Redmine before 4.0.9 and 4.1.x before 4.1.3 allows an attacker to learn the values of internal authentication keys by observing timing differences in string comparison operations within SysController and MailHandlerController.
{ "binaries": [ { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-mysql" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-pgsql" }, { "binary_version": "3.2.1-2ubuntu0.2", "binary_name": "redmine-sqlite" } ] }
{ "binaries": [ { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-mysql" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-pgsql" }, { "binary_version": "3.4.4-1ubuntu0.1", "binary_name": "redmine-sqlite" } ] }