retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks

> On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:

> > The following appears in the changelog of 3.8.9:
> >
> >  * Redirect users to their desired pages after login.
> >     This prevents possible back button attacks after a user logs out.
> >
> 
> This has been assigned CVE-2011-1007. 

I discussed this a bit with upstream and I concluded that although it's
clearly a useful security enhancement, it probably doesn't qualify as a
security bug that justifies the potentially large breakage in stable that
a stable update would entail (we know, for example, that it would break
a popular extension).

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
