https://bugzilla.novell.com/show_bug.cgi?id=670349
https://bugzilla.novell.com/show_bug.cgi?id=670349#c4
Lars Vogdt changed:
           What    |Removed |Added
----------------------------------------------------------------------------
             CC    |        |draht@novell.com, lrupp@novell.com
--- Comment #4 from Lars Vogdt 2011-05-27 20:05:31 UTC ---
Just for reference, here's a short list of public VUL issues fixed in the newer
versions:
3.0.5:
  * Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer
    additional sanitization to various fields. Affects users of the Author or
    Contributor role. (r17397, r17406, r17412)
  * Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of
    the Author or Contributor role. (r17401)
  * Fix potential information disclosure of posts through the media uploader.
    Affects users of the Author role. (r17393)
3.0.6:
  * Fix a vulnerability that allowed Contributor-level users to improperly
    publish posts. (r17710)
3.1.1:
  * Security hardening to media uploads (r17569)
  * Correct minor XSS flaw on database upgrade screens (r17583)
3.1.2:
  * Fix a vulnerability that allowed Contributor-level users to improperly
    publish posts. (r17710)
3.1.3:
  * Various security hardening by Alexander Concha.
  * Taxonomy query hardening by John Lamansky.
  * Prevent sniffing out user names of non-authors by using canonical
    redirects. Props Verónica Valeros.
  * Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of
    Microsoft, and Microsoft Vulnerability Research.
  * Introduce “clickjacking” protection in modern browsers on admin and login
    pages.
This P2 bug has been open since 2011-02-08 (more than 3 months) now. I did not
invest time to see whether our instances are affected by the vulnerabilities or
information disclosures listed above; please ping me if I should do so.
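As an added example (not part of the bug report or of WordPress itself), the list above can be turned into a small checker that reports which of these fixes an installed version still lacks. It assumes that a fix is present in every release with a higher version number, and it uses the revision ids from the comment as keys so the fix shipped in both 3.0.6 and 3.1.2 (r17710) is counted once; the keys for the 3.1.3 items, which carry no revision, are made up here.

```python
from typing import Dict, List, Tuple

# Security fixes per WordPress release, transcribed from the comment above.
# Keys are the revision ids given there; 3.1.3 items have none, so the
# keys for those are placeholders chosen for this example.
FIXES: Dict[str, List[Tuple[str, str]]] = {
    "3.0.5": [("r17397", "XSS: title encoding in Quick/Bulk Edit (r17397, r17406, r17412)"),
              ("r17401", "XSS: tag escaping in the tags meta box"),
              ("r17393", "information disclosure of posts via media uploader")],
    "3.0.6": [("r17710", "Contributor-level users could improperly publish posts")],
    "3.1.1": [("r17569", "security hardening of media uploads"),
              ("r17583", "minor XSS on database upgrade screens")],
    "3.1.2": [("r17710", "Contributor-level users could improperly publish posts")],
    "3.1.3": [("taxonomy-hardening", "taxonomy query hardening"),
              ("user-enumeration", "user name sniffing via canonical redirects"),
              ("media-fixes", "media security fixes"),
              ("clickjacking", "clickjacking protection on admin and login pages")],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.0.5' -> (3, 0, 5); '3.1' -> (3, 1, 0) so it sorts below 3.1.1."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def missing_fixes(installed: str) -> List[Tuple[str, str, str]]:
    """Return (release, key, description) for every listed fix not yet in `installed`.

    Assumption: a release contains every fix from releases with a lower version
    number. A fix keyed by the same revision in two releases counts as present
    as soon as any release carrying it is at or below the installed version.
    """
    have = parse_version(installed)
    present = {key for rel, items in FIXES.items()
               if parse_version(rel) <= have for key, _ in items}
    missing: List[Tuple[str, str, str]] = []
    for rel in sorted(FIXES, key=parse_version):
        if parse_version(rel) <= have:
            continue
        for key, desc in FIXES[rel]:
            if key not in present and all(key != m[1] for m in missing):
                missing.append((rel, key, desc))
    return missing


if __name__ == "__main__":
    for v in ("3.0.4", "3.0.6", "3.1.2", "3.1.3"):
        print(v, "lacks", len(missing_fixes(v)), "listed fix(es)")
```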