Hoger Just discovered an SQL injection in Redmine, a project management web application. In addition, a cross-site scripting issue was found in Textile formatting.
WordPress 5.2.4 Update
Late-breaking news on the 5.2.4 short-cycle security release that landed October 14. When we released the news post, I inadvertently missed giving props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where path traversal can lead to remote code execution.
Simon has done a great deal of work on the WordPress project, and failing to mention his contributions is a huge oversight on our end.
Thank you to all of the reporters for privately disclosing vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.
Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization.
It was discovered that the Simple Linux Utility for Resource Management (SLURM), a cluster resource management and job scheduling system, did not escape strings when importing an archive file into the accounting_storage/mysql backend, resulting in SQL injection.