[request-tracker-maintainers] Bug#614575: Bug#614575: CVE IDs etc.
Dominic Hargreaves
dom at earth.li
Sun Apr 10 11:31:54 UTC 2011
On Fri, Feb 25, 2011 at 08:04:31PM +0200, Niko Tyni wrote:
> package request-tracker3.8
> retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks
> On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> > The following appears in the changelog of 3.8.9:
> >
> > * Redirect users to their desired pages after login.
> > This prevents possible back button attacks after a user logs out.
> >
>
> This has been assigned CVE-2011-1007.
I discussed this a bit with upstream and I concluded that although it's
clearly a useful security enhancement, it probably doesn't qualify as a
security bug that justifies the potentially large breakage in stable that
a stable update would entail (we know, for example, that it would break
a popular extension).
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)