https://bugzilla.novell.com/show_bug.cgi?id=670349
https://bugzilla.novell.com/show_bug.cgi?id=670349#c4

Lars Vogdt <lrupp@novell.com> changed:

           What    |Removed |Added
----------------------------------------------------------------------------
                CC|        |draht@novell.com, lrupp@novell.com

--- Comment #4 from Lars Vogdt <lrupp@novell.com> 2011-05-27 20:05:31 UTC ---
Just for reference, here's a short list of public VUL issues fixed in the newer versions:

3.0.5:
* Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role. (r17397, r17406, r17412)
* Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role. (r17401)
* Fix potential information disclosure of posts through the media uploader. Affects users of the Author role. (r17393)

3.0.6:
* Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

3.1.1:
* Security hardening to media uploads (r17569)
* Correct minor XSS flaw on database upgrade screens (r17583)

3.1.2:
* Fix a vulnerability that allowed Contributor-level users to improperly publish posts. (r17710)

3.1.3:
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Introduce “clickjacking” protection in modern browsers on admin and login pages.

This P2 bug has been open since 2011-02-08 (more than 3 months now). I did not invest time to see whether our instances are affected by the vulnerabilities or information disclosures listed above; please ping me if I should do so.
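As an added example (not part of the bug report or of WordPress itself), the comment's fix list transcribed into a small Python check that reports which of these publicly listed fixes an installed WordPress version still lacks; the version strings and revision numbers are those quoted in the comment, and recognising the same fix across the 3.0 and 3.1 branches by its SVN revision is an assumption made here.

```python
"""Report which of the publicly listed WordPress security fixes from comment #4
an installed version still lacks.  The table below is transcribed from the
comment (bugzilla.novell.com bug 670349); anything else here is an assumption."""
import re

# release -> [(SVN revision or None, short summary)], as given in the comment
FIXES = {
    "3.0.5": [("r17397", "XSS: encode title used in Quick/Bulk Edit"),
              ("r17401", "XSS: preserve tag escaping in the tags meta box"),
              ("r17393", "information disclosure of posts via media uploader")],
    "3.0.6": [("r17710", "Contributor-level users could publish posts")],
    "3.1.1": [("r17569", "security hardening of media uploads"),
              ("r17583", "minor XSS on database upgrade screens")],
    "3.1.2": [("r17710", "Contributor-level users could publish posts")],
    "3.1.3": [(None, "taxonomy query hardening"),
              (None, "user-name sniffing via canonical redirects"),
              (None, "media security fixes"),
              (None, "clickjacking protection on admin and login pages")],
}

def parse_version(text):
    """'3.1.3' -> (3, 1, 3); trailing non-numeric parts such as '-RC1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def missing_fixes(installed):
    """Return [(release, revision, summary)] for fixes no release <= installed has.

    Assumption: a fix is the same fix wherever its SVN revision appears, so the
    r17710 backport in 3.0.6 is not reported as missing from a 3.0.6 install even
    though 3.1.2 (a newer release that lists it too) is still ahead of it.
    Fixes without a revision number are keyed by their summary text instead.
    """
    have = parse_version(installed)
    present, missing, seen = set(), [], set()
    for release, fixes in sorted(FIXES.items(), key=lambda kv: parse_version(kv[0])):
        for rev, summary in fixes:
            key = rev or summary
            if parse_version(release) <= have:
                present.add(key)
            elif key not in seen:
                seen.add(key)
                missing.append((release, rev, summary))
    return [m for m in missing if (m[1] or m[2]) not in present]

if __name__ == "__main__":
    for release, rev, summary in missing_fixes("3.0.6"):
        print(f"{release:6} {rev or '-':7} {summary}")
```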