On Fri, Feb 25, 2011 at 08:04:31PM +0200, Niko Tyni wrote:
> package request-tracker3.8
> retitle 614575 request-tracker3.8: CVE-2011-1007: Back button attacks

> On Tue, Feb 22, 2011 at 11:44:03AM +0000, Dominic Hargreaves wrote:
> > The following appears in the changelog of 3.8.9:
> >
> > * Redirect users to their desired pages after login.
> >   This prevents possible back button attacks after a user logs out.
> >
> > This has been assigned CVE-2011-1007.

I discussed this a bit with upstream and I concluded that although it's clearly a useful security enhancement, it probably doesn't qualify as a security bug that justifies the potentially large breakage in stable that a stable update would entail (we know, for example, that it would break a popular extension).

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)