Following the announcement of a security vulnerability related to Rails' default XML parsing, it was discovered that similar exploits are present in Rails' default JSON parsing*. Mingle uses Rails as its web application framework. Given the potential impact of this vulnerability we have made a priority release available. Download this release now (Mingle Server 12.4.2 Windows, Mingle Server 12.4.2 Linux, Mingle Server 12.4.2 Mac OSX).
We recommend upgrading your version of Mingle immediately. If an immediate upgrade is not possible and your instance is reachable from the public internet, we recommend that you disable public access until your instance has been upgraded.
If you use a Mingle instance that is hosted by ThoughtWorks we will apply the fix for you immediately. No further action is needed on your part.
If you have any questions about the security issue or upgrading please contact Customer Support on our website: http://www.thoughtworks-studios.com/support.
- Mingle Team
* Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability (http://www.kb.cert.org/vuls/id/628463)