It was discovered that there was a data disclosure vulnerability in
Redmine, a web-based bug and project management tool.
The time logging form could disclose subjects of issues that are not
visible/public. Patch by Holger Just.
For Debian 6 Squeeze, this issue has been fixed in redmine version
1.0.1-2+deb6u11.